glupteba | ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620

Analysis

max time kernel
98s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-05-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe
Size

521KB
MD5

6fbe36ef1d6599968f107c7b6eb19225
SHA1

8761289110102b0a661ffbe28ed7f0a730311c5e
SHA256

ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620
SHA512

cff59fcc496248772906e1c6a1cd5bfe7ece2103b52ed05fd2426fc5e1f5afd184821ee35a8d55f8ab32ddc24781fd733987d0a05f54df89a9478ac93d344428
SSDEEP

6144:39y51HwqQwU0PbQpf1oFdHr34eXHZCTUPEn0IlHgv59OxsDXqYe8RBCu97x+ucSR:3E51HwgRdLoeXMHnfHgzOi6kR5x+9aUI

Score

10^/10

glupteba stealc zgrat dropper evasion execution loader rat stealer trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/3312-1292-0x0000024F863A0000-0x0000024F89BD4000-memory.dmp	family_zgrat_v1
behavioral2/memory/3312-1293-0x0000024FA43C0000-0x0000024FA44CA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3312-1297-0x0000024FA4150000-0x0000024FA4174000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 29 IoCs

resource	yara_rule
behavioral2/memory/2652-990-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/3480-994-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/4660-1050-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/4892-1053-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/4660-1130-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/4892-1277-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/780-1571-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/424-1570-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/424-2824-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/780-2835-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/1772-4038-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/380-4262-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-4977-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-4986-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-4989-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-4991-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-4993-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-4995-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-4997-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-4999-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-5001-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-5003-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-5005-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-5007-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-5009-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-5011-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-5013-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-5015-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba
behavioral2/memory/376-5017-0x0000000000400000-0x0000000002ED5000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4004	powershell.exe
5064	powershell.exe
4136	powershell.exe
2280	powershell.exe
1556	powershell.exe
1068	powershell.exe
1068	powershell.exe
4784	powershell.exe
4172	powershell.exe
4476	powershell.exe
1956	powershell.exe
4888	powershell.exe
4176	powershell.exe
4232	powershell.exe
4432	powershell.exe
1796	powershell.exe
2880	powershell.exe
2280	powershell.exe
4440	powershell.exe
1360	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4592	netsh.exe
2656	netsh.exe
4980	netsh.exe
4444	netsh.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BTZzjejVSYFLjFlguEndacFH.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vioY0r0LwVCmr1jpKnOZ3ys8.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5r6QHrJY2jISXnkzKeRGfP2B.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qJj5pyuAAvWH7ImufpZiwVAo.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oYXr4nJKGKPXw1kVZ42SJMuX.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eWgNfp0NHtcFEfYPzh5bi49R.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZF9EZgANxKpRZNgxHWM41hek.bat	regsvcs.exe

Executes dropped EXE 11 IoCs

pid	Process
4980	ZYDZtu3gQUbGwdsgcmrByAgd.exe
3480	KpjSnJDyhqUOd3yIgjkERJoy.exe
2652	y1i7Y7fiK4OBNQAAKFbWeovX.exe
4660	cYHqrseGe59jbxafv6rFhOQX.exe
4892	cTZYVZeMqBeVs268JBYxBXTK.exe
596	u3uc.0.exe
696	u3uc.1.exe
424	y1i7Y7fiK4OBNQAAKFbWeovX.exe
780	KpjSnJDyhqUOd3yIgjkERJoy.exe
1772	cYHqrseGe59jbxafv6rFhOQX.exe
380	cTZYVZeMqBeVs268JBYxBXTK.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000001ac25-4980.dat	upx
behavioral2/memory/4396-4985-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4308-4992-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/4308-4998-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 824 set thread context of 4924	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	75

