glupteba | 18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97

Analysis

max time kernel
103s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09/05/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe
Size

390KB
MD5

18b50c6016cd5d7ff2f01b71a5e3373b
SHA1

d62dc0a84e39a1fff24163153761c62a55ff30fe
SHA256

18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97
SHA512

27e0017fa30a9322e71191b2c4954d1f55d8fe827f029092fa3bdd6a52e799bbb671a776c3596a1df02d8ebe660b2192f293cb67252ec289bbc99a8725ceaa19
SSDEEP

6144:LlEGEyWKpTlDB878Ed8nFO+tFXFBCorNVDq5GZJrtLK7BYY0g2wqS5e8x:KGEyWERrpdTjZDqeh2Beg28Tx

Score

10^/10

glupteba privateloader stealc zgrat discovery dropper evasion execution loader rat spyware stealer themida trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/6140-1310-0x000001EA399C0000-0x000001EA3D1F4000-memory.dmp	family_zgrat_v1
behavioral2/memory/6140-1311-0x000001EA579B0000-0x000001EA57ABA000-memory.dmp	family_zgrat_v1
behavioral2/memory/6140-1315-0x000001EA57880000-0x000001EA578A4000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

resource	yara_rule
behavioral2/memory/4872-1282-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/3376-1286-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/1856-1290-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/2064-1293-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5768-3183-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5812-3201-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5848-3202-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5812-3352-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/5848-3564-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/2204-3584-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/3788-5025-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	ar3h4L4Q6qoSP0elzT7g4sNt.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ar3h4L4Q6qoSP0elzT7g4sNt.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4300	powershell.exe
212	powershell.exe
1816	powershell.exe
2592	powershell.exe
2240	powershell.exe
3820	powershell.exe
5616	powershell.exe
5880	powershell.exe
2904	powershell.exe
5896	powershell.exe
3060	powershell.exe
5916	powershell.exe
5812	powershell.exe
5428	powershell.exe
5640	powershell.exe
4180	powershell.exe
5788	powershell.exe
5628	powershell.exe
5380	powershell.exe
380	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5428	netsh.exe
5424	netsh.exe
1764	netsh.exe
1080	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ar3h4L4Q6qoSP0elzT7g4sNt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ar3h4L4Q6qoSP0elzT7g4sNt.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hoO9kpgrAmQPyMk5GPFWdqp7.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\up0C4R2ajGIPS9GJW29lRtxd.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6SMzhRhvIC8RR3IfIMfkL0If.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\W7rQdrupJLtF6qGQJBXsr2ik.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8RLQJxYp4UcvsOssQWjUOWpR.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C7likkeZQ0O89lVtYywxIyAM.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wuZzjQ4ygNDsygufnOnd9lSI.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j689rw6UTnJ7FjTkXBUiDd15.bat	CasPol.exe

Executes dropped EXE 13 IoCs

pid	Process
1896	hnL1uSF4MuZYq1UltpwFwIXV.exe
1856	uJ0PiYgSu3ck1xBBYSPuS5nn.exe
4872	cXaVrhea89Nwzaore93fMHDx.exe
3376	14wjYPdNCPVKZlepUD2MZJ3K.exe
2064	HyCdPC6K7ot92JfZgawXFqP6.exe
2424	8ys8ZFdu6xNX8P6rZbMg5Mpq.exe
2868	ar3h4L4Q6qoSP0elzT7g4sNt.exe
1604	u1go.0.exe
4104	u1go.1.exe
5768	cXaVrhea89Nwzaore93fMHDx.exe
5812	14wjYPdNCPVKZlepUD2MZJ3K.exe
5848	uJ0PiYgSu3ck1xBBYSPuS5nn.exe
2204	HyCdPC6K7ot92JfZgawXFqP6.exe

Loads dropped DLL 2 IoCs

pid	Process
1604	u1go.0.exe
1604	u1go.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000700000001ac66-115.dat	themida
behavioral2/memory/2868-116-0x0000000140000000-0x000000014097B000-memory.dmp	themida
behavioral2/memory/2868-125-0x0000000140000000-0x000000014097B000-memory.dmp	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000001ac26-5011.dat	upx
behavioral2/memory/1840-5015-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/5080-5028-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ar3h4L4Q6qoSP0elzT7g4sNt.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
4	pastebin.com

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	ar3h4L4Q6qoSP0elzT7g4sNt.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	ar3h4L4Q6qoSP0elzT7g4sNt.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	ar3h4L4Q6qoSP0elzT7g4sNt.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	ar3h4L4Q6qoSP0elzT7g4sNt.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2868	ar3h4L4Q6qoSP0elzT7g4sNt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3368 set thread context of 788	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	74

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	14wjYPdNCPVKZlepUD2MZJ3K.exe
File opened (read-only)	\??\VBoxMiniRdrDN	uJ0PiYgSu3ck1xBBYSPuS5nn.exe
File opened (read-only)	\??\VBoxMiniRdrDN	cXaVrhea89Nwzaore93fMHDx.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3868	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5988	2424	WerFault.exe	84

