Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/05/2024, 11:35 UTC

General

  • Target

    8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe

  • Size

    4.1MB

  • MD5

    8792fffdee93c4e1663c7c6a5bfa9ef6

  • SHA1

    d6ba1c4d9e73da8020b891292cd20bd270ed2ff1

  • SHA256

    8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f

  • SHA512

    d0e15f7a4f88c4cb220ac387546beb170d34fffba3dbc7a5a671291d923ab514820721fcaebf8abe853049d6c9188532c4ef77f422cdf3ba7f4ae94ca7f4fefe

  • SSDEEP

    98304:Ok/C6baF9NNXYvR+SQPyohxfWe3/GY9pAEj6Q:On6bazjovoyoHfX3/GYHX

Malware Config

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba payload 19 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Manipulates WinMonFS driver. 1 IoCs

    Rootkits write to WinMonFS to hide directories/files from being detected.

  • Drops file in System32 directory 7 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Uses a powershell.exe command.

  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
    "C:\Users\Admin\AppData\Local\Temp\8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1324
    • C:\Users\Admin\AppData\Local\Temp\8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe
      "C:\Users\Admin\AppData\Local\Temp\8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f.exe"
      2⤵
      • Adds Run key to start application
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3724
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1376
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3288
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:4572
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:528
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -nologo -noprofile
        3⤵
        • Drops file in System32 directory
        • Command and Scripting Interpreter: PowerShell
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4840
      • C:\Windows\rss\csrss.exe
        C:\Windows\rss\csrss.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Manipulates WinMonFS driver.
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4944
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -nologo -noprofile
          4⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:464
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
          4⤵
          • Creates scheduled task(s)
          PID:2740
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /delete /tn ScheduledUpdate /f
          4⤵
          PID:2648
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1584
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -nologo -noprofile
            4⤵
            • Drops file in System32 directory
            • Command and Scripting Interpreter: PowerShell
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4864
          • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4292
          • C:\Windows\SYSTEM32\schtasks.exe
            schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            4⤵
            • Creates scheduled task(s)
            PID:1888
          • C:\Windows\windefender.exe
            "C:\Windows\windefender.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4252
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2508
              • C:\Windows\SysWOW64\sc.exe
                sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
                6⤵
                • Launches sc.exe
                • Suspicious use of AdjustPrivilegeToken
                PID:3752
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 864
          3⤵
          • Program crash
          PID:4548
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 952
        2⤵
        • Program crash
        PID:720
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3260 -ip 3260
      1⤵
      PID:4844
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3724 -ip 3724
        1⤵
        PID:3140
        • C:\Windows\windefender.exe
          C:\Windows\windefender.exe
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:636