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4752	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3uc.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3uc.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u3uc.1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1280	schtasks.exe
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1360	powershell.exe
1360	powershell.exe
1360	powershell.exe
2280	powershell.exe
2280	powershell.exe
4232	powershell.exe
4232	powershell.exe
4232	powershell.exe
2280	powershell.exe
4232	powershell.exe
2280	powershell.exe
4432	powershell.exe
4432	powershell.exe
4432	powershell.exe
4432	powershell.exe
2652	y1i7Y7fiK4OBNQAAKFbWeovX.exe
3480	KpjSnJDyhqUOd3yIgjkERJoy.exe
2652	y1i7Y7fiK4OBNQAAKFbWeovX.exe
3480	KpjSnJDyhqUOd3yIgjkERJoy.exe
4136	powershell.exe
4136	powershell.exe
4136	powershell.exe
4136	powershell.exe
4660	cYHqrseGe59jbxafv6rFhOQX.exe
4660	cYHqrseGe59jbxafv6rFhOQX.exe
4892	cTZYVZeMqBeVs268JBYxBXTK.exe
4892	cTZYVZeMqBeVs268JBYxBXTK.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	4924	regsvcs.exe
Token: SeIncreaseQuotaPrivilege	1360	powershell.exe
Token: SeSecurityPrivilege	1360	powershell.exe
Token: SeTakeOwnershipPrivilege	1360	powershell.exe
Token: SeLoadDriverPrivilege	1360	powershell.exe
Token: SeSystemProfilePrivilege	1360	powershell.exe
Token: SeSystemtimePrivilege	1360	powershell.exe
Token: SeProfSingleProcessPrivilege	1360	powershell.exe
Token: SeIncBasePriorityPrivilege	1360	powershell.exe
Token: SeCreatePagefilePrivilege	1360	powershell.exe
Token: SeBackupPrivilege	1360	powershell.exe
Token: SeRestorePrivilege	1360	powershell.exe
Token: SeShutdownPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeSystemEnvironmentPrivilege	1360	powershell.exe
Token: SeRemoteShutdownPrivilege	1360	powershell.exe
Token: SeUndockPrivilege	1360	powershell.exe
Token: SeManageVolumePrivilege	1360	powershell.exe
Token: 33	1360	powershell.exe
Token: 34	1360	powershell.exe
Token: 35	1360	powershell.exe
Token: 36	1360	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	2652	y1i7Y7fiK4OBNQAAKFbWeovX.exe
Token: SeImpersonatePrivilege	2652	y1i7Y7fiK4OBNQAAKFbWeovX.exe
Token: SeDebugPrivilege	3480	KpjSnJDyhqUOd3yIgjkERJoy.exe
Token: SeImpersonatePrivilege	3480	KpjSnJDyhqUOd3yIgjkERJoy.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4660	cYHqrseGe59jbxafv6rFhOQX.exe
Token: SeImpersonatePrivilege	4660	cYHqrseGe59jbxafv6rFhOQX.exe
Token: SeDebugPrivilege	4892	cTZYVZeMqBeVs268JBYxBXTK.exe
Token: SeImpersonatePrivilege	4892	cTZYVZeMqBeVs268JBYxBXTK.exe
Token: SeDebugPrivilege	3312	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
696	u3uc.1.exe
696	u3uc.1.exe
696	u3uc.1.exe
696	u3uc.1.exe
696	u3uc.1.exe
696	u3uc.1.exe
696	u3uc.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
696	u3uc.1.exe
696	u3uc.1.exe
696	u3uc.1.exe
696	u3uc.1.exe
696	u3uc.1.exe
696	u3uc.1.exe
696	u3uc.1.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1360	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	73
PID 824 wrote to memory of 1360	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	73
PID 824 wrote to memory of 4924	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	75
PID 824 wrote to memory of 4924	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	75
PID 824 wrote to memory of 4924	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	75
PID 824 wrote to memory of 4924	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	75
PID 824 wrote to memory of 4924	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	75
PID 824 wrote to memory of 4924	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	75
PID 824 wrote to memory of 4924	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	75
PID 824 wrote to memory of 4924	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	75
PID 824 wrote to memory of 4380	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	76
PID 824 wrote to memory of 4380	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	76
PID 824 wrote to memory of 4380	824	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe	76
PID 4924 wrote to memory of 4980	4924	regsvcs.exe	80
PID 4924 wrote to memory of 4980	4924	regsvcs.exe	80
PID 4924 wrote to memory of 4980	4924	regsvcs.exe	80
PID 4924 wrote to memory of 3480	4924	regsvcs.exe	81
PID 4924 wrote to memory of 3480	4924	regsvcs.exe	81
PID 4924 wrote to memory of 3480	4924	regsvcs.exe	81
PID 4924 wrote to memory of 2652	4924	regsvcs.exe	82
PID 4924 wrote to memory of 2652	4924	regsvcs.exe	82
PID 4924 wrote to memory of 2652	4924	regsvcs.exe	82
PID 4924 wrote to memory of 4660	4924	regsvcs.exe	83
PID 4924 wrote to memory of 4660	4924	regsvcs.exe	83
PID 4924 wrote to memory of 4660	4924	regsvcs.exe	83
PID 4924 wrote to memory of 4892	4924	regsvcs.exe	84
PID 4924 wrote to memory of 4892	4924	regsvcs.exe	84
PID 4924 wrote to memory of 4892	4924	regsvcs.exe	84
PID 4980 wrote to memory of 596	4980	ZYDZtu3gQUbGwdsgcmrByAgd.exe	85
PID 4980 wrote to memory of 596	4980	ZYDZtu3gQUbGwdsgcmrByAgd.exe	85
PID 4980 wrote to memory of 596	4980	ZYDZtu3gQUbGwdsgcmrByAgd.exe	85
PID 3480 wrote to memory of 4232	3480	KpjSnJDyhqUOd3yIgjkERJoy.exe	88
PID 3480 wrote to memory of 4232	3480	KpjSnJDyhqUOd3yIgjkERJoy.exe	88
PID 3480 wrote to memory of 4232	3480	KpjSnJDyhqUOd3yIgjkERJoy.exe	88
PID 2652 wrote to memory of 2280	2652	y1i7Y7fiK4OBNQAAKFbWeovX.exe	89
PID 2652 wrote to memory of 2280	2652	y1i7Y7fiK4OBNQAAKFbWeovX.exe	89
PID 2652 wrote to memory of 2280	2652	y1i7Y7fiK4OBNQAAKFbWeovX.exe	89
PID 4980 wrote to memory of 696	4980	ZYDZtu3gQUbGwdsgcmrByAgd.exe	92
PID 4980 wrote to memory of 696	4980	ZYDZtu3gQUbGwdsgcmrByAgd.exe	92
PID 4980 wrote to memory of 696	4980	ZYDZtu3gQUbGwdsgcmrByAgd.exe	92
PID 4660 wrote to memory of 4432	4660	cYHqrseGe59jbxafv6rFhOQX.exe	94
PID 4660 wrote to memory of 4432	4660	cYHqrseGe59jbxafv6rFhOQX.exe	94
PID 4660 wrote to memory of 4432	4660	cYHqrseGe59jbxafv6rFhOQX.exe	94
PID 4892 wrote to memory of 4136	4892	cTZYVZeMqBeVs268JBYxBXTK.exe	100
PID 4892 wrote to memory of 4136	4892	cTZYVZeMqBeVs268JBYxBXTK.exe	100
PID 4892 wrote to memory of 4136	4892	cTZYVZeMqBeVs268JBYxBXTK.exe	100
PID 696 wrote to memory of 3312	696	u3uc.1.exe	104
PID 696 wrote to memory of 3312	696	u3uc.1.exe	104

