Overview

overview

10

Static

static

1

Uni400uni.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    61s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2024 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Uni400uni.exe

  • Size

    3.3MB

  • MD5

    09bd16d82a747ef0621aa367c0e14a9c

  • SHA1

    da57e4b192b7cb50b6e71b48d5f233d2a6b5a4f1

  • SHA256

    b79b3ab665881eadd15b67b9b105db7d99eb091905350a53c6bbc7b91a42cd48

  • SHA512

    7365b17d9ec7264941b88d61e69ea1214ef44b9b8bff9ebc8227794b696142050f267635cdb4e588ba121259b2f2a07519df8053f143db58ebc1a048d08b49a1

  • SSDEEP

    49152:9UIbNigeVE2MD7ZDAgUftcgFEptOkf8Ug:jI3bg5W

Score
10/10
gluptebastealcdiscoverydropperevasionloaderpersistencerootkitspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.209

Attributes
  • url_path

    /3cd2b41cbde8fc9c.php

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba payload 14 IoCs
  • Modifies firewall policy service 2 TTPs 1 IoCs
    evasion
  • Stealc

    Stealc is an infostealer written in C++.

    stealerstealc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Downloads MZ/PE file
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Manipulates WinMonFS driver. 1 IoCs

    Roottkits write to WinMonFS to hide directories/files from being detected.

    rootkitevasion
  • Drops file in System32 directory 14 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 6 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Uni400uni.exe
    "C:\Users\Admin\AppData\Local\Temp\Uni400uni.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Users\Admin\Pictures\f8d6vyf8CcSsVmBPvqBWroL6.exe
        "C:\Users\Admin\Pictures\f8d6vyf8CcSsVmBPvqBWroL6.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Users\Admin\AppData\Local\Temp\u31w.0.exe
          "C:\Users\Admin\AppData\Local\Temp\u31w.0.exe"
          4⤵
          • Executes dropped EXE
          PID:4480
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1048
            5⤵
            • Program crash
            PID:4316
      • C:\Users\Admin\Pictures\v658B7mgvx5DYbvRJJudn1dI.exe
        "C:\Users\Admin\Pictures\v658B7mgvx5DYbvRJJudn1dI.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3456
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4776
        • C:\Users\Admin\Pictures\v658B7mgvx5DYbvRJJudn1dI.exe
          "C:\Users\Admin\Pictures\v658B7mgvx5DYbvRJJudn1dI.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1828
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4608
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4156
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              6⤵
              • Modifies Windows Firewall
              PID:1508
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4640
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5232
      • C:\Users\Admin\Pictures\UD7KToN3dwJ6jD7So0SFAmru.exe
        "C:\Users\Admin\Pictures\UD7KToN3dwJ6jD7So0SFAmru.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:528
        • C:\Users\Admin\Pictures\UD7KToN3dwJ6jD7So0SFAmru.exe
          "C:\Users\Admin\Pictures\UD7KToN3dwJ6jD7So0SFAmru.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks for VirtualBox DLLs, possible anti-VM trick
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1364
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2408
          • C:\Windows\system32\cmd.exe
            C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2412
            • C:\Windows\system32\netsh.exe
              netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
              6⤵
              • Modifies Windows Firewall
              PID:2504
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3760
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            5⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5224
          • C:\Windows\rss\csrss.exe
            C:\Windows\rss\csrss.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Manipulates WinMonFS driver.
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5684
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -nologo -noprofile
              6⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5804
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
              6⤵
              • Creates scheduled task(s)
              PID:6088
            • C:\Windows\SYSTEM32\schtasks.exe
              schtasks /delete /tn ScheduledUpdate /f
              6⤵
                PID:6116
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                6⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4184
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -nologo -noprofile
                6⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5460
              • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:1560
              • C:\Windows\SYSTEM32\schtasks.exe
                schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                6⤵
                • Creates scheduled task(s)
                PID:5992
              • C:\Windows\windefender.exe
                "C:\Windows\windefender.exe"
                6⤵
                • Executes dropped EXE
                PID:2412
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                  7⤵
                    PID:316
                    • C:\Windows\SysWOW64\sc.exe
                      sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                      8⤵
                      • Launches sc.exe
                      • Suspicious use of AdjustPrivilegeToken
                      PID:816
          • C:\Users\Admin\Pictures\FMAe74ffrvL7ajt27hKSKYDR.exe
            "C:\Users\Admin\Pictures\FMAe74ffrvL7ajt27hKSKYDR.exe"
            3⤵
            • Modifies firewall policy service
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            PID:4776
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4480 -ip 4480
        1⤵
          PID:3704
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
          1⤵
            PID:5540
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
            1⤵
              PID:5552
            • C:\Windows\windefender.exe
              C:\Windows\windefender.exe
              1⤵
              • Executes dropped EXE
              PID:1960

