glupteba | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

glupteba lumma phorphiex discovery dropper evasion execution loader persistence stealer trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://5.42.96.117/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
plo7udsa2s
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Extracted

Family

lumma

https://whispedwoodmoodsksl.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

https://detailbaconroollyws.shop/api

https://horsedwollfedrwos.shop/api

https://patternapplauderw.shop/api

https://understanndtytonyguw.shop/api

https://considerrycurrentyws.shop/api

https://messtimetabledkolvk.shop/api

https://deprivedrinkyfaiir.shop/api

https://relaxtionflouwerwi.shop/api

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

syslmgrsvc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	syslmgrsvc.exe

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\150091560.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2792	powershell.exe
2504	powershell.exe
4156	powershell.exe
2172	powershell.exe
5344	powershell.exe
4532	powershell.exe
980	powershell.exe
2564	powershell.exe

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3628 netsh.exe

pid	process
3628	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4363463463464363463463463.exe288c47bbc1871b439df19ff4df68f000766.exeasdfg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	288c47bbc1871b439df19ff4df68f000766.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	asdfg.exe

Executes dropped EXE 21 IoCs

Processes:

update_3.exevictor.exepei.exe150091560.exesyslmgrsvc.exeasdfg.exe288c47bbc1871b439df19ff4df68f000766.exeISetup4.exe288c47bbc1871b439df19ff4df68f076.exegold.exe951821704.exeleadiadequatepro.exeleadadequate.exemaza-0.16.3-win64-setup-unsigned.exeBLHisbnd.exeasdfg.exeBLHisbnd.exe288c47bbc1871b439df19ff4df68f076.execsrss.exeinjector.exeleadiadequate.exe

pid	process
4200	update_3.exe
3116	victor.exe
4248	pei.exe
5024	150091560.exe
4660	syslmgrsvc.exe
2396	asdfg.exe
4104	288c47bbc1871b439df19ff4df68f000766.exe
3328	ISetup4.exe
5076	288c47bbc1871b439df19ff4df68f076.exe
4760	gold.exe
2800	951821704.exe
540	leadiadequatepro.exe
2040	leadadequate.exe
5716	maza-0.16.3-win64-setup-unsigned.exe
5944	BLHisbnd.exe
5152	asdfg.exe
1192	BLHisbnd.exe
5760	288c47bbc1871b439df19ff4df68f076.exe
1980	csrss.exe
5980	injector.exe
1544	leadiadequate.exe

Loads dropped DLL 3 IoCs

Processes:

maza-0.16.3-win64-setup-unsigned.exe

pid process

5716 maza-0.16.3-win64-setup-unsigned.exe
5716 maza-0.16.3-win64-setup-unsigned.exe
5716 maza-0.16.3-win64-setup-unsigned.exe

pid	process
5716	maza-0.16.3-win64-setup-unsigned.exe
5716	maza-0.16.3-win64-setup-unsigned.exe
5716	maza-0.16.3-win64-setup-unsigned.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

150091560.exeleadiadequatepro.exe288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"	150091560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	leadiadequatepro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	288c47bbc1871b439df19ff4df68f076.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

193 raw.githubusercontent.com
195 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

168 api.ipify.org
169 api.ipify.org

flow	ioc
193	raw.githubusercontent.com
195	raw.githubusercontent.com

flow	ioc
168	api.ipify.org
169	api.ipify.org

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

gold.exeasdfg.exeBLHisbnd.exeleadadequate.exe

description	pid	process	target process
PID 4760 set thread context of 4088	4760	gold.exe	RegAsm.exe
PID 2396 set thread context of 5152	2396	asdfg.exe	asdfg.exe
PID 5944 set thread context of 1192	5944	BLHisbnd.exe	BLHisbnd.exe
PID 2040 set thread context of 5376	2040	leadadequate.exe	InstallUtil.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

288c47bbc1871b439df19ff4df68f076.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	288c47bbc1871b439df19ff4df68f076.exe

Drops file in Windows directory 4 IoCs

Processes:

150091560.exe288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
File created	C:\Windows\syslmgrsvc.exe	150091560.exe
File opened for modification	C:\Windows\syslmgrsvc.exe	150091560.exe
File opened for modification	C:\Windows\rss	288c47bbc1871b439df19ff4df68f076.exe
File created	C:\Windows\rss\csrss.exe	288c47bbc1871b439df19ff4df68f076.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3812	3116	WerFault.exe	victor.exe
4964	4200	WerFault.exe	update_3.exe
3844	3328	WerFault.exe	ISetup4.exe
5924	5152	WerFault.exe	asdfg.exe
5444	4760	WerFault.exe	gold.exe

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4248 schtasks.exe
5796 schtasks.exe

pid	process
4248	schtasks.exe
5796	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

powershell.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeinjector.execsrss.exepowershell.exe

pid	process
4532	powershell.exe
4532	powershell.exe
5076	288c47bbc1871b439df19ff4df68f076.exe
5076	288c47bbc1871b439df19ff4df68f076.exe
980	powershell.exe
980	powershell.exe
5760	288c47bbc1871b439df19ff4df68f076.exe
5760	288c47bbc1871b439df19ff4df68f076.exe
5760	288c47bbc1871b439df19ff4df68f076.exe
5760	288c47bbc1871b439df19ff4df68f076.exe
5760	288c47bbc1871b439df19ff4df68f076.exe
5760	288c47bbc1871b439df19ff4df68f076.exe
5760	288c47bbc1871b439df19ff4df68f076.exe
5760	288c47bbc1871b439df19ff4df68f076.exe
5760	288c47bbc1871b439df19ff4df68f076.exe
5760	288c47bbc1871b439df19ff4df68f076.exe
2792	powershell.exe
2792	powershell.exe
2504	powershell.exe
2504	powershell.exe
2564	powershell.exe
2564	powershell.exe
4156	powershell.exe
4156	powershell.exe
2172	powershell.exe
2172	powershell.exe
5344	powershell.exe
5344	powershell.exe
5980	injector.exe
5980	injector.exe
5980	injector.exe
5980	injector.exe
5980	injector.exe
5980	injector.exe
1980	csrss.exe
1980	csrss.exe
5980	injector.exe
5980	injector.exe
5980	injector.exe
5980	injector.exe
4488	powershell.exe
4488	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

4363463463464363463463463.exeasdfg.exeleadadequate.exepowershell.exeBLHisbnd.exeBLHisbnd.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execsrss.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3640	4363463463464363463463463.exe
Token: SeDebugPrivilege	2396	asdfg.exe
Token: SeDebugPrivilege	2040	leadadequate.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	2396	asdfg.exe
Token: SeDebugPrivilege	5944	BLHisbnd.exe
Token: SeDebugPrivilege	5944	BLHisbnd.exe
Token: SeDebugPrivilege	1192	BLHisbnd.exe
Token: SeDebugPrivilege	5076	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	5076	288c47bbc1871b439df19ff4df68f076.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeSystemEnvironmentPrivilege	1980	csrss.exe
Token: SeDebugPrivilege	2040	leadadequate.exe
Token: SeDebugPrivilege	4488	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exepei.exe150091560.exe288c47bbc1871b439df19ff4df68f000766.exesyslmgrsvc.exegold.exeleadiadequatepro.exe288c47bbc1871b439df19ff4df68f076.exeasdfg.exe