Network

        • US
          DNS
          58.55.71.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          58.55.71.13.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          g.bing.com
          Remote address:
          8.8.8.8:53
          Request
          g.bing.com
          IN A
          Response
          g.bing.com
          IN CNAME
          g-bing-com.dual-a-0034.a-msedge.net
          g-bing-com.dual-a-0034.a-msedge.net
          IN CNAME
          dual-a-0034.a-msedge.net
          dual-a-0034.a-msedge.net
          IN A
          204.79.197.237
          dual-a-0034.a-msedge.net
          IN A
          13.107.21.237
        • US
          GET
          https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MUID=1345946F6F5864BB39AB80EB6EB86568; domain=.bing.com; expires=Fri, 13-Jun-2025 11:36:08 GMT; path=/; SameSite=None; Secure; Priority=High;
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: A9C165A46C6F4ED485B26660F3F23140 Ref B: LON04EDGE1206 Ref C: 2024-05-19T11:36:08Z
          date: Sun, 19 May 2024 11:36:08 GMT
        • US
          GET
          https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
          Remote address:
          204.79.197.237:443
          Request
          GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949 HTTP/2.0
          host: g.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=1345946F6F5864BB39AB80EB6EB86568; _EDGE_S=SID=3EF7D66F419A64A01A0FC2EB405A656F
          Response
          HTTP/2.0 204
          cache-control: no-cache, must-revalidate
          pragma: no-cache
          expires: Fri, 01 Jan 1990 00:00:00 GMT
          set-cookie: MSPTC=eqDWACr1k0mztmi3n-6o7oU0vSNGq-Vk6pIvibmJdPY; domain=.bing.com; expires=Fri, 13-Jun-2025 11:36:09 GMT; path=/; Partitioned; secure; SameSite=None
          strict-transport-security: max-age=31536000; includeSubDomains; preload
          access-control-allow-origin: *
          x-cache: CONFIG_NOCACHE
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 3FBCB5CC9CAD41588E00AA3C715699B4 Ref B: LON04EDGE1206 Ref C: 2024-05-19T11:36:09Z
          date: Sun, 19 May 2024 11:36:09 GMT
        • NL
          GET
          https://www.bing.com/aes/c.gif?RG=0a018e8082d94d07ad552b0327603ad3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135829Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
          Remote address:
          23.62.61.129:443
          Request
          GET /aes/c.gif?RG=0a018e8082d94d07ad552b0327603ad3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135829Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038 HTTP/2.0
          host: www.bing.com
          accept-encoding: gzip, deflate
          user-agent: WindowsShellClient/9.0.40929.0 (Windows)
          cookie: MUID=1345946F6F5864BB39AB80EB6EB86568
          Response
          HTTP/2.0 200
          cache-control: private,no-store
          pragma: no-cache
          vary: Origin
          p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 0A444E318F894A26BC270037B4377D40 Ref B: DUS30EDGE0314 Ref C: 2024-05-19T11:36:09Z
          content-length: 0
          date: Sun, 19 May 2024 11:36:09 GMT
          set-cookie: _EDGE_S=SID=3EF7D66F419A64A01A0FC2EB405A656F; path=/; httponly; domain=bing.com
          set-cookie: MUIDB=1345946F6F5864BB39AB80EB6EB86568; path=/; httponly; expires=Fri, 13-Jun-2025 11:36:09 GMT
          alt-svc: h3=":443"; ma=93600
          x-cdn-traceid: 0.7d3d3e17.1716118569.e7c92c9
        • US
          DNS
          20.160.190.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          20.160.190.20.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          237.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          237.197.79.204.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          129.61.62.23.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          129.61.62.23.in-addr.arpa
          IN PTR
          Response
          129.61.62.23.in-addr.arpa
          IN PTR
          a23-62-61-129.deploy.static.akamaitechnologies.com
        • NL
          GET
          https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          Remote address:
          23.62.61.129:443
          Request
          GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
          host: www.bing.com
          accept: */*
          cookie: MUID=1345946F6F5864BB39AB80EB6EB86568; _EDGE_S=SID=3EF7D66F419A64A01A0FC2EB405A656F; MSPTC=eqDWACr1k0mztmi3n-6o7oU0vSNGq-Vk6pIvibmJdPY; MUIDB=1345946F6F5864BB39AB80EB6EB86568
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-type: image/png
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          content-length: 1107
          date: Sun, 19 May 2024 11:36:11 GMT
          alt-svc: h3=":443"; ma=93600
          x-cdn-traceid: 0.7d3d3e17.1716118571.e7c9a9f
        • US
          DNS
          26.35.223.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          26.35.223.20.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          217.106.137.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          217.106.137.52.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          de3edac4-8096-4511-90f6-74cacd4e2eae.uuid.thestatsfiles.ru
          csrss.exe
          Remote address:
          8.8.8.8:53
          Request
          de3edac4-8096-4511-90f6-74cacd4e2eae.uuid.thestatsfiles.ru