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Scheduled Task/Job

            1
            T1053

            Persistence

            Create or Modify System Process

            2
            T1543

            Windows Service

            2
            T1543.003

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Scheduled Task/Job

            1
            T1053

            Privilege Escalation

            Create or Modify System Process

            2
            T1543

            Windows Service

            2
            T1543.003

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Scheduled Task/Job

            1
            T1053

            Defense Evasion

            Modify Registry

            2
            T1112

            Virtualization/Sandbox Evasion

            1
            T1497

            Impair Defenses

            1
            T1562

            Disable or Modify System Firewall

            1
            T1562.004

            Credential Access

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Query Registry

            5
            T1012

            Virtualization/Sandbox Evasion

            1
            T1497

            System Information Discovery

            5
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Web Service

            1
            T1102

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              a6ea7bfcd3aac150c0caef765cb52281

              SHA1

              037dc22c46a0eb0b9ad4c74088129e387cffe96b

              SHA256

              f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9

              SHA512

              c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              21KB

              MD5

              dfd2b5651843bd6328a7d611c86f55ea

              SHA1

              f427ab99b22d2a7554d2bc11988f531bfcc9134e

              SHA256

              621406cd2b016a2f1207746fc7aaa7060774082e845246597d17f021a74180e5

              SHA512

              a674f19e6736f7838ccadb5a1e218872c34554d244ced606297445b5355766b32ec8e331d417c3385986625fabfc928bd2a88e5324e100ddd8d5966d13e05729

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d3rtrmar.s3c.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
              Filesize

              281KB

              MD5

              d98e33b66343e7c96158444127a117f6

              SHA1

              bb716c5509a2bf345c6c1152f6e3e1452d39d50d

              SHA256

              5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

              SHA512

              705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\u31w.0.exe
              Filesize

              323KB

              MD5

              1d4341aa0ca4aefcb043d19eb205d8ac

              SHA1

              c6e7a063a22e6bad72b2c81017747ab31cb59579

              SHA256

              42af762221074082dc3aa6e4efdc2b6439cc026d6e94d6eeae97fcfafda272b4

              SHA512

              1bcc133000feb1ab7944295a14601ff1a66432dcbe117e9e60c9f98cb8aee5b28f0ddcbbc25e2b6d91b677ca67de32a8930a1317de9b8be17524a9bea43c73a7

              Download Submit
            • C:\Users\Admin\Pictures\FMAe74ffrvL7ajt27hKSKYDR.exe
              Filesize

              3.9MB

              MD5

              ffee05ea98b1d51026a44fad0841a8a9

              SHA1

              50a703329c7b9812c17a02b554cf406040079fec

              SHA256

              4cb040696b9ffb14794955b0e56eed04fde0cae3a5ee748dd513ad42c411c823

              SHA512

              626ddc18a906b74a231daa5bcc092a90708e0e3d42e4db645d59d19de7ef38a2d91a843f11dbc7873d379bfa14e87c5fc6d09a657e0b44abd24b9991cb971f86

              Download Submit
            • C:\Users\Admin\Pictures\LfzRHB0ET9iBCs79gvTRy2iG.exe
              Filesize

              7KB

              MD5

              5b423612b36cde7f2745455c5dd82577

              SHA1

              0187c7c80743b44e9e0c193e993294e3b969cc3d

              SHA256

              e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

              SHA512

              c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

              Download Submit
            • C:\Users\Admin\Pictures\f8d6vyf8CcSsVmBPvqBWroL6.exe
              Filesize

