Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    96s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/03/2024, 05:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2dda3dd0377dd66baf80e22f9cf502f2ddffe8d6ddc191e7ea52609bf7ad2f32.exe

  • Size

    203KB

  • MD5

    13797dc7a31a9e87ecccf44c67013b4d

  • SHA1

    9f65cc05399f0e71a379cf2aa6db4741fffaaa94

  • SHA256

    2dda3dd0377dd66baf80e22f9cf502f2ddffe8d6ddc191e7ea52609bf7ad2f32

  • SHA512

    9d609f78ffd132f2ff61ccee41c93411b51df5aa4b564dad460ee950389ec9b1279befe70b7d36d165b0124d2d1ab399a4f3c24b5ce3b62c12a2546e2536f255

  • SSDEEP

    3072:+H6LqhgTI5JJfgKfWDYGYbY7lW2KvSy9VY042+emJZXwMZeK9Y89:+nhgTI5JRg6WcFYxY9V+2+eCSM5N

Score
10/10
dcratdjvugluptebalummaredlinesmokeloaderlogsdiller cloud (tg: @logsdillabot)pub1backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwareratspywarestealertrojanupx

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Extracted

Family

djvu

C2

http://sajdfue.com/test1/get.php

Attributes
  • extension

    .vook

  • offline_id

    1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1

  • payload_url

    http://sdfjhuz.com/dl/build2.exe

    http://sajdfue.com/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

5.42.65.0:29587

Extracted

Family

lumma

C2

https://resergvearyinitiani.shop/api

https://affordcharmcropwo.shop/api

Signatures

  • DcRat 4 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detected Djvu ransomware 9 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 6 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 11 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 12 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 7 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2dda3dd0377dd66baf80e22f9cf502f2ddffe8d6ddc191e7ea52609bf7ad2f32.exe
    "C:\Users\Admin\AppData\Local\Temp\2dda3dd0377dd66baf80e22f9cf502f2ddffe8d6ddc191e7ea52609bf7ad2f32.exe"
    1⤵
    • DcRat
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1696
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\94FC.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
        PID:2936
    • C:\Users\Admin\AppData\Local\Temp\B6FD.exe
      C:\Users\Admin\AppData\Local\Temp\B6FD.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3424
      • C:\Users\Admin\AppData\Local\Temp\B6FD.exe
        C:\Users\Admin\AppData\Local\Temp\B6FD.exe
        2⤵
        • DcRat
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1008
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Local\400a774b-fbab-4283-b03f-9cf8253e564e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          3⤵
          • Modifies file permissions
          PID:2100
        • C:\Users\Admin\AppData\Local\Temp\B6FD.exe
          "C:\Users\Admin\AppData\Local\Temp\B6FD.exe" --Admin IsNotAutoStart IsNotTask
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1020
          • C:\Users\Admin\AppData\Local\Temp\B6FD.exe
            "C:\Users\Admin\AppData\Local\Temp\B6FD.exe" --Admin IsNotAutoStart IsNotTask
            4⤵
            • Executes dropped EXE
            PID:1412
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 568
              5⤵
              • Program crash
              PID:2320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1412 -ip 1412
      1⤵
        PID:2268
      • C:\Users\Admin\AppData\Local\Temp\C371.exe
        C:\Users\Admin\AppData\Local\Temp\C371.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3172
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          2⤵
            PID:4692
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3576
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 836
            2⤵
            • Program crash
            PID:856
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3172 -ip 3172
          1⤵
            PID:2632
          • C:\Users\Admin\AppData\Local\Temp\E63C.exe
            C:\Users\Admin\AppData\Local\Temp\E63C.exe
            1⤵
            • Executes dropped EXE
            PID:3964
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E851.bat" "
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:4736
            • C:\Windows\system32\reg.exe
              reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
              2⤵
                PID:1696
            • C:\Users\Admin\AppData\Local\Temp\153E.exe
              C:\Users\Admin\AppData\Local\Temp\153E.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              PID:3040
              • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
                2⤵
                  PID:4252
              • C:\Users\Admin\AppData\Local\Temp\2750.exe
                C:\Users\Admin\AppData\Local\Temp\2750.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:3624
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -nologo -noprofile
                  2⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2436
                • C:\Users\Admin\AppData\Local\Temp\2750.exe
                  "C:\Users\Admin\AppData\Local\Temp\2750.exe"
                  2⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Checks for VirtualBox DLLs, possible anti-VM trick
                  • Drops file in Windows directory
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:512
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -nologo -noprofile
                    3⤵
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    PID:4136
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
                    3⤵
                      PID:1720
                      • C:\Windows\system32\netsh.exe
                        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                        4⤵
                        • Modifies Windows Firewall
                        PID:3768
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:4004
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      powershell -nologo -noprofile
                      3⤵
                      • Drops file in System32 directory
                      • Modifies data under HKEY_USERS
                      PID:964
                    • C:\Windows\rss\csrss.exe
                      C:\Windows\rss\csrss.exe
                      3⤵
                      • Executes dropped EXE
                      PID:5048
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        powershell -nologo -noprofile
                        4⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:1292
                      • C:\Windows\SYSTEM32\schtasks.exe
                        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                        4⤵
                        • DcRat
                        • Creates scheduled task(s)
                        PID:3356
                      • C:\Windows\SYSTEM32\schtasks.exe
                        schtasks /delete /tn ScheduledUpdate /f
                        4⤵
                          PID:3040
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -nologo -noprofile
                          4⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:3216
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          powershell -nologo -noprofile
                          4⤵
                          • Drops file in System32 directory
                          • Modifies data under HKEY_USERS
                          PID:4984
                        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                          C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                          4⤵
                          • Executes dropped EXE
                          PID:5000
                        • C:\Windows\SYSTEM32\schtasks.exe
                          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                          4⤵
                          • DcRat
                          • Creates scheduled task(s)
                          PID:4516
                        • C:\Windows\windefender.exe
                          "C:\Windows\windefender.exe"
                          4⤵
                            PID:1828
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                              5⤵
                                PID:208
                                • C:\Windows\SysWOW64\sc.exe
                                  sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                                  6⤵
                                  • Launches sc.exe
                                  PID:3956
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:856
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                        • Modifies registry class
                        • Suspicious use of SetWindowsHookEx