          IN TXT
          Response
        • US
          DNS
          stun.ipfire.org
          csrss.exe
          Remote address:
          8.8.8.8:53
          Request
          stun.ipfire.org
          IN A
          Response
          stun.ipfire.org
          IN CNAME
          xmpp.ipfire.org
          xmpp.ipfire.org
          IN A
          81.3.27.44
        • US
          DNS
          cdn.discordapp.com
          csrss.exe
          Remote address:
          8.8.8.8:53
          Request
          cdn.discordapp.com
          IN A
          Response
          cdn.discordapp.com
          IN A
          162.159.133.233
          cdn.discordapp.com
          IN A
          162.159.129.233
          cdn.discordapp.com
          IN A
          162.159.134.233
          cdn.discordapp.com
          IN A
          162.159.135.233
          cdn.discordapp.com
          IN A
          162.159.130.233
        • US
          DNS
          server12.thestatsfiles.ru
          csrss.exe
          Remote address:
          8.8.8.8:53
          Request
          server12.thestatsfiles.ru
          IN A
          Response
          server12.thestatsfiles.ru
          IN A
          185.82.216.96
        • US
          DNS
          carsalessystem.com
          csrss.exe
          Remote address:
          8.8.8.8:53
          Request
          carsalessystem.com
          IN A
          Response
          carsalessystem.com
          IN A
          172.67.221.71
          carsalessystem.com
          IN A
          104.21.94.82
        • US
          DNS
          233.133.159.162.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          233.133.159.162.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          44.27.3.81.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          44.27.3.81.in-addr.arpa
          IN PTR
          Response
          44.27.3.81.in-addr.arpa
          IN PTR
          xmpp.ipfire.org
        • US
          DNS
          71.221.67.172.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          71.221.67.172.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          96.216.82.185.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          96.216.82.185.in-addr.arpa
          IN PTR
          Response
          96.216.82.185.in-addr.arpa
          IN PTR
          dedic-mariadebommarez-1201693.hosted-by-itldc.com
        • US
          DNS
          183.59.114.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          183.59.114.20.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          206.23.85.13.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          206.23.85.13.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          205.47.74.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          205.47.74.20.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          14.227.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          14.227.111.52.in-addr.arpa
          IN PTR
          Response
        • US
          DNS
          tse1.mm.bing.net
          Remote address:
          8.8.8.8:53
          Request
          tse1.mm.bing.net
          IN A
          Response
          tse1.mm.bing.net
          IN CNAME
          mm-mm.bing.net.trafficmanager.net
          mm-mm.bing.net.trafficmanager.net
          IN CNAME
          dual-a-0001.a-msedge.net
          dual-a-0001.a-msedge.net
          IN A
          204.79.197.200
          dual-a-0001.a-msedge.net
          IN A
          13.107.21.200
        • US
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 329579
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: 63E7B75B8BFC41F0A8CB50EA5AF5C90F Ref B: LON04EDGE0709 Ref C: 2024-05-19T11:37:48Z
          date: Sun, 19 May 2024 11:37:48 GMT
        • US
          GET
          https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          Remote address:
          204.79.197.200:443
          Request
          GET /th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
          host: tse1.mm.bing.net
          accept: */*
          accept-encoding: gzip, deflate, br
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
          Response
          HTTP/2.0 200
          cache-control: public, max-age=2592000
          content-length: 381531
          content-type: image/jpeg
          x-cache: TCP_HIT
          access-control-allow-origin: *
          access-control-allow-headers: *
          access-control-allow-methods: GET, POST, OPTIONS
          timing-allow-origin: *
          report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
          nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
          accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
          x-msedge-ref: Ref A: D45354A857264BF3BC78CF206A9382C8 Ref B: LON04EDGE0709 Ref C: 2024-05-19T11:37:48Z
          date: Sun, 19 May 2024 11:37:48 GMT
        • US
          DNS
          200.197.79.204.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          200.197.79.204.in-addr.arpa
          IN PTR
          Response
          200.197.79.204.in-addr.arpa
          IN PTR
          a-0001.a-msedge.net
        • 204.79.197.237:443
          https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949
          tls, http2
          2.5kB
          9.0kB
          19
          17