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8ys8ZFdu6xNX8P6rZbMg5Mpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1go.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1go.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1go.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8ys8ZFdu6xNX8P6rZbMg5Mpq.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8ys8ZFdu6xNX8P6rZbMg5Mpq.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1go.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1go.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5352	schtasks.exe
5256	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	cXaVrhea89Nwzaore93fMHDx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	cXaVrhea89Nwzaore93fMHDx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	cXaVrhea89Nwzaore93fMHDx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	cXaVrhea89Nwzaore93fMHDx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	14wjYPdNCPVKZlepUD2MZJ3K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	14wjYPdNCPVKZlepUD2MZJ3K.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	cXaVrhea89Nwzaore93fMHDx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	14wjYPdNCPVKZlepUD2MZJ3K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	14wjYPdNCPVKZlepUD2MZJ3K.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	cXaVrhea89Nwzaore93fMHDx.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	cXaVrhea89Nwzaore93fMHDx.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
380	powershell.exe
380	powershell.exe
380	powershell.exe
3820	powershell.exe
3820	powershell.exe
212	powershell.exe
212	powershell.exe
4300	powershell.exe
4300	powershell.exe
212	powershell.exe
3820	powershell.exe
4300	powershell.exe
212	powershell.exe
3820	powershell.exe
4300	powershell.exe
5896	powershell.exe
5896	powershell.exe
5896	powershell.exe
5896	powershell.exe
3376	14wjYPdNCPVKZlepUD2MZJ3K.exe
3376	14wjYPdNCPVKZlepUD2MZJ3K.exe
4872	cXaVrhea89Nwzaore93fMHDx.exe
4872	cXaVrhea89Nwzaore93fMHDx.exe
1856	uJ0PiYgSu3ck1xBBYSPuS5nn.exe
1856	uJ0PiYgSu3ck1xBBYSPuS5nn.exe
2064	HyCdPC6K7ot92JfZgawXFqP6.exe
2064	HyCdPC6K7ot92JfZgawXFqP6.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
1604	u1go.0.exe
1604	u1go.0.exe
5616	powershell.exe
5616	powershell.exe
5640	powershell.exe
5640	powershell.exe
5616	powershell.exe
5640	powershell.exe
5616	powershell.exe
5640	powershell.exe
4180	powershell.exe
4180	powershell.exe
4180	powershell.exe
4180	powershell.exe
5768	cXaVrhea89Nwzaore93fMHDx.exe
5768	cXaVrhea89Nwzaore93fMHDx.exe
5768	cXaVrhea89Nwzaore93fMHDx.exe
5768	cXaVrhea89Nwzaore93fMHDx.exe
5768	cXaVrhea89Nwzaore93fMHDx.exe
5768	cXaVrhea89Nwzaore93fMHDx.exe
5768	cXaVrhea89Nwzaore93fMHDx.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	788	CasPol.exe
Token: SeIncreaseQuotaPrivilege	380	powershell.exe
Token: SeSecurityPrivilege	380	powershell.exe
Token: SeTakeOwnershipPrivilege	380	powershell.exe
Token: SeLoadDriverPrivilege	380	powershell.exe
Token: SeSystemProfilePrivilege	380	powershell.exe
Token: SeSystemtimePrivilege	380	powershell.exe
Token: SeProfSingleProcessPrivilege	380	powershell.exe
Token: SeIncBasePriorityPrivilege	380	powershell.exe
Token: SeCreatePagefilePrivilege	380	powershell.exe
Token: SeBackupPrivilege	380	powershell.exe
Token: SeRestorePrivilege	380	powershell.exe
Token: SeShutdownPrivilege	380	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeSystemEnvironmentPrivilege	380	powershell.exe
Token: SeRemoteShutdownPrivilege	380	powershell.exe
Token: SeUndockPrivilege	380	powershell.exe
Token: SeManageVolumePrivilege	380	powershell.exe
Token: 33	380	powershell.exe
Token: 34	380	powershell.exe
Token: 35	380	powershell.exe
Token: 36	380	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	5896	powershell.exe
Token: SeDebugPrivilege	3376	14wjYPdNCPVKZlepUD2MZJ3K.exe
Token: SeImpersonatePrivilege	3376	14wjYPdNCPVKZlepUD2MZJ3K.exe
Token: SeDebugPrivilege	4872	cXaVrhea89Nwzaore93fMHDx.exe
Token: SeImpersonatePrivilege	4872	cXaVrhea89Nwzaore93fMHDx.exe
Token: SeDebugPrivilege	1856	uJ0PiYgSu3ck1xBBYSPuS5nn.exe
Token: SeImpersonatePrivilege	1856	uJ0PiYgSu3ck1xBBYSPuS5nn.exe
Token: SeDebugPrivilege	2064	HyCdPC6K7ot92JfZgawXFqP6.exe
Token: SeImpersonatePrivilege	2064	HyCdPC6K7ot92JfZgawXFqP6.exe
Token: SeDebugPrivilege	6140	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	5616	powershell.exe
Token: SeDebugPrivilege	5640	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	5880	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	5788	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4104	u1go.1.exe