                        PID:2528
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:5020
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                        • Suspicious use of SetWindowsHookEx
                        PID:3764
                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                        1⤵
                        • Modifies Internet Explorer settings
                        • Modifies registry class
                        • Suspicious use of SetWindowsHookEx
                        PID:4536
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of SendNotifyMessage
                        PID:1460
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                        • Modifies registry class
                        • Suspicious use of SetWindowsHookEx
                        PID:3548
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of SendNotifyMessage
                        PID:540
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                        • Modifies registry class
                        • Suspicious use of SetWindowsHookEx
                        PID:2524
                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                        1⤵
                        • Suspicious use of SetWindowsHookEx
                        PID:2900
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of SendNotifyMessage
                        PID:1472
                      • C:\Windows\explorer.exe
                        explorer.exe
                        1⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        PID:3804
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                          PID:3576
                        • C:\Windows\explorer.exe
                          explorer.exe
                          1⤵
                            PID:3900
                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                            1⤵
                              PID:4356
                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                              1⤵
                                PID:5084
                              • C:\Windows\windefender.exe
                                C:\Windows\windefender.exe
                                1⤵
                                  PID:4528
                                • C:\Windows\explorer.exe
                                  explorer.exe
                                  1⤵
                                    PID:2524
                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                    1⤵
                                      PID:1016
                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                      1⤵
                                        PID:2844
                                      • C:\Windows\explorer.exe
                                        explorer.exe
                                        1⤵
                                          PID:3856
                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                          1⤵
                                            PID:2776
                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                            1⤵
                                              PID:1068
                                            • C:\Windows\explorer.exe
                                              explorer.exe
                                              1⤵
                                                PID:3656
                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                1⤵
                                                  PID:1912
                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                  1⤵
                                                    PID:5072
                                                  • C:\Windows\explorer.exe
                                                    explorer.exe
                                                    1⤵
                                                      PID:2632
                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                      1⤵
                                                        PID:4596
                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                        1⤵
                                                          PID:2884
                                                        • C:\Windows\explorer.exe
                                                          explorer.exe
                                                          1⤵
                                                            PID:920
                                                          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                            1⤵
                                                              PID:1296
                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                              1⤵
                                                                PID:1404
                                                              • C:\Windows\explorer.exe
                                                                explorer.exe
                                                                1⤵
                                                                  PID:2088
                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                  1⤵
                                                                    PID:2880
                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                    1⤵
                                                                      PID:4280
                                                                    • C:\Windows\explorer.exe
                                                                      explorer.exe
                                                                      1⤵
                                                                        PID:1880
                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                        1⤵
                                                                          PID:4156
                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                          1⤵
                                                                            PID:1900
                                                                          • C:\Windows\explorer.exe
                                                                            explorer.exe
                                                                            1⤵
                                                                              PID:3044
                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                              1⤵
                                                                                PID:4148
                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                1⤵
                                                                                  PID:4884
                                                                                • C:\Windows\explorer.exe
                                                                                  explorer.exe
                                                                                  1⤵
                                                                                    PID:2844
                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                    1⤵
                                                                                      PID:444
                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                      1⤵
                                                                                        PID:940
                                                                                      • C:\Windows\explorer.exe
                                                                                        explorer.exe
                                                                                        1⤵
                                                                                          PID:316
                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                          1⤵
                                                                                            PID:4828
                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                            1⤵
                                                                                              PID:3524