              445KB

              MD5

              962689a584907a91344cd3427b586a04

              SHA1

              662bccdb6bd35082045778a68361dd3bf849dd57

              SHA256

              6abeb832e0ebffa3c8f166620d0aba275c0d51c4f75465e79a85716aead44cb4

              SHA512

              c9fa49f5c86498857c78ca833c847758b0e8b61db68454a5a5b3950332ac3f7238606f0ead0b1c288fcf82f7e450fb90b07f8770badac376bb8786caa755f6cb

              Download Submit
            • C:\Users\Admin\Pictures\v658B7mgvx5DYbvRJJudn1dI.exe
              Filesize

              4.2MB

              MD5

              12c1251ddacc8c6651573aaae2a36711

              SHA1

              aa4a4fc95f24a847f33a0fcc22d318fe947929d0

              SHA256

              a018166a731757f43374b0b24baecfbf31b85cf9de793b9d11b186acf887bf22

              SHA512

              e8e9723b210254504ae06f77ed86ff5c7da0ac1ba5134cb2ab99cd42b06744cdf2379835d5e8cbd413da69b1184a0d6297d29dc8393794d8959c5a2dc94f0a69

              Download Submit
            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              968cb9309758126772781b83adb8a28f

              SHA1

              8da30e71accf186b2ba11da1797cf67f8f78b47c

              SHA256

              92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

              SHA512

              4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

              Download Submit
            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              c967d8c293212d6471ab5d36d15019ea

              SHA1

              406757b02966a0febd23481ca69ec6e48dc57198

              SHA256

              5d4e396d4688c228875d05fe1bd56c85c11a221a04194e1e0e70227a66342aed

              SHA512

              c227bd16c0c5086f7c2472132f5c1405a1d74f25d896269c08d0dfe4bd9d26f79801b299f1c20ca868c91766a9cd76d57be79eb303d149f06b62d270a672f5cf

              Download Submit
            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              927a97b5c6fbaff3bae367cf7898772d

              SHA1

              b58515d5c2080da48fbd1cd5080ecff687c64c8c

              SHA256

              d0e4f39083a1aaa997abb9517aa003f2cdcb59af9bdc82b517c49df2a288c497

              SHA512

              c98bd78729a316b316cad79e1318d0919d8a9a79e1fc463b8f5eaa2e19a93c50dd4b17cd3dc7b2a9926b9761b11aa1453835695318303671d9c0de8739ac23d7

              Download Submit
            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              cc38260a1211e0037df90399bbace95f

              SHA1

              5f53489f4c137164fb0ff3ff2750655ca46b22da

              SHA256

              757a538f49b1d0035dbf6da871bb04d16cf82f5b63c40b6c49412b1acf47f194

              SHA512

              639a714cbc272a9fdd5f034c822d0cce6e8eb467b836051d5100771533b2fe99317ce80c23a2427d8e643a9e33bda939c9566796ed9cd3e68087046a9aecc640

              Download Submit
            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              e98c38454d89188b68b7612d8b8307a6

              SHA1

              683e6c07d198e05531a7f1f174f7ece1f3ff841f

              SHA256

              9f4c676f3249073211853d366d3f604a4bb41a811e93b1a97898eac2e5b72797

              SHA512

              86bd5890f0a7587be352cb7b680c48629be712c38c4a8226f275b0c4711888e3b655724d4d2a714d64d02ebb54ef57c0bfbb043a0f82dbeb380dafc53d22b7b9

              Download Submit
            • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              19KB

              MD5

              aa06a819c9c754316a5d468ae4ea5ff9

              SHA1

              4857e0e6e06a474abf18049354573e698a60e0e4

              SHA256

              9d11b28a95054febc917b2b336df5546b48879be5721a85a26af400540a26b96

              SHA512

              65a569d7519e5273e1b8f1614908849cc507525f715ce216d25e83661de46486d96683d6582bf8a8f3845fc00a5a5b74d74983a9695ccac6d7ade7bc79b6aed4

              Download Submit
            • C:\Windows\System32\GroupPolicy\gpt.ini
              Filesize