4104	u1go.1.exe
4104	u1go.1.exe
4104	u1go.1.exe
4104	u1go.1.exe
4104	u1go.1.exe
4104	u1go.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
4104	u1go.1.exe
4104	u1go.1.exe
4104	u1go.1.exe
4104	u1go.1.exe
4104	u1go.1.exe
4104	u1go.1.exe
4104	u1go.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 380	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	72
PID 3368 wrote to memory of 380	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	72
PID 3368 wrote to memory of 788	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	74
PID 3368 wrote to memory of 788	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	74
PID 3368 wrote to memory of 788	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	74
PID 3368 wrote to memory of 788	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	74
PID 3368 wrote to memory of 788	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	74
PID 3368 wrote to memory of 788	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	74
PID 3368 wrote to memory of 788	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	74
PID 3368 wrote to memory of 788	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	74
PID 3368 wrote to memory of 4572	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75
PID 3368 wrote to memory of 4572	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75
PID 3368 wrote to memory of 4572	3368	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe	75
PID 788 wrote to memory of 1896	788	CasPol.exe	79
PID 788 wrote to memory of 1896	788	CasPol.exe	79
PID 788 wrote to memory of 1896	788	CasPol.exe	79
PID 788 wrote to memory of 1856	788	CasPol.exe	80
PID 788 wrote to memory of 1856	788	CasPol.exe	80
PID 788 wrote to memory of 1856	788	CasPol.exe	80
PID 788 wrote to memory of 4872	788	CasPol.exe	81
PID 788 wrote to memory of 4872	788	CasPol.exe	81
PID 788 wrote to memory of 4872	788	CasPol.exe	81
PID 788 wrote to memory of 3376	788	CasPol.exe	82
PID 788 wrote to memory of 3376	788	CasPol.exe	82
PID 788 wrote to memory of 3376	788	CasPol.exe	82
PID 788 wrote to memory of 2064	788	CasPol.exe	83
PID 788 wrote to memory of 2064	788	CasPol.exe	83
PID 788 wrote to memory of 2064	788	CasPol.exe	83
PID 788 wrote to memory of 2424	788	CasPol.exe	84
PID 788 wrote to memory of 2424	788	CasPol.exe	84
PID 788 wrote to memory of 2424	788	CasPol.exe	84
PID 788 wrote to memory of 2868	788	CasPol.exe	85
PID 788 wrote to memory of 2868	788	CasPol.exe	85
PID 1896 wrote to memory of 1604	1896	hnL1uSF4MuZYq1UltpwFwIXV.exe	88
PID 1896 wrote to memory of 1604	1896	hnL1uSF4MuZYq1UltpwFwIXV.exe	88
PID 1896 wrote to memory of 1604	1896	hnL1uSF4MuZYq1UltpwFwIXV.exe	88
PID 1896 wrote to memory of 4104	1896	hnL1uSF4MuZYq1UltpwFwIXV.exe	90
PID 1896 wrote to memory of 4104	1896	hnL1uSF4MuZYq1UltpwFwIXV.exe	90
PID 1896 wrote to memory of 4104	1896	hnL1uSF4MuZYq1UltpwFwIXV.exe	90
PID 4872 wrote to memory of 212	4872	cXaVrhea89Nwzaore93fMHDx.exe	93
PID 4872 wrote to memory of 212	4872	cXaVrhea89Nwzaore93fMHDx.exe	93
PID 4872 wrote to memory of 212	4872	cXaVrhea89Nwzaore93fMHDx.exe	93
PID 1856 wrote to memory of 3820	1856	uJ0PiYgSu3ck1xBBYSPuS5nn.exe	94
PID 1856 wrote to memory of 3820	1856	uJ0PiYgSu3ck1xBBYSPuS5nn.exe	94
PID 1856 wrote to memory of 3820	1856	uJ0PiYgSu3ck1xBBYSPuS5nn.exe	94
PID 3376 wrote to memory of 4300	3376	14wjYPdNCPVKZlepUD2MZJ3K.exe	97
PID 3376 wrote to memory of 4300	3376	14wjYPdNCPVKZlepUD2MZJ3K.exe	97
PID 3376 wrote to memory of 4300	3376	14wjYPdNCPVKZlepUD2MZJ3K.exe	97
PID 2064 wrote to memory of 5896	2064	HyCdPC6K7ot92JfZgawXFqP6.exe	99
PID 2064 wrote to memory of 5896	2064	HyCdPC6K7ot92JfZgawXFqP6.exe	99
PID 2064 wrote to memory of 5896	2064	HyCdPC6K7ot92JfZgawXFqP6.exe	99
PID 4104 wrote to memory of 6140	4104	u1go.1.exe	108
PID 4104 wrote to memory of 6140	4104	u1go.1.exe	108
PID 5768 wrote to memory of 5616	5768	cXaVrhea89Nwzaore93fMHDx.exe	110
PID 5768 wrote to memory of 5616	5768	cXaVrhea89Nwzaore93fMHDx.exe	110
PID 5768 wrote to memory of 5616	5768	cXaVrhea89Nwzaore93fMHDx.exe	110
PID 5812 wrote to memory of 5640	5812	14wjYPdNCPVKZlepUD2MZJ3K.exe	111
PID 5812 wrote to memory of 5640	5812	14wjYPdNCPVKZlepUD2MZJ3K.exe	111
PID 5812 wrote to memory of 5640	5812	14wjYPdNCPVKZlepUD2MZJ3K.exe	111
PID 5848 wrote to memory of 4180	5848	uJ0PiYgSu3ck1xBBYSPuS5nn.exe	114
PID 5848 wrote to memory of 4180	5848	uJ0PiYgSu3ck1xBBYSPuS5nn.exe	114
PID 5848 wrote to memory of 4180	5848	uJ0PiYgSu3ck1xBBYSPuS5nn.exe	114
PID 5768 wrote to memory of 1748	5768	cXaVrhea89Nwzaore93fMHDx.exe	168
PID 5768 wrote to memory of 1748	5768	cXaVrhea89Nwzaore93fMHDx.exe	168