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe
"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\Pictures\ZYDZtu3gQUbGwdsgcmrByAgd.exe
    "C:\Users\Admin\Pictures\ZYDZtu3gQUbGwdsgcmrByAgd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\u3uc.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u3uc.0.exe"
      4⤵
      Executes dropped EXE
      PID:596
  - - C:\Users\Admin\AppData\Local\Temp\u3uc.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u3uc.1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:696
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
- - C:\Users\Admin\Pictures\KpjSnJDyhqUOd3yIgjkERJoy.exe
    "C:\Users\Admin\Pictures\KpjSnJDyhqUOd3yIgjkERJoy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4232
  - - C:\Users\Admin\Pictures\KpjSnJDyhqUOd3yIgjkERJoy.exe
      "C:\Users\Admin\Pictures\KpjSnJDyhqUOd3yIgjkERJoy.exe"
      4⤵
      Executes dropped EXE
      PID:780
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1556
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:3484
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4444
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1796
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1956
- - C:\Users\Admin\Pictures\y1i7Y7fiK4OBNQAAKFbWeovX.exe
    "C:\Users\Admin\Pictures\y1i7Y7fiK4OBNQAAKFbWeovX.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2280
  - - C:\Users\Admin\Pictures\y1i7Y7fiK4OBNQAAKFbWeovX.exe
      "C:\Users\Admin\Pictures\y1i7Y7fiK4OBNQAAKFbWeovX.exe"
      4⤵
      Executes dropped EXE
      PID:424
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2280
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:368
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4980
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2880
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4888
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:376
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4172
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1280
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:4168
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5064
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4476
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:3920
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2736
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:4752
- - C:\Users\Admin\Pictures\cYHqrseGe59jbxafv6rFhOQX.exe
    "C:\Users\Admin\Pictures\cYHqrseGe59jbxafv6rFhOQX.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4432
  - - C:\Users\Admin\Pictures\cYHqrseGe59jbxafv6rFhOQX.exe
      "C:\Users\Admin\Pictures\cYHqrseGe59jbxafv6rFhOQX.exe"
      4⤵
      Executes dropped EXE
      PID:1772
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1068
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4988
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4592
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4440
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4784
- - C:\Users\Admin\Pictures\cTZYVZeMqBeVs268JBYxBXTK.exe
    "C:\Users\Admin\Pictures\cTZYVZeMqBeVs268JBYxBXTK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4136
  - - C:\Users\Admin\Pictures\cTZYVZeMqBeVs268JBYxBXTK.exe
      "C:\Users\Admin\Pictures\cTZYVZeMqBeVs268JBYxBXTK.exe"
      4⤵
      Executes dropped EXE
      PID:380
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4176
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2052
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2656
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1068
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:4380