          HTTP Request

          GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

          HTTP Response

          204

          HTTP Request

          GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8zjwuZz-GKb4O1UdGgG973zVUCUzbtxkLGtjeepRHT2eYr8EXaPUp8Hp4sdlCk8TflZTjdQfzBKbVQJFfnRbdF0VVdeU9ynqU46TzflVE5aMPOLsy7tVim4n2w95lfrXzJPu6tPSP-7RouaNartZjbeCISgIvUZzINssrTmNDBaj7lhFO%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D9972c90b239618a31e3aaf2091708c7c&TIME=20240426T135829Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038&muid=416143B6C3858B3296EFB62827C91949

          HTTP Response

          204
        • 23.62.61.129:443
          https://www.bing.com/aes/c.gif?RG=0a018e8082d94d07ad552b0327603ad3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135829Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038
          tls, http2
          1.4kB
          5.3kB
          16
          11

          HTTP Request

          GET https://www.bing.com/aes/c.gif?RG=0a018e8082d94d07ad552b0327603ad3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135829Z&adUnitId=11730597&localId=w:416143B6-C385-8B32-96EF-B62827C91949&deviceId=6825828828137038

          HTTP Response

          200
        • 23.62.61.129:443
          https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
          tls, http2
          1.7kB
          7.6kB
          18
          13

          HTTP Request

          GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

          HTTP Response

          200
        • 162.159.133.233:443
          cdn.discordapp.com
          tls
          csrss.exe
          1.4kB
          6.1kB
          18
          21
        • 185.82.216.96:443
          server12.thestatsfiles.ru
          tls
          csrss.exe
          1.4kB
          5.1kB
          13
          15
        • 172.67.221.71:443
          carsalessystem.com
          tls
          csrss.exe
          77.2kB
          1.7MB
          1305
          1283
        • 185.82.216.96:443
          server12.thestatsfiles.ru
          tls
          csrss.exe
          1.3kB
          4.8kB
          11
          14
        • 185.82.216.96:443
          server12.thestatsfiles.ru
          tls
          csrss.exe
          1.9kB
          4.7kB
          11
          13
        • 204.79.197.200:443
          tse1.mm.bing.net
          tls, http2
          1.2kB
          8.1kB
          16
          13
        • 204.79.197.200:443
          https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
          tls, http2
          27.4kB
          743.8kB
          551
          548

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239371372356_1N2G93XRLJ1Y5GWC9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

          HTTP Request

          GET https://tse1.mm.bing.net/th?id=OADD2.10239371372355_1WLRVFTZ079W9XPFC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

          HTTP Response

          200

          HTTP Response

          200
        • 185.82.216.96:443
          server12.thestatsfiles.ru
          tls
          csrss.exe
          2.0kB
          4.7kB
          12
          13
        • 127.0.0.1:31465
          csrss.exe
        • 8.8.8.8:53
          58.55.71.13.in-addr.arpa
          dns
          70 B
          144 B
          1
          1

          DNS Request

          58.55.71.13.in-addr.arpa

        • 8.8.8.8:53
          172.210.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.210.232.199.in-addr.arpa

        • 8.8.8.8:53
          g.bing.com
          dns
          56 B
          151 B
          1
          1

          DNS Request

          g.bing.com

          DNS Response

          204.79.197.237
          13.107.21.237

        • 8.8.8.8:53
          20.160.190.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          20.160.190.20.in-addr.arpa

        • 8.8.8.8:53
          237.197.79.204.in-addr.arpa
          dns
          73 B
          143 B
          1
          1

          DNS Request

          237.197.79.204.in-addr.arpa

        • 8.8.8.8:53
          129.61.62.23.in-addr.arpa
          dns
          71 B
          135 B
          1
          1