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe

C:\Users\Admin\AppData\Local\Temp\18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe
"C:\Users\Admin\AppData\Local\Temp\18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\18d62aa8d04103058203e75fe4039dadb80eb0927ddd23b14f89c984f28aea97.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Users\Admin\Pictures\hnL1uSF4MuZYq1UltpwFwIXV.exe
    "C:\Users\Admin\Pictures\hnL1uSF4MuZYq1UltpwFwIXV.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\u1go.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u1go.0.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\u1go.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u1go.1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6140
- - C:\Users\Admin\Pictures\uJ0PiYgSu3ck1xBBYSPuS5nn.exe
    "C:\Users\Admin\Pictures\uJ0PiYgSu3ck1xBBYSPuS5nn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3820
  - - C:\Users\Admin\Pictures\uJ0PiYgSu3ck1xBBYSPuS5nn.exe
      "C:\Users\Admin\Pictures\uJ0PiYgSu3ck1xBBYSPuS5nn.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Suspicious use of WriteProcessMemory
      PID:5848
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2480
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:1080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2592
- - C:\Users\Admin\Pictures\cXaVrhea89Nwzaore93fMHDx.exe
    "C:\Users\Admin\Pictures\cXaVrhea89Nwzaore93fMHDx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:212
  - - C:\Users\Admin\Pictures\cXaVrhea89Nwzaore93fMHDx.exe
      "C:\Users\Admin\Pictures\cXaVrhea89Nwzaore93fMHDx.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5768
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5616
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1748
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5424
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5880
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5788
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:3788
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5628
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5352
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:4276
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5428
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5380
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:1808
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5256
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:3868
- - C:\Users\Admin\Pictures\14wjYPdNCPVKZlepUD2MZJ3K.exe
    "C:\Users\Admin\Pictures\14wjYPdNCPVKZlepUD2MZJ3K.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Users\Admin\Pictures\14wjYPdNCPVKZlepUD2MZJ3K.exe
      "C:\Users\Admin\Pictures\14wjYPdNCPVKZlepUD2MZJ3K.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:5812
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5640
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5484
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:1764
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5916
- - C:\Users\Admin\Pictures\HyCdPC6K7ot92JfZgawXFqP6.exe
    "C:\Users\Admin\Pictures\HyCdPC6K7ot92JfZgawXFqP6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5896
  - - C:\Users\Admin\Pictures\HyCdPC6K7ot92JfZgawXFqP6.exe
      "C:\Users\Admin\Pictures\HyCdPC6K7ot92JfZgawXFqP6.exe"
      4⤵
      Executes dropped EXE
      PID:2204
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2904
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5292
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5428
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2240
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5812
- - C:\Users\Admin\Pictures\8ys8ZFdu6xNX8P6rZbMg5Mpq.exe
    "C:\Users\Admin\Pictures\8ys8ZFdu6xNX8P6rZbMg5Mpq.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    PID:2424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 492
      4⤵
      Program crash
      PID:5988
- - C:\Users\Admin\Pictures\ar3h4L4Q6qoSP0elzT7g4sNt.exe
    "C:\Users\Admin\Pictures\ar3h4L4Q6qoSP0elzT7g4sNt.exe"
    3⤵
    - Modifies firewall policy service
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:4572

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4296

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5080

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
98995f4a3f04a1ccd51e64744571c7ac

SHA1
4660fdf3ccab4fdabd985386336e643678b13a83

SHA256
9a765d3dc0ba5d7d9b1d4e85ad5035da33c4774dd49d3944186fa6faaee5856b

SHA512
124c6a6ed239b030a4a1d0106a66c8f460c5153aff55358f7f377f30d88c1da236d276e197176418221c72bb42bac8899e5ea923408d770a1682fce81513973b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
27bb9cb8ff261bb65c38288e3d76f958

SHA1
152397a89da9a2bb2cd7c1ece2b758b9b84543d5

SHA256
1d2541372351fbe08333a4c60b447984c17b1c250c3bd2da0e749c635b111186

SHA512
fb35b0a76778810b3fd777367cd44ea7517e38ece58a45a43a1ea090007c742129e5b0f4b48917c1e43e349b1db878822330f7a242d04760be1a755717a491c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
0dbf4c62bb4c4059952c96ee0320945f

SHA1
b4764ae9d104e7937f346a0bbecb5bf3ab1155a4

SHA256
c5a7aa15664a84653e86cb2035208270c3846df6e36fa9b0fd3c2f30c53d612e

SHA512
e41b34424dcdbb0b33f7431ddd7135b1fc67ee6119698d9449d8a56622dcb44f850414df20ba6a4e92731eae68810ffcc670dfc02290a2a6e8532b8b044a725d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d3g0pnwp.fvs.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
6f652ad00f65502c770eb0e5c2165a24

SHA1
c595cdbab1c77a0f186417e63ddd2aea27041a5a

SHA256
13bb9fa5a0d06e3776799d09107e453659a820d2a62c3b6b6aae3cc2a162da21

SHA512
fc1b6ffadf95b91c3084a736bfa06a117b9bcc85c81bc156c9d62d008af4da4e62756954ab5125eb8c02c3282931ba58f928a6fae283bfe358a6b0807512a589