                                                                                            Network

                                                                                            MITRE ATT&CK Enterprise v15

                                                                                            Reconnaissance

                                                                                            Resource Development

                                                                                            Initial Access

                                                                                            Execution

                                                                                            Scheduled Task/Job

                                                                                            1
                                                                                            T1053

                                                                                            Persistence

                                                                                            Boot or Logon Autostart Execution

                                                                                            2
                                                                                            T1547

                                                                                            Registry Run Keys / Startup Folder

                                                                                            2
                                                                                            T1547.001

                                                                                            Create or Modify System Process

                                                                                            1
                                                                                            T1543

                                                                                            Windows Service

                                                                                            1
                                                                                            T1543.003

                                                                                            Scheduled Task/Job

                                                                                            1
                                                                                            T1053

                                                                                            Privilege Escalation

                                                                                            Boot or Logon Autostart Execution

                                                                                            2
                                                                                            T1547

                                                                                            Registry Run Keys / Startup Folder

                                                                                            2
                                                                                            T1547.001

                                                                                            Create or Modify System Process

                                                                                            1
                                                                                            T1543

                                                                                            Windows Service

                                                                                            1
                                                                                            T1543.003

                                                                                            Scheduled Task/Job

                                                                                            1
                                                                                            T1053

                                                                                            Defense Evasion

                                                                                            File and Directory Permissions Modification

                                                                                            1
                                                                                            T1222

                                                                                            Impair Defenses

                                                                                            1
                                                                                            T1562

                                                                                            Disable or Modify System Firewall

                                                                                            1
                                                                                            T1562.004

                                                                                            Modify Registry

                                                                                            3
                                                                                            T1112

                                                                                            Credential Access

                                                                                            Unsecured Credentials

                                                                                            3
                                                                                            T1552

                                                                                            Credentials In Files

                                                                                            3
                                                                                            T1552.001

                                                                                            Discovery

                                                                                            Peripheral Device Discovery

                                                                                            2
                                                                                            T1120

                                                                                            Query Registry

                                                                                            5
                                                                                            T1012

                                                                                            System Information Discovery

                                                                                            5
                                                                                            T1082

                                                                                            Lateral Movement

                                                                                            Collection

                                                                                            Data from Local System

                                                                                            3
                                                                                            T1005

                                                                                            Command and Control

                                                                                            Web Service

                                                                                            1
                                                                                            T1102

                                                                                            Exfiltration

                                                                                            Impact

                                                                                            Replay Monitor

                                                                                            Loading Replay Monitor...