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
18e67bc8a38dc30e0b7cb62445c08b08

SHA1
9a78e4f1d28cc97dc7320d4e6269e6e5243f2673

SHA256
bc5b5c2837298501a3a13d7215f0214b1086abd6a1ae1cf9af770911afb54527

SHA512
f6fa5434ef3deeb3d8df9550eec46eab07bd84bc59201631e8b7220769f2b1e7423eccceb159761bd980686c91401ac4dc564a325a3a2c2a01570cf5f8b17f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
91e7bfe5f509eb2db780d8a9375bb9e0

SHA1
61a41aead1ab8d975e98e5c3cb81474f10cbd359

SHA256
64746984e23726d4bb186902c4d6bd63cd041c031987686a6c152041cd8c7b6a

SHA512
9c7138cee98e942f800f367b682def82c808f2baf7c45e9b4ef0cc3b6ee6161fda8e0796e133cf05b0cacca075bb309c9d3c32a0c15cbd6e142f34420083e7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_30qvxo0k.u4m.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
d5e65e9048a6d23827db90c3b701afbe

SHA1
f82a0740bb1bbed5a45cef5d4c0f4d796a08b8c8

SHA256
caeab2ca6011cca46c598edcb12bf0180d6dfe2c777d77d24339a119d2133804

SHA512
50656fc980d7cf9345db9fc21f510270bda2e8436ef49a897a578f85fb9b8e136c3a1d1a318b5ca24ffdabe71776bc8b26077181f384f68231194c418d3a1935

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3uc.0.exe

Filesize
206KB

MD5
0917be53327ea132956255dcab650a82

SHA1
b60818917f645a8a9af3b530e3ae37c1f002be2f

SHA256
211c34660898480e0777c6ef6f61bf2111f6550e00b40cab859543d567dc455a

SHA512
a72acc24ba813d983bbf2ecab7929d0aab4e25637ae43e85b973a5105429bd15c061415fd855737620caaf81b456b2d6ba57f85566245efbe5f8b5db5560932a

Download Submit
C:\Users\Admin\AppData\Local\Temp\u3uc.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Pictures\AFIssEDOFCMcrrTFzClYQzSw.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\KpjSnJDyhqUOd3yIgjkERJoy.exe

Filesize
4.1MB

MD5
f6156b63d313f7247432a693de39daef

SHA1
bff890bf23551db49d04af57779630bea35356a9

SHA256
f148a51481ad34b81dbdc1c27873ca0e4d56c83729dcf8ed891f4443f5492620

SHA512
54c61e755d5661da14ebfef93b9fa61d02f59fb43edc1310cf21c0780479bc54be973836286f0d5104a946e9d511e94162d38e2a5471f0f386b7b7e396e7f759

Download Submit
C:\Users\Admin\Pictures\ZYDZtu3gQUbGwdsgcmrByAgd.exe

Filesize
384KB

MD5
a09d068dbe8e20e489d1d16a67fa9c92

SHA1
1ab47f34b06ce91e99ed260563ff431b776df525

SHA256
3a6571ca197b5ee4a0bf6d2cf32e4f35c133ce313253c9ed2b07977c22518842

SHA512
ea4a0b72c3dbdee23413216a3740826ff19db61a14724541d7046c1ae590392a235c58763524f7c490bd9d34f112f511c86669cd019c6b4dcd48ef47157892c5

Download Submit
C:\Users\Admin\Pictures\qftnM5SXoR6N3yV2eC7AAUNU.exe

Filesize
18KB

MD5
949f191270e024e75823b32174f15754

SHA1
e2685aee44aaee2bc87888ee7c86d77bba313eae

SHA256
c3356a89f9d9962232df6a5d6dbfb42a9e2b2578b2a8d89c20b61c4c2e72c71c

SHA512
d3eea70b18938ab93b4d659a0dcb793ab1f440614763b005c9e3f9bf36e4ad49c87cd9d436d2821c34c194a6ec384c57351be4bf9164caaf269046d29c01a55a