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1go.0.exe

Filesize
206KB

MD5
0917be53327ea132956255dcab650a82

SHA1
b60818917f645a8a9af3b530e3ae37c1f002be2f

SHA256
211c34660898480e0777c6ef6f61bf2111f6550e00b40cab859543d567dc455a

SHA512
a72acc24ba813d983bbf2ecab7929d0aab4e25637ae43e85b973a5105429bd15c061415fd855737620caaf81b456b2d6ba57f85566245efbe5f8b5db5560932a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1go.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Pictures\5wRfvDmYkXz8cjDFhbtvLP16.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\8ys8ZFdu6xNX8P6rZbMg5Mpq.exe

Filesize
213KB

MD5
718455b384af2a8caa79eca4c64b7d78

SHA1
84993e856abe4c3c90a61f95f02252dfbe94b356

SHA256
1e418b3dae341f3196b5c3c23cb11eb071dbb82c77ebef9badfd74e3ddea1aac

SHA512
46f51aa5f2fa32f597bbc6e6d375d8d0b9baa2fae2ec68a76fdba63e0d831a514658aa26c137657b8ad1ec653b1f4f5c728b3a61a40f0ba3e0b67a381d02537f

Download Submit
C:\Users\Admin\Pictures\ar3h4L4Q6qoSP0elzT7g4sNt.exe

Filesize
2.8MB

MD5
d41fd1ea6e0ca0032be2174317f60fd8

SHA1
60f001b9d201259aa333e9b202e4ab5648d16bf3

SHA256
3c56d175e67df7e1664bbedd95abee57cf93a7aceaf80374ede4ce1fc4a30990

SHA512
a4ce799f1ce9157d053dcb1694dcb127d98e994eb55cecb484ace1c192cf80a1fbfb7b8de94851a49e915cafebc568f70ce07b912e5901387ed90639c692c16e

Download Submit
C:\Users\Admin\Pictures\cXaVrhea89Nwzaore93fMHDx.exe

Filesize
4.1MB

MD5
f6156b63d313f7247432a693de39daef

SHA1
bff890bf23551db49d04af57779630bea35356a9

SHA256
f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620

SHA512
54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759

Download Submit
C:\Users\Admin\Pictures\hnL1uSF4MuZYq1UltpwFwIXV.exe

Filesize
384KB

MD5
f969256486cae8c6c357924481ec86ee

SHA1
95f91c8a6539700b4dd6077ba3a778c13bc72d4d

SHA256
d719fb243a6d2ad33a76aa78ee66f4763a36c78a2373a01de223fb5c27b722da

SHA512
106959ab072744ae5ce79cbc627040dbd32bb416407ca7d1f848ae49dbb609f900c0f34696fc5e30c5418d889b5c07b35d5a0f9b4f1be1e662621ba2c4491e16

Download Submit
C:\Users\Admin\Pictures\uJ0PiYgSu3ck1xBBYSPuS5nn.exe

Filesize
4.1MB

MD5
0ed8d071deae90ff638cb070d0b9559d

SHA1
9b39b4703ccd78d9ca56bbf2f4c168d71a7bcfda

SHA256
691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99

SHA512
960a5a4e2b4f82bb7273cbab8bf622933c6e603cdc44b59b409c285b62c3a2c741bca7692ed77864520aa95c85a2f3fc31ddc9383caada588828d953346c2729

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
2226d81b37d7af194883a2a276c2f1a8

SHA1
c78ad44e33d1ae393572aa6a767b38fd0ba0e7ec

SHA256
2fa0364e67e01a9902038d49735cf335104814ebee320838e774265bdfd0042b

SHA512
2ed6d663c314d92e844fd8aa98d1de45ff5b834bc95cf0fa325fb6535e4b011d6cfaf4fb95e434c3ce30fdde6353061c3dfc220945fd73363da36193715e7595

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
944603c8f0b7846dec2196037da9ea32

SHA1
617166b2a03c89c4bc3346d9908dcc57853abf9f

SHA256
f63db08819df5752a7cde697e50724d9112aa3168f92bc78e7f44c6fc079394b

SHA512
b763ebf59b8481673341b6583eeb0873f376399a002271babc92d501868c67d3e1f974706578dffb660b5dfef213572e4839123cb7ae13b1b700a0b906dfd8d2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
e3229e518dd04354fcef39226f8a49e9

SHA1
3006656fd2173135c5e9d5ce2f6ca68f3ad4ab16

SHA256
5fce0fb5c22fef36921de5a5fa81dd97843a4d96ee5567a7635a0065afbe589d

SHA512
f47a4f00c0e96c44463a02d3ae8379aa1a5e077e78455426eefc500277cc62a087e2737a867b0843a28f9b97f934c91a1bbbd39d38fe14a501026463f3f2f71a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
f186b509cc40929b93bb2c04bbc2829f

SHA1
7ec0887e18c0c19993691cf161d475ef15b1b837

SHA256
c9e774ffaa51cb64c5963d48f520b0c8327c81405457b52c4c18b3289f51433e

SHA512
bcf4131ad628fc3eba799a5d85086ac7a16b27281da1652c6d1b9822f9d69372473c64d1393a411e0ee4d34c68d84860652b6836cc1579a8cde259cac15bc9fa

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
47672419cff4afa61302bd1cc84e371d