                                                                                            Downloads

                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                                                                                              Filesize

                                                                                              471B

                                                                                              MD5

                                                                                              59e81183e22d6940a35f6ed67fd7284f

                                                                                              SHA1

                                                                                              f89e79506bb55e28e917700270d43ced58a3f359

                                                                                              SHA256

                                                                                              1f5e75b95a0642292425b320843958d8f55ff50f8a5556ac85d325b14e62521d

                                                                                              SHA512

                                                                                              afffc6628906c57cf29ecac595978793c182389734178dc2c73bf839a42f877cd6541fd5419670b415f14ed7a3c3e0256b48f9f43636c2d96f513fe1d2326257

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                                                                                              Filesize

                                                                                              412B

                                                                                              MD5

                                                                                              468905fb24df178bc8fe5f8121d42dbc

                                                                                              SHA1

                                                                                              4a79fa5874d85c84b3373d2f5d789bb6eba19454

                                                                                              SHA256

                                                                                              f17a06a0b6b25f8b0181e0dd3d6a9232b092b66e684315fd93d86a0099e37998

                                                                                              SHA512

                                                                                              c458471eca27f7bb2853ac43e8d2cecb103a330bbde6c377dd069dd70955d1a00592799e35f7e55a1c42d3afb4518fd0649696d9a41aa260b803cdfe15a7a25d

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
                                                                                              Filesize

                                                                                              1022B

                                                                                              MD5

                                                                                              ce6c73e90308666da791421811ed5dc2

                                                                                              SHA1

                                                                                              1983aef384427a03b47f2a0cdbff9f733a0be2ca

                                                                                              SHA256

                                                                                              00239d0e245750bd78a5300a157af7859ce98554cfc1fdc565b93291dc04d234

                                                                                              SHA512

                                                                                              3bde72f8b50fb433a026bfc1abdd9d096b86fcb63685bc5ff9e62840badeaa0d1f582536df28300d2e4939f95b106f3c0721aa173b2e11b5ee88f3619a579bb6

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\QDDM1QX5\microsoft.windows[1].xml
                                                                                              Filesize

                                                                                              96B

                                                                                              MD5

                                                                                              2415f1b0b1e5150e9f1e871081fd1fad

                                                                                              SHA1

                                                                                              a79e4bfddc3daf75f059fda3547bd18282d993f7

                                                                                              SHA256

                                                                                              3eff25035403aba506d0dbf69c76a22fa90ec66d2094cbf39bc5267a850902ae

                                                                                              SHA512

                                                                                              5d05da9ec1471dbf91f0c474c8db3897130543ff3c4da70724ce3a36adc38f628264c3dae4f54caef493f7593a0986a944dda0e19e947f3dfc34fc16fbd3e6bb

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\153E.exe
                                                                                              Filesize

                                                                                              30.6MB

                                                                                              MD5

                                                                                              ff35671d54d612772b0c22c141a3056e

                                                                                              SHA1

                                                                                              d005a27cd48556bf17eb9c2b43af49b67347cc0e

                                                                                              SHA256

                                                                                              2f625ea35f82332c639049c4a849f39cd2b74acb013880d156a2f647497c2512

                                                                                              SHA512

                                                                                              9a40a657f196036ef07c410db225f7a023f7299abc078cefd5d97489e7359ce9c640d72b98fedbf3f11ebaba1987b0acd5c7892b1ba5b5ae18709037df45790e

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\2750.exe
                                                                                              Filesize

                                                                                              4.1MB

                                                                                              MD5

                                                                                              cd86175e48a32ed7191466bcad199e62

                                                                                              SHA1

                                                                                              bed533b2623941e4e4c062b0009c64dd091fb5a7

                                                                                              SHA256

                                                                                              d7c6d0fa2e29eb3a3e3e14d9536858d388cfa9625540cad5f5125ea826a9b5a2

                                                                                              SHA512

                                                                                              4f6a124b53a20838d52872a49af7e59fd1ae3c3d488c31a3d4defa9388b692ae186dd27ea1665b0d056f1721905beea80448bb35bfb1068688b4cbc556bae886

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\94FC.bat
                                                                                              Filesize

                                                                                              77B

                                                                                              MD5

                                                                                              55cc761bf3429324e5a0095cab002113

                                                                                              SHA1

                                                                                              2cc1ef4542a4e92d4158ab3978425d517fafd16d

                                                                                              SHA256

                                                                                              d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

                                                                                              SHA512

                                                                                              33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\B6FD.exe
                                                                                              Filesize