description	pid	process	target process
PID 3640 wrote to memory of 4200	3640	4363463463464363463463463.exe	update_3.exe
PID 3640 wrote to memory of 4200	3640	4363463463464363463463463.exe	update_3.exe
PID 3640 wrote to memory of 4200	3640	4363463463464363463463463.exe	update_3.exe
PID 3640 wrote to memory of 3116	3640	4363463463464363463463463.exe	victor.exe
PID 3640 wrote to memory of 3116	3640	4363463463464363463463463.exe	victor.exe
PID 3640 wrote to memory of 3116	3640	4363463463464363463463463.exe	victor.exe
PID 3640 wrote to memory of 4248	3640	4363463463464363463463463.exe	pei.exe
PID 3640 wrote to memory of 4248	3640	4363463463464363463463463.exe	pei.exe
PID 3640 wrote to memory of 4248	3640	4363463463464363463463463.exe	pei.exe
PID 4248 wrote to memory of 5024	4248	pei.exe	150091560.exe
PID 4248 wrote to memory of 5024	4248	pei.exe	150091560.exe
PID 4248 wrote to memory of 5024	4248	pei.exe	150091560.exe
PID 5024 wrote to memory of 4660	5024	150091560.exe	syslmgrsvc.exe
PID 5024 wrote to memory of 4660	5024	150091560.exe	syslmgrsvc.exe
PID 5024 wrote to memory of 4660	5024	150091560.exe	syslmgrsvc.exe
PID 3640 wrote to memory of 2396	3640	4363463463464363463463463.exe	asdfg.exe
PID 3640 wrote to memory of 2396	3640	4363463463464363463463463.exe	asdfg.exe
PID 3640 wrote to memory of 2396	3640	4363463463464363463463463.exe	asdfg.exe
PID 3640 wrote to memory of 4104	3640	4363463463464363463463463.exe	288c47bbc1871b439df19ff4df68f000766.exe
PID 3640 wrote to memory of 4104	3640	4363463463464363463463463.exe	288c47bbc1871b439df19ff4df68f000766.exe
PID 3640 wrote to memory of 4104	3640	4363463463464363463463463.exe	288c47bbc1871b439df19ff4df68f000766.exe
PID 4104 wrote to memory of 3328	4104	288c47bbc1871b439df19ff4df68f000766.exe	ISetup4.exe
PID 4104 wrote to memory of 3328	4104	288c47bbc1871b439df19ff4df68f000766.exe	ISetup4.exe
PID 4104 wrote to memory of 3328	4104	288c47bbc1871b439df19ff4df68f000766.exe	ISetup4.exe
PID 4104 wrote to memory of 5076	4104	288c47bbc1871b439df19ff4df68f000766.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 4104 wrote to memory of 5076	4104	288c47bbc1871b439df19ff4df68f000766.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 4104 wrote to memory of 5076	4104	288c47bbc1871b439df19ff4df68f000766.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 3640 wrote to memory of 4760	3640	4363463463464363463463463.exe	gold.exe
PID 3640 wrote to memory of 4760	3640	4363463463464363463463463.exe	gold.exe
PID 3640 wrote to memory of 4760	3640	4363463463464363463463463.exe	gold.exe
PID 4660 wrote to memory of 2800	4660	syslmgrsvc.exe	951821704.exe
PID 4660 wrote to memory of 2800	4660	syslmgrsvc.exe	951821704.exe
PID 4660 wrote to memory of 2800	4660	syslmgrsvc.exe	951821704.exe
PID 4760 wrote to memory of 4088	4760	gold.exe	RegAsm.exe
PID 4760 wrote to memory of 4088	4760	gold.exe	RegAsm.exe
PID 4760 wrote to memory of 4088	4760	gold.exe	RegAsm.exe
PID 4760 wrote to memory of 4088	4760	gold.exe	RegAsm.exe
PID 4760 wrote to memory of 4088	4760	gold.exe	RegAsm.exe
PID 4760 wrote to memory of 4088	4760	gold.exe	RegAsm.exe
PID 4760 wrote to memory of 4088	4760	gold.exe	RegAsm.exe
PID 4760 wrote to memory of 4088	4760	gold.exe	RegAsm.exe
PID 4760 wrote to memory of 4088	4760	gold.exe	RegAsm.exe
PID 3640 wrote to memory of 540	3640	4363463463464363463463463.exe	leadiadequatepro.exe
PID 3640 wrote to memory of 540	3640	4363463463464363463463463.exe	leadiadequatepro.exe
PID 540 wrote to memory of 2040	540	leadiadequatepro.exe	leadadequate.exe
PID 540 wrote to memory of 2040	540	leadiadequatepro.exe	leadadequate.exe
PID 3640 wrote to memory of 5716	3640	4363463463464363463463463.exe	maza-0.16.3-win64-setup-unsigned.exe
PID 3640 wrote to memory of 5716	3640	4363463463464363463463463.exe	maza-0.16.3-win64-setup-unsigned.exe
PID 3640 wrote to memory of 5716	3640	4363463463464363463463463.exe	maza-0.16.3-win64-setup-unsigned.exe
PID 5076 wrote to memory of 4532	5076	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 5076 wrote to memory of 4532	5076	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 5076 wrote to memory of 4532	5076	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 2396 wrote to memory of 5944	2396	asdfg.exe	BLHisbnd.exe
PID 2396 wrote to memory of 5944	2396	asdfg.exe	BLHisbnd.exe
PID 2396 wrote to memory of 5944	2396	asdfg.exe	BLHisbnd.exe
PID 2396 wrote to memory of 5152	2396	asdfg.exe	asdfg.exe
PID 2396 wrote to memory of 5152	2396	asdfg.exe	asdfg.exe
PID 2396 wrote to memory of 5152	2396	asdfg.exe	asdfg.exe
PID 2396 wrote to memory of 5152	2396	asdfg.exe	asdfg.exe
PID 2396 wrote to memory of 5152	2396	asdfg.exe	asdfg.exe
PID 2396 wrote to memory of 5152	2396	asdfg.exe	asdfg.exe
PID 2396 wrote to memory of 5152	2396	asdfg.exe	asdfg.exe
PID 2396 wrote to memory of 5152	2396	asdfg.exe	asdfg.exe
PID 2396 wrote to memory of 5152	2396	asdfg.exe	asdfg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Users\Admin\AppData\Local\Temp\Files\update_3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\update_3.exe"
  2⤵
  - Executes dropped EXE
  PID:4200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 388
    3⤵
    - Program crash
    PID:4964
- C:\Users\Admin\AppData\Local\Temp\Files\victor.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\victor.exe"
  2⤵
  - Executes dropped EXE
  PID:3116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 232
    3⤵
    - Program crash
    PID:3812
- C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\150091560.exe
    C:\Users\Admin\AppData\Local\Temp\150091560.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\syslmgrsvc.exe
      C:\Windows\syslmgrsvc.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\951821704.exe
        