              127B

              MD5

              8ef9853d1881c5fe4d681bfb31282a01

              SHA1

              a05609065520e4b4e553784c566430ad9736f19f

              SHA256

              9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

              SHA512

              5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

              Download Submit
            • C:\Windows\windefender.exe
              Filesize

              2.0MB

              MD5

              8e67f58837092385dcf01e8a2b4f5783

              SHA1

              012c49cfd8c5d06795a6f67ea2baf2a082cf8625

              SHA256

              166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

              SHA512

              40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

              Download Submit
            • memory/528-113-0x00000000082A0000-0x000000000891A000-memory.dmp
              Filesize

              6.5MB

              Download
            • memory/528-115-0x000000007F6E0000-0x000000007F6F0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/528-80-0x0000000074220000-0x00000000749D0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/528-82-0x0000000005970000-0x0000000005F98000-memory.dmp
              Filesize

              6.2MB

              Download
            • memory/528-161-0x0000000074220000-0x00000000749D0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/528-158-0x0000000008000000-0x0000000008008000-memory.dmp
              Filesize

              32KB

              Download
            • memory/528-156-0x0000000007FC0000-0x0000000007FD4000-memory.dmp
              Filesize

              80KB

              Download
            • memory/528-85-0x0000000005330000-0x0000000005340000-memory.dmp
              Filesize

              64KB

              Download
            • memory/528-155-0x0000000007FB0000-0x0000000007FBE000-memory.dmp
              Filesize

              56KB

              Download
            • memory/528-79-0x00000000052A0000-0x00000000052D6000-memory.dmp
              Filesize

              216KB

              Download
            • memory/528-152-0x0000000005330000-0x0000000005340000-memory.dmp
              Filesize

              64KB

              Download
            • memory/528-148-0x0000000008010000-0x00000000080A6000-memory.dmp
              Filesize

              600KB

              Download
            • memory/528-132-0x0000000007F50000-0x0000000007F5A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/528-131-0x0000000007E60000-0x0000000007F03000-memory.dmp
              Filesize

              652KB

              Download
            • memory/528-129-0x0000000007E40000-0x0000000007E5E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/528-130-0x0000000005330000-0x0000000005340000-memory.dmp
              Filesize

              64KB

              Download
            • memory/528-118-0x000000006E260000-0x000000006E5B4000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/528-112-0x0000000007BA0000-0x0000000007C16000-memory.dmp
              Filesize

              472KB

              Download
            • memory/528-117-0x000000006F690000-0x000000006F6DC000-memory.dmp
              Filesize

              304KB

              Download
            • memory/528-114-0x0000000007C40000-0x0000000007C5A000-memory.dmp
              Filesize

              104KB

              Download
            • memory/528-116-0x0000000007E00000-0x0000000007E32000-memory.dmp
              Filesize

              200KB

              Download
            • memory/1224-153-0x0000000003A50000-0x0000000003E53000-memory.dmp
              Filesize

              4.0MB

              Download
            • memory/1224-64-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/1224-173-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/1224-60-0x0000000003A50000-0x0000000003E53000-memory.dmp
              Filesize

              4.0MB

              Download
            • memory/1364-363-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/1364-174-0x0000000003950000-0x0000000003D51000-memory.dmp
              Filesize

              4.0MB

              Download
            • memory/1364-186-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/1828-362-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/1828-366-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/1828-171-0x0000000003C00000-0x0000000004007000-memory.dmp
              Filesize

              4.0MB

              Download
            • memory/1828-175-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/2412-509-0x0000000000400000-0x00000000008DF000-memory.dmp
              Filesize

              4.9MB

              Download
            • memory/3456-59-0x0000000003B00000-0x0000000003F08000-memory.dmp
              Filesize

              4.0MB

              Download
            • memory/3456-63-0x0000000003F10000-0x00000000047FB000-memory.dmp
              Filesize

              8.9MB

              Download
            • memory/3456-61-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/3456-172-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/3456-154-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/3456-151-0x0000000003B00000-0x0000000003F08000-memory.dmp
              Filesize

              4.0MB

              Download
            • memory/3956-146-0x0000000001C50000-0x0000000001D50000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/3956-136-0x00000000036F0000-0x000000000375E000-memory.dmp
              Filesize