                                                                                              733KB

                                                                                              MD5

                                                                                              cc4b213535ca360dbf9d08590939972d

                                                                                              SHA1

                                                                                              a1ac443d9c2f2a809b01fc7968235a9b9992f89b

                                                                                              SHA256

                                                                                              33b7a85c7b3ba67d21e108440ea3a755639875314fce7c922865e723479aeb38

                                                                                              SHA512

                                                                                              9de6129de378164c5454a8833a31bbaeb9c7718d9f149a141d014c72a55d25207be7826124def4fd7e2a02e9178287e5ac912c9bc0abcbf896ebf3311ea77eb3

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\C371.exe
                                                                                              Filesize

                                                                                              392KB

                                                                                              MD5

                                                                                              89ec2c6bf09ed9a38bd11acb2a41cd1b

                                                                                              SHA1

                                                                                              408549982b687ca8dd5efb0e8b704a374bd8909d

                                                                                              SHA256

                                                                                              da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d

                                                                                              SHA512

                                                                                              c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\E63C.exe
                                                                                              Filesize

                                                                                              6.5MB

                                                                                              MD5

                                                                                              9e52aa572f0afc888c098db4c0f687ff

                                                                                              SHA1

                                                                                              ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

                                                                                              SHA256

                                                                                              4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

                                                                                              SHA512

                                                                                              d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjeuu0z4.ll5.ps1
                                                                                              Filesize

                                                                                              60B

                                                                                              MD5

                                                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                                                              SHA1

                                                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                              SHA256

                                                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                              SHA512

                                                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                              Download Submit

                                                                                            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                                                                                              Filesize

                                                                                              281KB

                                                                                              MD5

                                                                                              d98e33b66343e7c96158444127a117f6

                                                                                              SHA1

                                                                                              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

                                                                                              SHA256

                                                                                              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

                                                                                              SHA512

                                                                                              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

                                                                                              Download Submit

                                                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                                                                              Filesize

                                                                                              2KB

                                                                                              MD5

                                                                                              3d086a433708053f9bf9523e1d87a4e8

                                                                                              SHA1

                                                                                              b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

                                                                                              SHA256

                                                                                              6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

                                                                                              SHA512

                                                                                              931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

                                                                                              Download Submit

                                                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                              Filesize

                                                                                              19KB

                                                                                              MD5

                                                                                              5bb82a38c8e3e920dcf595b837214e2c

                                                                                              SHA1

                                                                                              8a22ac6610329187f1e660bd03600bca55852188

                                                                                              SHA256

                                                                                              49fbf8e678886eddd458223f4104f8c23260456213ed5d15e29e8758af6bee67

                                                                                              SHA512

                                                                                              474d88afe0ecabf1df2197ca64bc4f502d1705b2c61b27e922bafa91934af1e4fc03cc66ca9c115d0fbcd251e598c2f88451a9e38d9f31558a338a39b688ca47

                                                                                              Download Submit

                                                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                              Filesize

                                                                                              19KB

                                                                                              MD5

                                                                                              dc25cec0e51504321134abc4363b79bc

                                                                                              SHA1

                                                                                              7939eb4f90738866db96b3c298a496c97c6e6a4f

                                                                                              SHA256

                                                                                              5757f44673d550b106bfe87ed36cf7076f2c2f040c7a534aa8b12a67df909ab2

                                                                                              SHA512

                                                                                              94d01ccbea428c541d1d32d8a843d5e761791224ef773e412fe8707a01ccdc42da4a6a1cd46b5ad0b9b5f90b58873da39eba4c02abd80dee9640b139db484291

                                                                                              Download Submit

                                                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                              Filesize

                                                                                              19KB

                                                                                              MD5

                                                                                              c531671d8e043ee176a60ca2033f8a68

                                                                                              SHA1

                                                                                              611f269a71bd84702dbecb11af3c258fc21954a2

                                                                                              SHA256

                                                                                              b1665a5be5e48f1fe02bb47a62250dd6cb687b5c6abb892df79f971ae2876776

                                                                                              SHA512

                                                                                              b93f5f6a43ba0471d8588fb61996b63b0ac8aa936d70767503adfe314f011c404fcdcd5c7212602e4622b48737881ed182d31680c3593adfb0401245b111811a