          DNS Request

          129.61.62.23.in-addr.arpa

        • 8.8.8.8:53
          26.35.223.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          26.35.223.20.in-addr.arpa

        • 8.8.8.8:53
          217.106.137.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          217.106.137.52.in-addr.arpa

        • 8.8.8.8:53
          de3edac4-8096-4511-90f6-74cacd4e2eae.uuid.thestatsfiles.ru
          dns
          csrss.exe
          104 B
          177 B
          1
          1

          DNS Request

          de3edac4-8096-4511-90f6-74cacd4e2eae.uuid.thestatsfiles.ru

        • 8.8.8.8:53
          stun.ipfire.org
          dns
          csrss.exe
          61 B
          96 B
          1
          1

          DNS Request

          stun.ipfire.org

          DNS Response

          81.3.27.44

        • 8.8.8.8:53
          cdn.discordapp.com
          dns
          csrss.exe
          64 B
          144 B
          1
          1

          DNS Request

          cdn.discordapp.com

          DNS Response

          162.159.133.233
          162.159.129.233
          162.159.134.233
          162.159.135.233
          162.159.130.233

        • 8.8.8.8:53
          server12.thestatsfiles.ru
          dns
          csrss.exe
          71 B
          87 B
          1
          1

          DNS Request

          server12.thestatsfiles.ru

          DNS Response

          185.82.216.96

        • 81.3.27.44:3478
          stun.ipfire.org
          csrss.exe
          48 B
          80 B
          1
          1
        • 8.8.8.8:53
          carsalessystem.com
          dns
          csrss.exe
          64 B
          96 B
          1
          1

          DNS Request

          carsalessystem.com

          DNS Response

          172.67.221.71
          104.21.94.82

        • 8.8.8.8:53
          233.133.159.162.in-addr.arpa
          dns
          74 B
          136 B
          1
          1

          DNS Request

          233.133.159.162.in-addr.arpa

        • 8.8.8.8:53
          44.27.3.81.in-addr.arpa
          dns
          69 B
          98 B
          1
          1

          DNS Request

          44.27.3.81.in-addr.arpa

        • 8.8.8.8:53
          71.221.67.172.in-addr.arpa
          dns
          72 B
          134 B
          1
          1

          DNS Request

          71.221.67.172.in-addr.arpa

        • 8.8.8.8:53
          96.216.82.185.in-addr.arpa
          dns
          72 B
          135 B
          1
          1

          DNS Request

          96.216.82.185.in-addr.arpa

        • 8.8.8.8:53
          183.59.114.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          183.59.114.20.in-addr.arpa

        • 8.8.8.8:53
          206.23.85.13.in-addr.arpa
          dns
          71 B
          145 B
          1
          1

          DNS Request

          206.23.85.13.in-addr.arpa

        • 8.8.8.8:53
          205.47.74.20.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          205.47.74.20.in-addr.arpa

        • 8.8.8.8:53
          14.227.111.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          14.227.111.52.in-addr.arpa

        • 8.8.8.8:53
          tse1.mm.bing.net
          dns
          62 B
          173 B
          1
          1

          DNS Request

          tse1.mm.bing.net

          DNS Response

          204.79.197.200
          13.107.21.200

        • 8.8.8.8:53
          200.197.79.204.in-addr.arpa
          dns
          73 B
          106 B
          1
          1

          DNS Request

          200.197.79.204.in-addr.arpa

        • 8.8.8.8:53

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_osrqtuj5.peu.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

          Filesize

          281KB

          MD5

          d98e33b66343e7c96158444127a117f6

          SHA1

          bb716c5509a2bf345c6c1152f6e3e1452d39d50d

          SHA256

          5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

          SHA512

          705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

          Filesize

          19KB

          MD5

          b28e77566441fd2624b54b9fd1a59e4b

          SHA1

          e49b0c59dfdba991dbb4b137d046cac5da1806d8

          SHA256

          e92a336873b3279ca278d2b62894a157c6e45dec079897ecf600babb18306098

          SHA512

          01c2c0a1f3e1c018416f6ef667a3a74b5fffdeb722c859266c72fdccc0ce9d9cb75bfd935e0081e2b41d5219cec8a9323a4d9ae8793c73a6af9dae340d4b5018