Download Submit
C:\Users\Admin\Pictures\y1i7Y7fiK4OBNQAAKFbWeovX.exe

Filesize
4.1MB

MD5
0ed8d071deae90ff638cb070d0b9559d

SHA1
9b39b4703ccd78d9ca56bbf2f4c168d71a7bcfda

SHA256
691bddda01382e95f74905b1fc77da9acbb73383734ca3116075be2c7d62cf99

SHA512
960a5a4e2b4f82bb7273cbab8bf622933c6e603cdc44b59b409c285b62c3a2c741bca7692ed77864520aa95c85a2f3fc31ddc9383caada588828d953346c2729

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
d9cb3fc6e2a8dfc9dcf409605fd1c79c

SHA1
bb405965febc104ff27aaa785a880dba368881af

SHA256
39c3dea289b3dee615ad0b4a427aeb915ad6907b81ed847c4f6df39af1e8e82b

SHA512
39a987192714249be2e58b99d64743550ef1c088a4db6ad0f9a2c9f8f501f25f3f262c34cea733db1fddcdf0e9d54d07132d848d6449467529b17417da3acbed

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
06983952a0e64010728b8fef3ac59922

SHA1
098613d614fddc09db0efdad8549bb279c17b9c9

SHA256
0cf6f0f5aa116d35a7f0982f1164033543fa755cee0347e26465a7575a9b24fe

SHA512
85514d241350b57ff0e962787a90592cf4cedd8b7848203a1aecdce987abf89014d82616bee80262a17e1e380d481e158b623d9d1aed300e11a1b430f4b8a654

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
f9104f88526184de281eec92d05f4176

SHA1
37b14396a86acbdee60a4e5dbea09728016747de

SHA256
48e1590cc6f6c9fd87f34618d53e7edb2a521fb632759c9c00c6fb4359abe119

SHA512
2c45988aa8910e3819eb305ebd7a6cce0077b127d55425d7ce2361fde12d74a13f6220d298f8f114a0ec0dae0a5ec798d31db2a4753227fbcd3b6f7cd8d495db

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
45697aa71ca02a0511bb883aa9800c6d

SHA1
a295d0dc2c143d333cca73250d2ce3311bbd6970

SHA256
85515991017f3bd38544fb2d10d953f2fe6706f3c07a852e7c78ef393d663df3

SHA512
65de12ec4c9cf91b0882821799afd41c408c0b1f9f0063136f5a24fd3c9fc9925ddc8024b5ad18c343ba7c4f762bc6b9fff3e24db4b8d1c2d1801ef69cd0d0c1

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
502e480cd5ebaad71439c240230cc3e5

SHA1
be6cfeccf1b34e828657895c7f2aa0bb699f45ce

SHA256
3fba2361a057ba0af2c423097ce87ca023fc5f9f5275ee14367f6a9a142b773f

SHA512
f5c643f7eafeaca51c1a13ff58ef2c23c79d6c426c50e67f211c64a3006a0b2e56364a95f8ddc862997a96559905bfb6f9fc1c4d3278b0fe6e4fd2f8e07a93fb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
756c4c77d3288ad5712530a7171ff4b0

SHA1
7114bc7943fc9e5d9d2d7a6719f2d429d7be378b

SHA256
f81c82358ea21793b200588109f7e2434b7c89cda4eb1c464c6c50a22d7f77dd

SHA512
35c8f6b5a739fe2341432879fff12988f7d65b39a38ce80f4fa7bf63ed82ae9b8dfb450e94e67783921943f073ee7b21854670e586a00d582c0791e26b35ebd9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
a28666bc7415164780f2146a4fe174aa

SHA1
8145589b4ee74874fa03b6f540d2eea54aee118e

SHA256
249c1065d80e92a553c693684363a2cc0aed3e4f9cee145f46c4ba40c51c6d8b

SHA512
51416c9e3753702c14984f95c9365176b9a9af64c9fbcee6fdedab488f7a1ae50c07ee3ba79a7d7839dfd8a663cdfbf80b11364ab347aa07c772f5d08f0fa18c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
5079a8f7240f3233fc01a2f04f3d39fd

SHA1
e2a2e28ba7f9a06122fd508b5191d1c2105e54b4

SHA256
b5b00f3cabf77a224e7e8d42daf8ea1c883163363cba304cd69360be0b014aa8

SHA512
3b2a9908552b7d7026555bf34d8c99ee1092ada380df17f4ca41e9760d18357ffda04a91484001905e04b62e064a0baa40052400d015c81417e13d7a02237e85