                                                                                              Download Submit

                                                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                              Filesize

                                                                                              19KB

                                                                                              MD5

                                                                                              4ec6c5ec2de4beb775eeaed285093f18

                                                                                              SHA1

                                                                                              e0cb0f59d648d7e97f716472e06bac5f959f8b47

                                                                                              SHA256

                                                                                              6fc65897fbff2cf2aa812224b9828d134fdd487cf51b8cb64ad724d05d4f3b63

                                                                                              SHA512

                                                                                              0a96b0afb1e52cd54d912d5f8e38a78db78c62866e4c87120952da23ba6c0f9fffe0497de2c6ed744dfb26b32dbc5085a047073783c30c9092d50106b116f290

                                                                                              Download Submit

                                                                                            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                              Filesize

                                                                                              19KB

                                                                                              MD5

                                                                                              212b7e202580b8569670e0d43e87d57c

                                                                                              SHA1

                                                                                              73e6c5686913813477dd4396ecb187563c22d5f1

                                                                                              SHA256

                                                                                              9c2df4dfde34b7e061f2f47fb482494e0e074c6dc8a64b988ea47d95bb246406

                                                                                              SHA512

                                                                                              35a94105c4fa0920c7b4738397740bd64a9ebbde1e3ecd02be3e8bbad75344b389c8e8f1086e8df3297ce41f8f951abdabfcd82df94a2bc87bcb77c33bc1936b

                                                                                              Download Submit

                                                                                            • C:\Windows\windefender.exe
                                                                                              Filesize

                                                                                              2.0MB

                                                                                              MD5

                                                                                              8e67f58837092385dcf01e8a2b4f5783

                                                                                              SHA1

                                                                                              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

                                                                                              SHA256

                                                                                              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

                                                                                              SHA512

                                                                                              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

                                                                                              Download Submit

                                                                                            • memory/512-449-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                              Filesize

                                                                                              9.1MB

                                                                                              Download

                                                                                            • memory/512-473-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                              Filesize

                                                                                              9.1MB

                                                                                              Download

                                                                                            • memory/1008-25-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                              Download

                                                                                            • memory/1008-26-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                              Download

                                                                                            • memory/1008-24-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                              Download

                                                                                            • memory/1008-22-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                              Download

                                                                                            • memory/1008-36-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                              Download

                                                                                            • memory/1020-40-0x00000000020F0000-0x000000000218F000-memory.dmp

                                                                                              Filesize

                                                                                              636KB

                                                                                              Download

                                                                                            • memory/1068-765-0x0000021BF11B0000-0x0000021BF11D0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/1068-769-0x0000021BF1580000-0x0000021BF15A0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/1068-767-0x0000021BF1170000-0x0000021BF1190000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/1412-45-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                              Download

                                                                                            • memory/1412-43-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                              Download

                                                                                            • memory/1412-42-0x0000000000400000-0x0000000000537000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                              Download

                                                                                            • memory/1472-677-0x00000000045C0000-0x00000000045C1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/1696-2-0x0000000002280000-0x000000000228B000-memory.dmp

                                                                                              Filesize

                                                                                              44KB

                                                                                              Download

                                                                                            • memory/1696-3-0x0000000000400000-0x0000000000536000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                              Download

                                                                                            • memory/1696-5-0x0000000000400000-0x0000000000536000-memory.dmp

                                                                                              Filesize

                                                                                              1.2MB

                                                                                              Download

                                                                                            • memory/1696-1-0x0000000000690000-0x0000000000790000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/1828-731-0x0000000000400000-0x00000000008DF000-memory.dmp

                                                                                              Filesize

                                                                                              4.9MB

                                                                                              Download

                                                                                            • memory/2524-733-0x0000000004360000-0x0000000004361000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/2844-745-0x0000016F858A0000-0x0000016F858C0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2844-743-0x0000016F85290000-0x0000016F852B0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/2844-741-0x0000016F852D0000-0x0000016F852F0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/3040-309-0x00007FF6D3970000-0x00007FF6D58BC000-memory.dmp