SHA1
424a4d1099888c7be5d65e24c1e09fa514bc5323

SHA256
9a6de336a04779ee3ac05c5d665666f9ef5ea1d3a2ac4003d611d2ba6b93fd53

SHA512
965e913d44ab06d3505f60e2258e3b69e3422ac74e7eeb267830030ef4c0ff2c0267ab6066209a129c2a2e4b012863bbd988531acc796779fdc315385f3bd130

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
1089217a51907db25dceb30fd7080137

SHA1
ffd74b49827c12b1df213d22213347945c55eae1

SHA256
520835a6e27069bd167132cfcac732952fbd289cbeac8cacc5ecbb2394e3df12

SHA512
6e95a809ac4979188a8351bb300dead56547f776026bad0f0c9eed1fcd361e3fefa259bb5d1cf225fe34bc10cd40d4cd179ebf89e561b49d33dbf55bcfdffcb1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
84cee782969482fa4d2d7cf7168133e2

SHA1
e42131f9e0580ae40f0c43993973f8c1beff0937

SHA256
d55f3e89d00f5bcba8e1a4582053820d332557de2cdd32eac51b3ce77957f03d

SHA512
321778529427a89664d8d8e7f2070ed24fd129bdbff49e47b6e2641277982eff528d895e9dcdb280833c4cccab2870f7108ab3451210c9e5c321db3f39b62ba5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
3797c2f7905dc4d9bb61098b2bba0460

SHA1
2723057ffab668c5c553964780b072d1e1bd33d4

SHA256
8ac02a679bf816244e35ca5ecc8aa8211459dcdb468106113d7a03bfa50c2fd1

SHA512
75412bc71f3263909085ada14c942c06c021702f79a0d32d3e9b39152072cd48270fc95c04f764754719739a89ae1869efa87f9096726b4baecc480c89933b0d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
6b958895eec04c259b6950ae1e0b9618

SHA1
b0a46cde43d6f8cef25ed538b9c29cdd0caf7169

SHA256
8115a7c29327f577b653a4fade9c8ec97df5b7fd6932d3813f710678e7f36304

SHA512
7261beaefb6a59d7d462257726e7eeda2e6561b889f2fdc7f51536fd971500115d946e284bcb73f30c73580914f2c98f73717951179bc79c4596d7d9f1fc91c6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
98663c81e8b4a6d4107124d5ee26f6a0

SHA1
d41ddd0eb4cf001d484777837e13a58079bb0c06

SHA256
8b3e9d90f816073a904ea9978ec4773bab54b3e4ccc190b8ce2443b8d83b46ab

SHA512
108e7c5ce5b484abf966b2956ec869841375ab8b7e3b7b3fc623278a76d6b9f828ed53475ddbaa8a883a7b1fbbce3c43685dfed2898951e33ee6ca5fadda2043

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
15394f64c4076905b7e688e3a4b6bc3e

SHA1
b99e760613ac9eeef271c7b29e6a87e0607cd638

SHA256
d22e6c7f8eb646bb3fb2081c142d062b156791ad6b91b20495a19e10e5fb4ee0

SHA512
d319f0893d4b72eb77de72c55a991c2d5e4717036d20a63c331d0b47e4e396403301e3de807b4d7cfb55bcfac20de375092f02ff729e65facae5c08b59ca8f7e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
ab8c442e3d9c4a02944a61e7b8d7af33

SHA1
ed5c974b8696bf5d5a192c9d8db131b18a1fc278

SHA256
0a1fc91365f40510ba8237fbac1eb42c4ef376fc750593c67728c4467b7471c4

SHA512
406c24caf5e1173fbcde484382b282d29add5f6062ee4717a343faadbf6002d261d93a4b7aaa0d00e3bb441c65d2696f7e77bc39793312caaa0a6bda5fd2cea1

Download Submit
C:\Windows\windefender.exe

Filesize
448KB

MD5
eac3c94e166a4ac3e7d3dbf26d505ebb

SHA1
c231e723ad6077f9b6bd12c5e7bd3fd208f7fa45

SHA256
662eb9030b85d481e53772eb13a1b747a62bc68a862e0e4ba90f4e6acb3fe124

SHA512
b5b0f2d3205ebf43593ae73318cc078b5eafed92be6c8d113cf0e7dbef9f84da759301393b9528ac7f11b2f82dd8a190ad5c2b9066c84afbc1c9fb775fcff1a0

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/212-350-0x0000000009AC0000-0x0000000009B54000-memory.dmp