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
d99a8d41f7c787ef42a63c14b7603a5a

SHA1
65c6b8044e459e550e072c493eb54b68428d3653

SHA256
4158584cbb1b22506b24f64fc521661d5e3b8b22ed5d8eaf266ef23ead76dd48

SHA512
0dab224afcdec24b60302b1118c3ec417adb5df5da90559a4e77c1db4a0503e6969d691d223ee4428a6f933145a51713ce0c001a6e4494d0234cad717c21a0b3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
277578deb6407230553f94c2dcc964cf

SHA1
3fc728a2a185d303e767d0c59702fac530ee35db

SHA256
5b5453f2892b64806cee4431a5fdd3dd9b2a04675046f142a45394ab8cc787c3

SHA512
b2d1dac69bee783c89b3bb8ba444049c65869d25fa684ef2b3f086884ca99df7379a00aa8bbe40e4d6ddee030bde78127473f88564cb31fc3ad12524177e37c4

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/376-4986-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-4989-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-5001-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-4999-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-4997-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-4995-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-4993-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-5007-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-4991-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-5015-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-5005-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-5009-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-5013-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-4977-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-5011-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-5003-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/376-5017-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/380-4262-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/424-1570-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/424-2824-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/596-1873-0x0000000000400000-0x0000000002AF1000-memory.dmp

Filesize
38.9MB

Download
memory/596-1320-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/696-1291-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/696-1275-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/780-2835-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/780-1571-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/824-111-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp

Filesize
9.9MB

Download
memory/824-3-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp

Filesize
9.9MB

Download
memory/824-2-0x000001C1B7F40000-0x000001C1B7F9E000-memory.dmp

Filesize
376KB

Download
memory/824-1-0x00007FFDC79F3000-0x00007FFDC79F4000-memory.dmp

Filesize
4KB

Download
memory/824-0-0x000001C1B61E0000-0x000001C1B620A000-memory.dmp

Filesize
168KB

Download
memory/824-110-0x00007FFDC79F3000-0x00007FFDC79F4000-memory.dmp

Filesize
4KB

Download
memory/1068-2860-0x000000006EC80000-0x000000006EFD0000-memory.dmp

Filesize
3.3MB

Download
memory/1068-3567-0x000000006F0E0000-0x000000006F12B000-memory.dmp

Filesize
300KB

Download
memory/1068-3568-0x000000006EC80000-0x000000006EFD0000-memory.dmp

Filesize
3.3MB

Download
memory/1068-2838-0x00000000075A0000-0x00000000078F0000-memory.dmp

Filesize
3.3MB

Download
memory/1068-2865-0x0000000008EB0000-0x0000000008F55000-memory.dmp

Filesize
660KB

Download
memory/1068-2859-0x000000006F0E0000-0x000000006F12B000-memory.dmp

Filesize
300KB

Download
memory/1068-2840-0x0000000007E60000-0x0000000007EAB000-memory.dmp

Filesize
300KB

Download
memory/1360-57-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp

Filesize
9.9MB

Download
memory/1360-9-0x00007FFDC79F0000-0x00007FFDC83DC000-memory.dmp

Filesize
9.9MB

Download
memory/1360-12-0x000002A2D7790000-0x000002A2D77A0000-memory.dmp

Filesize
64KB

Download
memory/1360-11-0x000002A2D7790000-0x000002A2D77A0000-memory.dmp

Filesize
64KB

Download
memory/1360-13-0x000002A2D77A0000-0x000002A2D77C2000-memory.dmp

Filesize
136KB

Download
memory/1360-17-0x000002A2D82F0000-0x000002A2D8366000-memory.dmp

Filesize
472KB

Download
memory/1556-1422-0x000000006E7B0000-0x000000006EB00000-memory.dmp

Filesize
3.3MB

Download
memory/1556-1357-0x0000000008240000-0x000000000828B000-memory.dmp

Filesize
300KB

Download
memory/1556-1421-0x000000006EC10000-0x000000006EC5B000-memory.dmp

Filesize
300KB

Download
memory/1772-4038-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/1796-1918-0x000000006E7B0000-0x000000006EB00000-memory.dmp