                                                                                              Filesize

                                                                                              31.3MB

                                                                                              Download

                                                                                            • memory/3040-392-0x00007FF6D3970000-0x00007FF6D58BC000-memory.dmp

                                                                                              Filesize

                                                                                              31.3MB

                                                                                              Download

                                                                                            • memory/3040-255-0x00007FF6D3970000-0x00007FF6D58BC000-memory.dmp

                                                                                              Filesize

                                                                                              31.3MB

                                                                                              Download

                                                                                            • memory/3172-67-0x0000000074B70000-0x0000000075320000-memory.dmp

                                                                                              Filesize

                                                                                              7.7MB

                                                                                              Download

                                                                                            • memory/3172-54-0x0000000074B70000-0x0000000075320000-memory.dmp

                                                                                              Filesize

                                                                                              7.7MB

                                                                                              Download

                                                                                            • memory/3172-62-0x0000000002C90000-0x0000000004C90000-memory.dmp

                                                                                              Filesize

                                                                                              32.0MB

                                                                                              Download

                                                                                            • memory/3172-53-0x00000000008F0000-0x0000000000954000-memory.dmp

                                                                                              Filesize

                                                                                              400KB

                                                                                              Download

                                                                                            • memory/3172-58-0x0000000002C20000-0x0000000002C21000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3172-55-0x00000000052F0000-0x0000000005300000-memory.dmp

                                                                                              Filesize

                                                                                              64KB

                                                                                              Download

                                                                                            • memory/3424-20-0x0000000002250000-0x00000000022E8000-memory.dmp

                                                                                              Filesize

                                                                                              608KB

                                                                                              Download

                                                                                            • memory/3424-21-0x0000000002340000-0x000000000245B000-memory.dmp

                                                                                              Filesize

                                                                                              1.1MB

                                                                                              Download

                                                                                            • memory/3448-4-0x0000000002D00000-0x0000000002D16000-memory.dmp

                                                                                              Filesize

                                                                                              88KB

                                                                                              Download

                                                                                            • memory/3448-241-0x0000000001000000-0x0000000001001000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3576-64-0x0000000074B70000-0x0000000075320000-memory.dmp

                                                                                              Filesize

                                                                                              7.7MB

                                                                                              Download

                                                                                            • memory/3576-72-0x0000000006350000-0x000000000639C000-memory.dmp

                                                                                              Filesize

                                                                                              304KB

                                                                                              Download

                                                                                            • memory/3576-61-0x0000000005DA0000-0x0000000006344000-memory.dmp

                                                                                              Filesize

                                                                                              5.6MB

                                                                                              Download

                                                                                            • memory/3576-69-0x0000000005C60000-0x0000000005D6A000-memory.dmp

                                                                                              Filesize

                                                                                              1.0MB

                                                                                              Download

                                                                                            • memory/3576-63-0x00000000057F0000-0x0000000005882000-memory.dmp

                                                                                              Filesize

                                                                                              584KB

                                                                                              Download

                                                                                            • memory/3576-70-0x0000000005B90000-0x0000000005BA2000-memory.dmp

                                                                                              Filesize

                                                                                              72KB

                                                                                              Download

                                                                                            • memory/3576-68-0x0000000006970000-0x0000000006F88000-memory.dmp

                                                                                              Filesize

                                                                                              6.1MB

                                                                                              Download

                                                                                            • memory/3576-65-0x0000000005980000-0x0000000005990000-memory.dmp

                                                                                              Filesize

                                                                                              64KB

                                                                                              Download

                                                                                            • memory/3576-66-0x00000000057C0000-0x00000000057CA000-memory.dmp

                                                                                              Filesize

                                                                                              40KB

                                                                                              Download

                                                                                            • memory/3576-74-0x0000000007390000-0x00000000073E0000-memory.dmp

                                                                                              Filesize

                                                                                              320KB

                                                                                              Download

                                                                                            • memory/3576-71-0x0000000005BF0000-0x0000000005C2C000-memory.dmp

                                                                                              Filesize

                                                                                              240KB

                                                                                              Download

                                                                                            • memory/3576-59-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                              Filesize