Filesize
592KB

Download
memory/212-328-0x0000000009840000-0x000000000985E000-memory.dmp

Filesize
120KB

Download
memory/212-155-0x0000000000C20000-0x0000000000C56000-memory.dmp

Filesize
216KB

Download
memory/212-162-0x0000000007620000-0x0000000007970000-memory.dmp

Filesize
3.3MB

Download
memory/212-163-0x0000000006EC0000-0x0000000006EDC000-memory.dmp

Filesize
112KB

Download
memory/212-164-0x0000000007E30000-0x0000000007E7B000-memory.dmp

Filesize
300KB

Download
memory/212-203-0x0000000008970000-0x00000000089AC000-memory.dmp

Filesize
240KB

Download
memory/212-234-0x0000000008A30000-0x0000000008AA6000-memory.dmp

Filesize
472KB

Download
memory/212-333-0x00000000098A0000-0x0000000009945000-memory.dmp

Filesize
660KB

Download
memory/212-323-0x0000000009860000-0x0000000009893000-memory.dmp

Filesize
204KB

Download
memory/212-324-0x000000006EF70000-0x000000006EFBB000-memory.dmp

Filesize
300KB

Download
memory/212-327-0x000000006EFC0000-0x000000006F310000-memory.dmp

Filesize
3.3MB

Download
memory/212-935-0x0000000009A00000-0x0000000009A08000-memory.dmp

Filesize
32KB

Download
memory/380-13-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

Filesize
9.9MB

Download
memory/380-16-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

Filesize
9.9MB

Download
memory/380-10-0x00000276643D0000-0x00000276643F2000-memory.dmp

Filesize
136KB

Download
memory/380-11-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

Filesize
9.9MB

Download
memory/380-15-0x000002767CA40000-0x000002767CAB6000-memory.dmp

Filesize
472KB

Download
memory/380-55-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

Filesize
9.9MB

Download
memory/788-17-0x0000000073CBE000-0x0000000073CBF000-memory.dmp

Filesize
4KB

Download
memory/788-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/788-127-0x0000000073CBE000-0x0000000073CBF000-memory.dmp

Filesize
4KB

Download
memory/1604-1374-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/1604-1729-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/1604-1345-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1816-2303-0x000000006EB40000-0x000000006EE90000-memory.dmp

Filesize
3.3MB

Download
memory/1816-2250-0x000000006EFD0000-0x000000006F01B000-memory.dmp

Filesize
300KB

Download
memory/1840-5015-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1856-1290-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/1896-130-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/1896-141-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/2064-1293-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/2204-3584-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/2204-4282-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/2240-3830-0x000000006F190000-0x000000006F4E0000-memory.dmp

Filesize
3.3MB

Download
memory/2240-3829-0x000000006FB00000-0x000000006FB4B000-memory.dmp

Filesize
300KB

Download
memory/2424-1296-0x0000000000400000-0x0000000002AF2000-memory.dmp

Filesize
38.9MB

Download
memory/2592-3342-0x000000006EB40000-0x000000006EE90000-memory.dmp

Filesize
3.3MB

Download
memory/2592-3341-0x000000006EFD0000-0x000000006F01B000-memory.dmp

Filesize
300KB

Download
memory/2868-116-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/2868-125-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/2904-3567-0x00000000087E0000-0x000000000882B000-memory.dmp

Filesize
300KB

Download
memory/2904-3565-0x0000000007E60000-0x00000000081B0000-memory.dmp

Filesize
3.3MB

Download
memory/2904-3590-0x000000006F190000-0x000000006F4E0000-memory.dmp

Filesize
3.3MB

Download
memory/2904-3589-0x000000006FB00000-0x000000006FB4B000-memory.dmp

Filesize
300KB

Download
memory/2904-3595-0x0000000009840000-0x00000000098E5000-memory.dmp

Filesize
660KB

Download
memory/3060-2628-0x000000006EB40000-0x000000006EE90000-memory.dmp

Filesize
3.3MB

Download
memory/3060-2627-0x000000006EFD0000-0x000000006F01B000-memory.dmp

Filesize
300KB

Download
memory/3368-1-0x00007FFB141D3000-0x00007FFB141D4000-memory.dmp

Filesize
4KB

Download
memory/3368-124-0x00007FFB141D3000-0x00007FFB141D4000-memory.dmp

Filesize
4KB

Download
memory/3368-126-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

Filesize
9.9MB

Download
memory/3368-2-0x0000016149170000-0x000001614917A000-memory.dmp

Filesize
40KB

Download
memory/3368-3-0x0000016149100000-0x000001614915E000-memory.dmp

Filesize
376KB

Download
memory/3368-4-0x00007FFB141D0000-0x00007FFB14BBC000-memory.dmp

Filesize
9.9MB

Download
memory/3368-0-0x000001612EDA0000-0x000001612EDAA000-memory.dmp

Filesize
40KB

Download
memory/3376-1286-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/3788-5016-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/3788-5005-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/3788-5025-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/3788-5021-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/3820-158-0x00000000071B0000-0x0000000007216000-memory.dmp

Filesize
408KB

Download
memory/3820-159-0x0000000007220000-0x0000000007286000-memory.dmp

Filesize
408KB

Download
memory/3820-339-0x000000006EFC0000-0x000000006F310000-memory.dmp

Filesize
3.3MB

Download
memory/3820-338-0x000000006EF70000-0x000000006EFBB000-memory.dmp

Filesize
300KB

Download
memory/3820-156-0x0000000006B80000-0x00000000071A8000-memory.dmp

Filesize
6.2MB

Download
memory/3820-157-0x0000000006980000-0x00000000069A2000-memory.dmp

Filesize
136KB

Download
memory/4104-1309-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4104-1298-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/4180-1810-0x000000006EFD0000-0x000000006F01B000-memory.dmp

Filesize
300KB

Download
memory/4180-1811-0x000000006EB40000-0x000000006EE90000-memory.dmp

Filesize
3.3MB

Download
memory/4300-344-0x000000006EF70000-0x000000006EFBB000-memory.dmp

Filesize
300KB

Download
memory/4300-345-0x000000006EFC0000-0x000000006F310000-memory.dmp

Filesize
3.3MB

Download
memory/4300-910-0x0000000009E90000-0x0000000009EAA000-memory.dmp

Filesize
104KB

Download
memory/4872-1282-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5080-5028-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/5616-1449-0x0000000009980000-0x0000000009A25000-memory.dmp