Filesize
3.3MB

Download
memory/1796-1912-0x000000006EC10000-0x000000006EC5B000-memory.dmp

Filesize
300KB

Download
memory/1956-2352-0x00000000074D0000-0x0000000007820000-memory.dmp

Filesize
3.3MB

Download
memory/1956-2399-0x000000006EE20000-0x000000006F170000-memory.dmp

Filesize
3.3MB

Download
memory/1956-2398-0x000000006EDD0000-0x000000006EE1B000-memory.dmp

Filesize
300KB

Download
memory/2280-1356-0x0000000007C10000-0x0000000007F60000-memory.dmp

Filesize
3.3MB

Download
memory/2280-641-0x000000000A7B0000-0x000000000A7CA000-memory.dmp

Filesize
104KB

Download
memory/2280-259-0x000000006E3E0000-0x000000006E730000-memory.dmp

Filesize
3.3MB

Download
memory/2280-257-0x000000006E390000-0x000000006E3DB000-memory.dmp

Filesize
300KB

Download
memory/2280-1416-0x0000000009530000-0x00000000095D5000-memory.dmp

Filesize
660KB

Download
memory/2280-1411-0x000000006E7B0000-0x000000006EB00000-memory.dmp

Filesize
3.3MB

Download
memory/2280-1410-0x000000006EC10000-0x000000006EC5B000-memory.dmp

Filesize
300KB

Download
memory/2280-138-0x0000000008170000-0x00000000084C0000-memory.dmp

Filesize
3.3MB

Download
memory/2280-128-0x0000000007850000-0x0000000007E78000-memory.dmp

Filesize
6.2MB

Download
memory/2652-990-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/2880-1910-0x000000006EC10000-0x000000006EC5B000-memory.dmp

Filesize
300KB

Download
memory/2880-1917-0x0000000009DA0000-0x0000000009E45000-memory.dmp

Filesize
660KB

Download
memory/2880-1911-0x000000006E7B0000-0x000000006EB00000-memory.dmp

Filesize
3.3MB

Download
memory/3312-1293-0x0000024FA43C0000-0x0000024FA44CA000-memory.dmp

Filesize
1.0MB

Download
memory/3312-1313-0x0000024FA9D30000-0x0000024FA9D52000-memory.dmp

Filesize
136KB

Download
memory/3312-1294-0x0000024FA40C0000-0x0000024FA40D0000-memory.dmp

Filesize
64KB

Download
memory/3312-1309-0x0000024FA99B0000-0x0000024FA99E8000-memory.dmp

Filesize
224KB

Download
memory/3312-1299-0x0000024FA4180000-0x0000024FA41AA000-memory.dmp

Filesize
168KB

Download
memory/3312-1297-0x0000024FA4150000-0x0000024FA4174000-memory.dmp

Filesize
144KB

Download
memory/3312-1300-0x0000024FA4710000-0x0000024FA47C2000-memory.dmp

Filesize
712KB

Download
memory/3312-1298-0x0000024F8B930000-0x0000024F8B93A000-memory.dmp

Filesize
40KB

Download
memory/3312-1295-0x0000024FA40E0000-0x0000024FA40EC000-memory.dmp

Filesize
48KB

Download
memory/3312-1302-0x0000024F8B940000-0x0000024F8B94A000-memory.dmp

Filesize
40KB

Download
memory/3312-1301-0x0000024FA4820000-0x0000024FA4870000-memory.dmp

Filesize
320KB

Download
memory/3312-1306-0x0000024FA51B0000-0x0000024FA54B0000-memory.dmp

Filesize
3.0MB

Download
memory/3312-1310-0x0000024FA9380000-0x0000024FA9388000-memory.dmp

Filesize
32KB

Download
memory/3312-1296-0x0000024FA40D0000-0x0000024FA40E4000-memory.dmp

Filesize
80KB

Download
memory/3312-1312-0x0000024FA9CD0000-0x0000024FA9D32000-memory.dmp

Filesize
392KB

Download
memory/3312-1318-0x0000024FA9D70000-0x0000024FA9D8E000-memory.dmp

Filesize
120KB

Download
memory/3312-1292-0x0000024F863A0000-0x0000024F89BD4000-memory.dmp

Filesize
56.2MB

Download
memory/3312-1311-0x0000024FA9CB0000-0x0000024FA9CBA000-memory.dmp

Filesize
40KB

Download
memory/3312-1308-0x0000024FA9320000-0x0000024FA9328000-memory.dmp

Filesize
32KB

Download
memory/3312-1314-0x0000024FAA290000-0x0000024FAA7B6000-memory.dmp

Filesize
5.1MB

Download
memory/3312-1317-0x0000024FA9CC0000-0x0000024FA9CCC000-memory.dmp

Filesize
48KB

Download
memory/3480-994-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4004-4043-0x000000006F0E0000-0x000000006F12B000-memory.dmp