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

          Filesize

          19KB

          MD5

          abf3a2d51e1d1932a06f7090ca02f324

          SHA1

          a1ef3ab7f12b433f9631fec8f7989f83b1d5e7d6

          SHA256

          0f8fb9e9e3f4759a4b53d0d369ff520b9abd18c1e8ce25ea0307f06cc167c86a

          SHA512

          f94ae7ee9bf49943e058970b738c6c50a4ebbc7a02cc9ed1251abdac2fdfeaf92c811db4e455f5a3b39b9d9660fa3a9926d47068675f040b90557784472d17fd

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

          Filesize

          19KB

          MD5

          43a9dcfbaeae2ddfc8289be9d10d3dd3

          SHA1

          7828b20a973294310e11e46b56ce78e471e0785d

          SHA256

          383fa356f6d607de0a2bbb7d5855651125252e9e9da2b6673787794bbb61c6b9

          SHA512

          c113ccee4ba527240ae766fefb594a36a36372c797801b821e60644c4ac2b0b3abb5845c649a4a01e706335f3d0be2a6bfb1f003c804cc8952347487dbf7c37b

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

          Filesize

          19KB

          MD5

          53889e8e7a66c097671a392765843473

          SHA1

          32652d7a3accc1d43a8028817f8acb88bebdcd1f

          SHA256

          3e1e2ed8a1811cadef2aa7af68a1717390d52e0f5d96780fa7ba9d947dc0f9a8

          SHA512

          ac4591a84c9085f67249e5693190807ea4216ac4450bacdc0ead78fd862ee3b6e7f15aec01ae2ae255364cbf25ad0945b893ef81af254c6f91d98121b81ae469

        • C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

          Filesize

          19KB

          MD5

          6bb99a179e48454a87ed283adb248634

          SHA1

          a4cc1a9f092daf97ca7aabf51fa38f07660b3960

          SHA256

          df62be3ecd3627ecfac0f46f0be4a091fcf80c4658e49aa24cd4cf52b1d85629

          SHA512

          3ccd9262a8f0f5146e7516bc80cd3bc795123644897188f330a3def8da47a435f3aa6a166060474e62a024a9ea4739631885512650c4c118ffeb37c733f00489

        • C:\Windows\rss\csrss.exe

          Filesize

          4.1MB

          MD5

          8792fffdee93c4e1663c7c6a5bfa9ef6

          SHA1

          d6ba1c4d9e73da8020b891292cd20bd270ed2ff1

          SHA256

          8409c2b0bb04ac92de1a1dab769d8eb0ba90026ed3036afb9bec59c52527f78f

          SHA512

          d0e15f7a4f88c4cb220ac387546beb170d34fffba3dbc7a5a671291d923ab514820721fcaebf8abe853049d6c9188532c4ef77f422cdf3ba7f4ae94ca7f4fefe