Filesize
660KB

Download
memory/5616-1443-0x000000006EFD0000-0x000000006F01B000-memory.dmp

Filesize
300KB

Download
memory/5616-1405-0x0000000008980000-0x00000000089CB000-memory.dmp

Filesize
300KB

Download
memory/5616-1393-0x0000000007F90000-0x00000000082E0000-memory.dmp

Filesize
3.3MB

Download
memory/5616-1444-0x000000006EB40000-0x000000006EE90000-memory.dmp

Filesize
3.3MB

Download
memory/5628-4313-0x00000000094B0000-0x0000000009555000-memory.dmp

Filesize
660KB

Download
memory/5628-4288-0x0000000008440000-0x000000000848B000-memory.dmp

Filesize
300KB

Download
memory/5628-4308-0x000000006F190000-0x000000006F4E0000-memory.dmp

Filesize
3.3MB

Download
memory/5628-4307-0x000000006FA20000-0x000000006FA6B000-memory.dmp

Filesize
300KB

Download
memory/5640-1507-0x000000006EB40000-0x000000006EE90000-memory.dmp

Filesize
3.3MB

Download
memory/5640-1470-0x000000006EFD0000-0x000000006F01B000-memory.dmp

Filesize
300KB

Download
memory/5768-3183-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5788-2803-0x000000006EB40000-0x000000006EE90000-memory.dmp

Filesize
3.3MB

Download
memory/5788-2776-0x000000006EFD0000-0x000000006F01B000-memory.dmp

Filesize
300KB

Download
memory/5812-4068-0x000000006FB00000-0x000000006FB4B000-memory.dmp

Filesize
300KB

Download
memory/5812-3201-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5812-4069-0x000000006F190000-0x000000006F4E0000-memory.dmp

Filesize
3.3MB

Download
memory/5812-3352-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5848-3202-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5848-3564-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/5880-2161-0x0000000009CE0000-0x0000000009D85000-memory.dmp

Filesize
660KB

Download
memory/5880-2156-0x000000006EB40000-0x000000006EE90000-memory.dmp

Filesize
3.3MB

Download
memory/5880-2155-0x000000006EFD0000-0x000000006F01B000-memory.dmp

Filesize
300KB

Download
memory/5896-1063-0x000000006EFC0000-0x000000006F310000-memory.dmp

Filesize
3.3MB

Download
memory/5896-1062-0x000000006EF70000-0x000000006EFBB000-memory.dmp

Filesize
300KB

Download
memory/5916-3066-0x000000006EFD0000-0x000000006F01B000-memory.dmp

Filesize
300KB

Download
memory/5916-3089-0x000000006EB40000-0x000000006EE90000-memory.dmp

Filesize
3.3MB

Download
memory/6140-1337-0x000001EA5CA50000-0x000001EA5CA6E000-memory.dmp

Filesize
120KB

Download
memory/6140-1336-0x000001EA5C9A0000-0x000001EA5C9AC000-memory.dmp

Filesize
48KB

Download
memory/6140-1333-0x000001EA5CF60000-0x000001EA5D486000-memory.dmp

Filesize
5.1MB

Download
memory/6140-1330-0x000001EA5C990000-0x000001EA5C99A000-memory.dmp

Filesize
40KB

Download
memory/6140-1331-0x000001EA5C9B0000-0x000001EA5CA12000-memory.dmp

Filesize
392KB

Download
memory/6140-1332-0x000001EA5CA10000-0x000001EA5CA32000-memory.dmp

Filesize
136KB

Download
memory/6140-1328-0x000001EA5C690000-0x000001EA5C6C8000-memory.dmp

Filesize
224KB

Download
memory/6140-1329-0x000001EA5C060000-0x000001EA5C068000-memory.dmp

Filesize
32KB

Download
memory/6140-1327-0x000001EA5C000000-0x000001EA5C008000-memory.dmp

Filesize
32KB

Download
memory/6140-1325-0x000001EA57EB0000-0x000001EA581B0000-memory.dmp

Filesize
3.0MB

Download
memory/6140-1321-0x000001EA3D670000-0x000001EA3D67A000-memory.dmp

Filesize
40KB

Download
memory/6140-1317-0x000001EA3D660000-0x000001EA3D66A000-memory.dmp

Filesize
40KB

Download
memory/6140-1320-0x000001EA57E30000-0x000001EA57E80000-memory.dmp

Filesize
320KB

Download
memory/6140-1318-0x000001EA57CF0000-0x000001EA57D1A000-memory.dmp

Filesize
168KB

Download
memory/6140-1319-0x000001EA57D30000-0x000001EA57DE2000-memory.dmp

Filesize
712KB

Download
memory/6140-1312-0x000001EA3EF40000-0x000001EA3EF50000-memory.dmp

Filesize
64KB

Download
memory/6140-1315-0x000001EA57880000-0x000001EA578A4000-memory.dmp

Filesize
144KB

Download
memory/6140-1314-0x000001EA3EF50000-0x000001EA3EF64000-memory.dmp

Filesize
80KB

Download
memory/6140-1313-0x000001EA3EF60000-0x000001EA3EF6C000-memory.dmp

Filesize
48KB

Download
memory/6140-1311-0x000001EA579B0000-0x000001EA57ABA000-memory.dmp

Filesize
1.0MB

Download
memory/6140-1310-0x000001EA399C0000-0x000001EA3D1F4000-memory.dmp

Filesize
56.2MB

Download