        C:\Users\Admin\AppData\Local\Temp\951821704.exe
        5⤵
        Executes dropped EXE
        
        PID:2800
    - - C:\Users\Admin\AppData\Local\Temp\106632308.exe
        
        C:\Users\Admin\AppData\Local\Temp\106632308.exe
        5⤵
        
        PID:3576
    - - C:\Users\Admin\AppData\Local\Temp\145381521.exe
        
        C:\Users\Admin\AppData\Local\Temp\145381521.exe
        5⤵
        
        PID:5636
- C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
    "C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5944
  - - C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
      "C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
    3⤵
    - Executes dropped EXE
    PID:5152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5152 -s 344
      4⤵
      Program crash
      PID:5924
- C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f000766.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f000766.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
    "C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
    3⤵
    - Executes dropped EXE
    PID:3328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 692
      4⤵
      Program crash
      PID:3844
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:5760
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1444
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3628
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:4248
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:4668
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5344
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5980
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5796
- C:\Users\Admin\AppData\Local\Temp\Files\gold.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gold.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 280
    3⤵
    - Program crash
    PID:5444
- C:\Users\Admin\AppData\Local\Temp\Files\leadiadequatepro.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\leadiadequatepro.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\leadadequate.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\leadadequate.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:5376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\leadadequate.exe' -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4488
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\leadiadequate.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\leadiadequate.exe
    3⤵
    - Executes dropped EXE
    PID:1544
- C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3116 -ip 3116
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4200 -ip 4200
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3328 -ip 3328
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5152 -ip 5152
1⤵
PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4760 -ip 4760
1⤵
PID:4076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVABhAGcAcwAuAGUAeABlADsA
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Users\Admin\AppData\Local\Remaining\qqjjtu\Tags.exe
C:\Users\Admin\AppData\Local\Remaining\qqjjtu\Tags.exe
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLHisbnd.exe.log

Filesize
716B

MD5
4f9cc40b2bfe17ac6d8f4e67dad23157

SHA1
f3a7e90a2af422f14a8913e2cf03cb5b639fdb18

SHA256
3be33b92192f6b439c3b03172670dfd25018b775a0de1bde5f1e81e22a49ab20

SHA512
d3d7c1b1fc70cbd7cc4ebe8649bee97a33476e4a0bd67928b124685d793b463208b78982ce592d352ae5a351eaef4d96fde3b02e69860a1c63ab0e53a8a5fa94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Remaining\qqjjtu\Tags.exe