                                                                                              320KB

                                                                                              Download

                                                                                            • memory/3576-73-0x00000000064A0000-0x0000000006506000-memory.dmp

                                                                                              Filesize

                                                                                              408KB

                                                                                              Download

                                                                                            • memory/3624-259-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                              Filesize

                                                                                              9.1MB

                                                                                              Download

                                                                                            • memory/3624-285-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                              Filesize

                                                                                              9.1MB

                                                                                              Download

                                                                                            • memory/3856-757-0x0000000004480000-0x0000000004481000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3900-701-0x0000000004830000-0x0000000004831000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3964-112-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-105-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-124-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-126-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-125-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-127-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-128-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-129-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-130-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-131-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-132-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-133-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-122-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-121-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-120-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-119-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-118-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-117-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-116-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-115-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-114-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-113-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-111-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-109-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-110-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-108-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-107-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-83-0x0000000000770000-0x0000000001455000-memory.dmp

                                                                                              Filesize

                                                                                              12.9MB

                                                                                              Download

                                                                                            • memory/3964-106-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-123-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-104-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-103-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-102-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-101-0x0000000004010000-0x0000000004110000-memory.dmp

                                                                                              Filesize

                                                                                              1024KB

                                                                                              Download

                                                                                            • memory/3964-100-0x00000000035E0000-0x0000000003612000-memory.dmp

                                                                                              Filesize

                                                                                              200KB

                                                                                              Download

                                                                                            • memory/3964-88-0x00000000019C0000-0x00000000019C1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3964-89-0x00000000019D0000-0x00000000019D1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3964-90-0x0000000001A00000-0x0000000001A01000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3964-92-0x00000000035C0000-0x00000000035C1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3964-93-0x0000000000770000-0x0000000001455000-memory.dmp

                                                                                              Filesize

                                                                                              12.9MB

                                                                                              Download

                                                                                            • memory/3964-94-0x00000000035D0000-0x00000000035D1000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3964-99-0x00000000035E0000-0x0000000003612000-memory.dmp

                                                                                              Filesize

                                                                                              200KB

                                                                                              Download

                                                                                            • memory/3964-98-0x00000000035E0000-0x0000000003612000-memory.dmp

                                                                                              Filesize

                                                                                              200KB

                                                                                              Download

                                                                                            • memory/3964-91-0x0000000001A10000-0x0000000001A11000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/3964-96-0x0000000000770000-0x0000000001455000-memory.dmp

                                                                                              Filesize

                                                                                              12.9MB

                                                                                              Download

                                                                                            • memory/3964-97-0x00000000035E0000-0x0000000003612000-memory.dmp

                                                                                              Filesize

                                                                                              200KB

                                                                                              Download

                                                                                            • memory/4252-393-0x0000000001060000-0x00000000010AB000-memory.dmp

                                                                                              Filesize

                                                                                              300KB

                                                                                              Download

                                                                                            • memory/4252-390-0x0000000001060000-0x00000000010AB000-memory.dmp

                                                                                              Filesize

                                                                                              300KB

                                                                                              Download

                                                                                            • memory/4528-776-0x0000000000400000-0x00000000008DF000-memory.dmp

                                                                                              Filesize

                                                                                              4.9MB

                                                                                              Download

                                                                                            • memory/4536-334-0x000001F3091A0000-0x000001F3091C0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4536-332-0x000001F308D20000-0x000001F308D40000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/4536-330-0x000001F308D60000-0x000001F308D80000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/5020-324-0x0000000004670000-0x0000000004671000-memory.dmp

                                                                                              Filesize

                                                                                              4KB

                                                                                              Download

                                                                                            • memory/5048-698-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                              Filesize

                                                                                              9.1MB

                                                                                              Download

                                                                                            • memory/5048-755-0x0000000000400000-0x0000000000D1C000-memory.dmp

                                                                                              Filesize

                                                                                              9.1MB

                                                                                              Download

                                                                                            • memory/5084-713-0x000001FB60F80000-0x000001FB60FA0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/5084-711-0x000001FB60B70000-0x000001FB60B90000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download

                                                                                            • memory/5084-709-0x000001FB60BB0000-0x000001FB60BD0000-memory.dmp

                                                                                              Filesize

                                                                                              128KB

                                                                                              Download