              440KB

              Download
            • memory/3956-27-0x0000000001C50000-0x0000000001D50000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/3956-150-0x0000000000400000-0x0000000001A3A000-memory.dmp
              Filesize

              22.2MB

              Download
            • memory/3956-30-0x0000000000400000-0x0000000001A3A000-memory.dmp
              Filesize

              22.2MB

              Download
            • memory/3956-28-0x00000000036F0000-0x000000000375E000-memory.dmp
              Filesize

              440KB

              Download
            • memory/4480-77-0x0000000003630000-0x0000000003657000-memory.dmp
              Filesize

              156KB

              Download
            • memory/4480-78-0x0000000000400000-0x0000000001A1C000-memory.dmp
              Filesize

              22.1MB

              Download
            • memory/4480-76-0x0000000001B10000-0x0000000001C10000-memory.dmp
              Filesize

              1024KB

              Download
            • memory/4480-108-0x0000000000400000-0x0000000001A1C000-memory.dmp
              Filesize

              22.1MB

              Download
            • memory/4588-2-0x00000000052F0000-0x0000000005300000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4588-1-0x0000000074220000-0x00000000749D0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/4588-0-0x0000000000400000-0x0000000000408000-memory.dmp
              Filesize

              32KB

              Download
            • memory/4588-133-0x00000000052F0000-0x0000000005300000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4588-119-0x0000000074220000-0x00000000749D0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/4608-176-0x00000000059F0000-0x0000000005D44000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/4608-187-0x0000000004A60000-0x0000000004A70000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4776-432-0x00007FF630600000-0x00007FF631109000-memory.dmp
              Filesize

              11.0MB

              Download
            • memory/4776-147-0x00000000034E0000-0x00000000034F0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4776-438-0x00007FF630600000-0x00007FF631109000-memory.dmp
              Filesize

              11.0MB

              Download
            • memory/4776-135-0x000000006E260000-0x000000006E5B4000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/4776-439-0x00007FF630600000-0x00007FF631109000-memory.dmp
              Filesize

              11.0MB

              Download
            • memory/4776-134-0x000000006F690000-0x000000006F6DC000-memory.dmp
              Filesize

              304KB

              Download
            • memory/4776-111-0x0000000006D50000-0x0000000006D94000-memory.dmp
              Filesize

              272KB

              Download
            • memory/4776-440-0x00007FF630600000-0x00007FF631109000-memory.dmp
              Filesize

              11.0MB

              Download
            • memory/4776-109-0x0000000006810000-0x000000000682E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/4776-107-0x0000000006340000-0x0000000006694000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/4776-87-0x00000000061D0000-0x0000000006236000-memory.dmp
              Filesize

              408KB

              Download
            • memory/4776-165-0x0000000074220000-0x00000000749D0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/4776-149-0x0000000007EE0000-0x0000000007EF1000-memory.dmp
              Filesize

              68KB

              Download
            • memory/4776-157-0x0000000008020000-0x000000000803A000-memory.dmp
              Filesize

              104KB

              Download
            • memory/4776-110-0x0000000006840000-0x000000000688C000-memory.dmp
              Filesize

              304KB

              Download
            • memory/4776-442-0x00007FF630600000-0x00007FF631109000-memory.dmp
              Filesize

              11.0MB

              Download
            • memory/4776-88-0x0000000074220000-0x00000000749D0000-memory.dmp
              Filesize

              7.7MB

              Download
            • memory/4776-86-0x0000000006160000-0x00000000061C6000-memory.dmp
              Filesize

              408KB

              Download
            • memory/4776-84-0x0000000005830000-0x0000000005852000-memory.dmp
              Filesize

              136KB

              Download
            • memory/4776-83-0x00000000034E0000-0x00000000034F0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4776-500-0x00007FF630600000-0x00007FF631109000-memory.dmp
              Filesize

              11.0MB

              Download
            • memory/4776-81-0x00000000034E0000-0x00000000034F0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/5684-499-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/5684-514-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download
            • memory/5684-521-0x0000000000400000-0x0000000001DF9000-memory.dmp
              Filesize

              26.0MB

              Download