Filesize
768KB

MD5
44c841ec27fdf1846ddd60af6542633e

SHA1
9932d07a4ce1fe637cd45738ba1837efdb0dc0f2

SHA256
3ca8eda5e821fb6fcafed4f5ff71fdbb378df2432378f14d5eae280f6e53fbe6

SHA512
43ae1dbd819a07cb2ce9e880c68abecf382f4c7893d3fb8ff677c4c0d85ee0e30c9754a81b7facc2e5f0bf291e01a9b312dfb97efae216271948d7ee18f2ec49

Download Submit
C:\Users\Admin\AppData\Local\Temp\106632308.exe

Filesize
7KB

MD5
98826d93c645ba34d1eaafc990e4b3ba

SHA1
82ced640336d93ab6392843a407bbe7af9db946a

SHA256
b829f7c9ae610fdb1a82cf412c5e66ea5f857554f7c68eca88d6002e54e2a587

SHA512
a8ac6747147d3a329520090ae68213f30474e1619fb781c05787dee740a5eeecb2aa5dd839c81adce8ca90ba797280141e3a68a38f112a7913b7e94d53199862

Download Submit
C:\Users\Admin\AppData\Local\Temp\145381521.exe

Filesize
10KB

MD5
c8cf446ead193a3807472fbd294c5f23

SHA1
2162f28c919222f75ce5f52e4bb1155255ae5368

SHA256
e5d12658a690c62af7d4fc7b26735affc7210e3bfb6b2241de1bf90aebdc0717

SHA512
fc94014fabf204ecd57990db4b05b81cbda0a314b621cbfa755296ddf5493ec55fb129d12eff5f92863d9f1d7fea679dc2aeb62baf898791448cb4fe34b595c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\147289869.exe

Filesize
80KB

MD5
2ff2bb06682812eeb76628bfbe817fbb

SHA1
18e86614d0f4904e1fe97198ccda34b25aab7dae

SHA256
985da56fb594bf65d8bb993e8e37cd6e78535da6c834945068040faf67e91e7d

SHA512
5cd3b5a1e16202893b08c0ae70d3bcd9e7a49197ebf1ded08e01395202022b3b6c2d8837196ef0415fea6497d928b44e03544b934f8e062ddbb6c6f79fb6f440

Download Submit
C:\Users\Admin\AppData\Local\Temp\150091560.exe

Filesize
93KB

MD5
a318cc45e79498b93e40d5e5b9b76be4

SHA1
4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

SHA256
4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

SHA512
3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.2MB

MD5
43b4b9050e5b237de2d1412de8781f36

SHA1
125cd51af3ca81d4c3e517b8405b9afae92b86f2

SHA256
97bb5c78c753aa5e39ffc3d4c1058f584d0241e9b19aff20a248f1f159fdca6d

SHA512
24e90d5a5d4a06e0d62ff2b5bc91e686f5cdb2e77fb4c31ef3b6a59f62afae9fc6642bb57576c334e46e234d10300a2814cca747cc315b52ea63b0226a6695d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe

Filesize
3.4MB

MD5
e13e6f7986b9d1eff55fe30133592c40

SHA1
8299d50b76990e9dc7e0a8cc67e2f4d44cb810f5

SHA256
407e9094206a37707a368f4cd0103269c50b8c0c03edba87b4f20664d259f207

SHA512
bb41209d410ff38c01279d119f646658e363a3055a4f152b6a2c76b9cdb1fb42441b243fa8f7fb7a353a1b0e78c619e499274185f40d8592e43551da46bd97a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f000766.exe

Filesize
4.7MB

MD5
4645adc87acf83b55edff3c5ce2fc28e

SHA1
4953795cc90315cf7004b8f71718f117887b8c91

SHA256
5a03eb8534caf92f4c3d7896d1af7fe61292b5f0995567be8c783ab28c3b74f8

SHA512
3d8853dd1f28062f7554628565bc62e42296b0ab69da28665bf29771d78c50fdcdb2432aea09dbeb69d935e0dcf6d3b703af8ba1b7a0aed70b5be93b7959c602

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RambledMimets.exe

Filesize
192KB

MD5
b61258fc3045c3f1b9fe022d219e6f74

SHA1
3e7433220dafbab335ebc36c1fc27b66befdd756

SHA256
416d53d984d2dfddc81bfa4969bc23beb851c4417e7c0240f4541776ea342731

SHA512
2d0e80362123a6eb4391c3d88be3351468bd8b38164fec4c42eaed7f62cdecfbb572208f503d663ae2f79bc7e0d7c42554db34c0b9592bee20f82870b2aa307d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe

Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gold.exe

Filesize
1.2MB

MD5
0b7e08a8268a6d413a322ff62d389bf9

SHA1
e04b849cc01779fe256744ad31562aca833a82c1

SHA256
d23a10b3ff0c565ea8ee7f54bcded0582e1e621ebad69d4523d6746f6d8e0e65

SHA512
3d226673e30bbbc27e0a5a6c64bf81eca475c697486b20141df7975bef97901d4865b88f41937f5e3dd00b437f24f91493f80cb69aa366b7a49cd17b26197ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\leadiadequatepro.exe

Filesize
14.1MB

MD5
b149f82964b1e269ade2686612a9e777

SHA1
9ccccc1fe6c947dcbc779624ffa9a0fd1b7e7790

SHA256
9f2c70239fe518552ee44423564b075a85e0fc1e7bd80dc233bcc1f882ffceb9

SHA512
5c07589d51c21310415fb2fd616ac6fe23b1ec7e26007b6a3d2ce948bcbc3613db14bbc5686f5f352fb614cea00b3af657d1d6a9e2a078c3487d345d145ec2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe

Filesize
15.0MB

MD5
3bcb9a06b0a213eef96cbd772f127a48

SHA1
359470a98c701fef2490efb9e92f6715f7b1975e

SHA256
563f37e8208427a38cde013f785d2a4cbb9aac29e93dc1233d28b9762d3eddec

SHA512
60431dd4aa91c43dadfbcb698cf1b6590b098fbd3b41c37fdcc22dc13a9a9085cfd38182bbbc9ef68a22070029d7613359d938a8fe6827ae7107376ded8022ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update_3.exe

Filesize
323KB

MD5
3cdf1bdf2bed57fb7cf7f683bfb59678

SHA1
44aefd13d974c1c6cc606f09936e6f915d85d477

SHA256
cc10ccbaa239e9eece4cbc144315a6782ad5f3ec07850da92e5ad59b945ea4a8

SHA512
f23af16f4183062930eb30e4f4ec45b9bec92c42ccd4af2fb7c0bfdeb5fcab4f8d4d71157ee0ca114fb7dc7839e7beabd98d5ce32b2553a8419a1690fb742425

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\victor.exe

Filesize
312KB

MD5
01cff6fb725465d86284505028b42cfd

SHA1
f9182ea73fe1f80a41ba996ed9d00548c95abbcf

SHA256
3814ef98c5c16988df008a989038faf39943b32fb9687dc9347ac16df722e4cd

SHA512
ecf4e2e236dd55032c5e0ea4048557463519036279b586d53a1ef4ea50df049651385bbc11c55d515a73d6f568ea28080513035273de524466eae72b46461088

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe

Filesize
464KB

MD5
44f814be76122897ef325f8938f8e4cf

SHA1
5f338e940d1ee1fa89523d13a0b289912e396d23

SHA256
2899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6

SHA512
daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\leadadequate.exe

Filesize
14.6MB

MD5
938ea9e68b80a685337ed40667037a21

SHA1
520a3984265c13d4f289eb162f5a25108a9b7d9c

SHA256
2cbf1a9a727ec04dc73f38be06befd8e3d162346807afb95ae1189cbd8376a19

SHA512
e756f76dca6a6aacb7b5e1b017be4d583890c13f41059f3a4a5da24733f0b141c7d074a5a4b032275b03bac331c628f008d0178e85e53d348d506a8c50255c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\leadiadequate.exe

Filesize
16.4MB

MD5
40f6d61aae921cc7ec31836a7fac3c2a

SHA1
fcb93eb39a221d68978f3943acba0699e032a16c

SHA256
e8cabc3a065dd38f596cfc67ae3231dc728a35125b2d1677c73b3682dcaa9b29

SHA512
22cb185a1f492d4d695702605a26f4b8ad154b0a6130297cbb705462043dee7d07e85f9f8637381e574e8f7970d747ff7ab136ebc1c01a5695eef5df84dee6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnwkwa11.ehe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv59B.tmp\System.dll