Filesize
300KB

Download
memory/4004-4044-0x000000006EC80000-0x000000006EFD0000-memory.dmp

Filesize
3.3MB

Download
memory/4136-1055-0x000000006E3E0000-0x000000006E730000-memory.dmp

Filesize
3.3MB

Download
memory/4136-1054-0x000000006E390000-0x000000006E3DB000-memory.dmp

Filesize
300KB

Download
memory/4172-4285-0x000000006EC80000-0x000000006EFD0000-memory.dmp

Filesize
3.3MB

Download
memory/4172-4284-0x000000006F0E0000-0x000000006F12B000-memory.dmp

Filesize
300KB

Download
memory/4176-3097-0x000000006F0E0000-0x000000006F12B000-memory.dmp

Filesize
300KB

Download
memory/4176-3098-0x000000006EC80000-0x000000006EFD0000-memory.dmp

Filesize
3.3MB

Download
memory/4232-140-0x0000000007B20000-0x0000000007B6B000-memory.dmp

Filesize
300KB

Download
memory/4232-666-0x00000000099B0000-0x00000000099B8000-memory.dmp

Filesize
32KB

Download
memory/4232-134-0x0000000006BD0000-0x0000000006C36000-memory.dmp

Filesize
408KB

Download
memory/4232-139-0x0000000007870000-0x000000000788C000-memory.dmp

Filesize
112KB

Download
memory/4232-255-0x0000000009810000-0x0000000009843000-memory.dmp

Filesize
204KB

Download
memory/4232-204-0x00000000089D0000-0x0000000008A46000-memory.dmp

Filesize
472KB

Download
memory/4232-258-0x000000006E3E0000-0x000000006E730000-memory.dmp

Filesize
3.3MB

Download
memory/4232-256-0x000000006E390000-0x000000006E3DB000-memory.dmp

Filesize
300KB

Download
memory/4232-260-0x00000000097F0000-0x000000000980E000-memory.dmp

Filesize
120KB

Download
memory/4232-173-0x0000000008910000-0x000000000894C000-memory.dmp

Filesize
240KB

Download
memory/4232-135-0x0000000006C40000-0x0000000006CA6000-memory.dmp

Filesize
408KB

Download
memory/4232-124-0x0000000001230000-0x0000000001266000-memory.dmp

Filesize
216KB

Download
memory/4232-269-0x0000000009850000-0x00000000098F5000-memory.dmp

Filesize
660KB

Download
memory/4232-270-0x0000000009A70000-0x0000000009B04000-memory.dmp

Filesize
592KB

Download
memory/4232-133-0x0000000006B30000-0x0000000006B52000-memory.dmp

Filesize
136KB

Download
memory/4308-4992-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4308-4998-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4396-4985-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4432-769-0x000000006E390000-0x000000006E3DB000-memory.dmp

Filesize
300KB

Download
memory/4432-770-0x000000006E3E0000-0x000000006E730000-memory.dmp

Filesize
3.3MB

Download
memory/4440-3329-0x000000006F0E0000-0x000000006F12B000-memory.dmp

Filesize
300KB

Download
memory/4440-3330-0x000000006EC80000-0x000000006EFD0000-memory.dmp

Filesize
3.3MB

Download
memory/4660-1050-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4660-1130-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4784-3798-0x000000006EC80000-0x000000006EFD0000-memory.dmp

Filesize
3.3MB

Download
memory/4784-3795-0x000000006F0E0000-0x000000006F12B000-memory.dmp

Filesize
300KB

Download
memory/4888-2354-0x0000000008C80000-0x0000000008CCB000-memory.dmp

Filesize
300KB

Download
memory/4888-2387-0x000000006EDD0000-0x000000006EE1B000-memory.dmp

Filesize
300KB

Download
memory/4888-2388-0x000000006EE20000-0x000000006F170000-memory.dmp

Filesize
3.3MB

Download
memory/4888-2395-0x0000000009CC0000-0x0000000009D65000-memory.dmp

Filesize
660KB

Download
memory/4892-1053-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4892-1277-0x0000000000400000-0x0000000002ED5000-memory.dmp

Filesize
42.8MB

Download
memory/4924-10-0x00000000732CE000-0x00000000732CF000-memory.dmp

Filesize
4KB

Download
memory/4924-112-0x00000000732CE000-0x00000000732CF000-memory.dmp

Filesize
4KB

Download
memory/4924-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4980-130-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/4980-113-0x0000000000400000-0x0000000002B1E000-memory.dmp

Filesize
39.1MB

Download
memory/5064-4519-0x000000006F0E0000-0x000000006F12B000-memory.dmp

Filesize
300KB

Download