        • C:\Windows\windefender.exe

          Filesize

          2.0MB

          MD5

          8e67f58837092385dcf01e8a2b4f5783

          SHA1

          012c49cfd8c5d06795a6f67ea2baf2a082cf8625

          SHA256

          166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

          SHA512

          40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

        • memory/464-149-0x0000000070800000-0x000000007084C000-memory.dmp

          Filesize

          304KB

        • memory/464-161-0x0000000007830000-0x0000000007841000-memory.dmp

          Filesize

          68KB

        • memory/464-148-0x00000000068A0000-0x00000000068EC000-memory.dmp

          Filesize

          304KB

        • memory/464-162-0x00000000061D0000-0x00000000061E4000-memory.dmp

          Filesize

          80KB

        • memory/464-146-0x0000000005D40000-0x0000000006094000-memory.dmp

          Filesize

          3.3MB

        • memory/464-160-0x0000000007690000-0x0000000007733000-memory.dmp

          Filesize

          652KB

        • memory/464-150-0x0000000070C40000-0x0000000070F94000-memory.dmp

          Filesize

          3.3MB

        • memory/528-97-0x00000000708A0000-0x00000000708EC000-memory.dmp

          Filesize

          304KB

        • memory/528-98-0x0000000070CD0000-0x0000000071024000-memory.dmp

          Filesize

          3.3MB

        • memory/528-95-0x0000000005C60000-0x0000000005FB4000-memory.dmp

          Filesize

          3.3MB

        • memory/636-230-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

        • memory/636-234-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

        • memory/636-227-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

        • memory/1324-43-0x0000000008080000-0x000000000808A000-memory.dmp

          Filesize

          40KB

        • memory/1324-5-0x00000000033D0000-0x0000000003406000-memory.dmp

          Filesize

          216KB

        • memory/1324-28-0x0000000007F30000-0x0000000007F62000-memory.dmp

          Filesize

          200KB

        • memory/1324-44-0x0000000074900000-0x00000000750B0000-memory.dmp

          Filesize

          7.7MB

        • memory/1324-45-0x0000000008190000-0x0000000008226000-memory.dmp

          Filesize

          600KB

        • memory/1324-46-0x0000000008090000-0x00000000080A1000-memory.dmp

          Filesize

          68KB

        • memory/1324-47-0x00000000080D0000-0x00000000080DE000-memory.dmp

          Filesize

          56KB

        • memory/1324-48-0x00000000080F0000-0x0000000008104000-memory.dmp

          Filesize

          80KB

        • memory/1324-50-0x0000000008130000-0x0000000008138000-memory.dmp

          Filesize

          32KB

        • memory/1324-49-0x0000000008140000-0x000000000815A000-memory.dmp

          Filesize

          104KB

        • memory/1324-53-0x0000000074900000-0x00000000750B0000-memory.dmp

          Filesize

          7.7MB

        • memory/1324-4-0x000000007490E000-0x000000007490F000-memory.dmp

          Filesize

          4KB

        • memory/1324-30-0x0000000074900000-0x00000000750B0000-memory.dmp

          Filesize

          7.7MB

        • memory/1324-7-0x0000000074900000-0x00000000750B0000-memory.dmp

          Filesize

          7.7MB

        • memory/1324-6-0x0000000005B20000-0x0000000006148000-memory.dmp

          Filesize

          6.2MB

        • memory/1324-8-0x0000000074900000-0x00000000750B0000-memory.dmp

          Filesize

          7.7MB

        • memory/1324-9-0x0000000005AE0000-0x0000000005B02000-memory.dmp

          Filesize

          136KB

        • memory/1324-10-0x00000000062C0000-0x0000000006326000-memory.dmp

          Filesize

          408KB

        • memory/1324-13-0x00000000063A0000-0x0000000006406000-memory.dmp

          Filesize

          408KB

        • memory/1324-21-0x0000000006510000-0x0000000006864000-memory.dmp

          Filesize

          3.3MB

        • memory/1324-22-0x00000000069B0000-0x00000000069CE000-memory.dmp

          Filesize

          120KB

        • memory/1324-23-0x00000000069E0000-0x0000000006A2C000-memory.dmp

          Filesize

          304KB

        • memory/1324-42-0x0000000007F90000-0x0000000008033000-memory.dmp

          Filesize

          652KB

        • memory/1324-31-0x0000000070920000-0x0000000070C74000-memory.dmp

          Filesize

          3.3MB

        • memory/1324-41-0x0000000007F70000-0x0000000007F8E000-memory.dmp

          Filesize

          120KB

        • memory/1324-29-0x00000000707A0000-0x00000000707EC000-memory.dmp

          Filesize

          304KB

        • memory/1324-27-0x0000000007D70000-0x0000000007D8A000-memory.dmp

          Filesize

          104KB

        • memory/1324-24-0x0000000006F40000-0x0000000006F84000-memory.dmp

          Filesize

          272KB

        • memory/1324-25-0x0000000007CD0000-0x0000000007D46000-memory.dmp

          Filesize

          472KB

        • memory/1324-26-0x00000000083D0000-0x0000000008A4A000-memory.dmp

          Filesize

          6.5MB

        • memory/1376-67-0x0000000006270000-0x00000000065C4000-memory.dmp

          Filesize

          3.3MB

        • memory/1376-70-0x0000000070A20000-0x0000000070D74000-memory.dmp

          Filesize

          3.3MB

        • memory/1376-68-0x00000000067A0000-0x00000000067EC000-memory.dmp

          Filesize

          304KB

        • memory/1376-69-0x00000000708A0000-0x00000000708EC000-memory.dmp

          Filesize

          304KB

        • memory/1376-82-0x0000000007D30000-0x0000000007D44000-memory.dmp

          Filesize

          80KB

        • memory/1376-81-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

          Filesize

          68KB

        • memory/1376-80-0x00000000079C0000-0x0000000007A63000-memory.dmp

          Filesize

          652KB

        • memory/1584-176-0x0000000070720000-0x000000007076C000-memory.dmp

          Filesize

          304KB

        • memory/1584-189-0x00000000065F0000-0x0000000006604000-memory.dmp

          Filesize

          80KB

        • memory/1584-164-0x0000000006150000-0x00000000064A4000-memory.dmp

          Filesize

          3.3MB

        • memory/1584-187-0x0000000007A20000-0x0000000007AC3000-memory.dmp

          Filesize

          652KB

        • memory/1584-175-0x0000000006970000-0x00000000069BC000-memory.dmp

          Filesize

          304KB

        • memory/1584-188-0x0000000007D60000-0x0000000007D71000-memory.dmp

          Filesize

          68KB

        • memory/1584-177-0x0000000070EC0000-0x0000000071214000-memory.dmp

          Filesize

          3.3MB

        • memory/3260-55-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/3260-1-0x0000000003F40000-0x0000000004345000-memory.dmp

          Filesize

          4.0MB

        • memory/3260-2-0x0000000004450000-0x0000000004D3B000-memory.dmp

          Filesize

          8.9MB

        • memory/3260-3-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

        • memory/3260-57-0x0000000000400000-0x0000000000D1C000-memory.dmp

          Filesize

          9.1MB

        • memory/3260-56-0x0000000004450000-0x0000000004D3B000-memory.dmp

          Filesize

          8.9MB

        • memory/3724-136-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4252-228-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

        • memory/4252-224-0x0000000000400000-0x00000000008DF000-memory.dmp

          Filesize

          4.9MB

        • memory/4840-120-0x0000000070A20000-0x0000000070D74000-memory.dmp

          Filesize

          3.3MB

        • memory/4840-119-0x00000000708A0000-0x00000000708EC000-memory.dmp

          Filesize

          304KB

        • memory/4864-202-0x0000000070720000-0x000000007076C000-memory.dmp

          Filesize

          304KB

        • memory/4864-203-0x0000000070D10000-0x0000000071064000-memory.dmp

          Filesize

          3.3MB

        • memory/4864-200-0x0000000005980000-0x0000000005CD4000-memory.dmp

          Filesize

          3.3MB

        • memory/4944-235-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-231-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-233-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-229-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-219-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-237-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-239-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-241-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-243-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-245-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-247-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-249-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB

        • memory/4944-251-0x0000000000400000-0x0000000002364000-memory.dmp

          Filesize

          31.4MB