Filesize
23KB

MD5
8643641707ff1e4a3e1dfda207b2db72

SHA1
f6d766caa9cafa533a04dd00e34741d276325e13

SHA256
d1b94797529c414b9d058c17dbd10c989eef59b1fa14eea7f61790d7cfa7fd25

SHA512
cc8e07395419027914a6d4b3842ac7d4f14e3ec8be319bfe5c81f70bcf757f8c35f0aaeb985c240b6ecc71fc3e71b9f697ccda6e71f84ac4930adf5eac801181

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv59B.tmp\nsDialogs.dll

Filesize
11KB

MD5
79a0bde19e949a8d90df271ca6e79cd2

SHA1
946ad18a59c57a11356dd9841bec29903247bb98

SHA256
8353f495064aaf30b32b02f5d935c21f86758f5a99d8ee5e8bf8077b907fad90

SHA512
2a65a48f5dd453723146babca8d047e112ab023a589c57fcf5441962f2846a262c2ad25a2985dba4f2246cdc21d973cbf5e426d4b75dd49a083635400f908a3e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
c5c1cc2c6566136f534b3748d2871682

SHA1
690b44b22713ef94991b06afebb68ce797d22851

SHA256
d6a6e4ff48920f3b32025642152e279634305a640c2213b65c649dcec18bdc6c

SHA512
2522d2d5c974ce288e1fc39dcd6663a2b89001a3958b6e72869bfd46da4efbacee4821c461c1d62237e3a49211cee2792d3c3a32e8e4102ac57da842e2bdc919

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
4e545fe0dc4bc8f3d044bde0d47dea73

SHA1
fcc1c1304bfd397d844a446ed33530d6513dc23f

SHA256
8dbf37f8b25d8a13427ea0f2e6bf220b96f2564e4db64b479f25c2dfd6ff3bf6

SHA512
7f1617bd6b369e9acf50883d6e8099b3b1fccba500e266f31cebbc243064f45553536a7a213a2e1afc29ad3cc50ba2f3ec75a968b356ed4cdd2585c75e87c7e3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
d490db7f9137ced875e0b6c04d00788b

SHA1
313d8abf7ae5712c0b770493f09d018a26e0b82e

SHA256
924eab411b6fac17d378442d2359899d5f4229221b129d9b178cc0001637f8ba

SHA512
28228f6ebc557af15eae16d60bb07c841ecf28b794ae3a56f2b7066cc830814adebcae4b3f38ef8039ce9d8ecdc9aae47cc2f74dead86afef49ddcf667b75cae

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
48e7f6e8897cd5e3d271245d836cc9ce

SHA1
6894f3d67a8282f6e4425d7a9eb630ff2a07df53

SHA256
7bbcc49be3681fd20d8eedacf29019e75b0c4ec3952d90938833715278bf37f6

SHA512
c3dee796e59826910f37bbd28be00e9ccaa981968283facb22fee51660e9f496bab91bf2df7bb6638fceeacd02ba5b5cb40bb98c72d8b0a7fe740c4a1c258b1c

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f62027ddad3fd73192bd8a0362393509

SHA1
381faa5713cabbfb722f850f56641b7116f8c1c2

SHA256
40f10ac834ad8f4162f47b02ae084ee53ef431ac5df74bf793a3b6c9f1bd1d51

SHA512
d6ec8cd0f826fe9fd4d55978f14f4b701b5dc603dcefadbf1db6c2b4a15c09789e090f5da689893d2732d3e96041267fe2ee5196558ad95c6c4769913cfea71f

Download Submit
memory/980-17122-0x000000006ED30000-0x000000006ED7C000-memory.dmp

Filesize
304KB

Download
memory/980-17139-0x0000000007700000-0x0000000007711000-memory.dmp

Filesize
68KB

Download
memory/980-17140-0x0000000007750000-0x0000000007764000-memory.dmp

Filesize
80KB

Download
memory/980-17133-0x0000000007400000-0x00000000074A3000-memory.dmp

Filesize
652KB

Download
memory/980-17123-0x000000006E100000-0x000000006E454000-memory.dmp

Filesize
3.3MB

Download
memory/980-17121-0x00000000061D0000-0x000000000621C000-memory.dmp

Filesize
304KB

Download
memory/1192-14887-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1192-17107-0x0000000005530000-0x0000000005538000-memory.dmp

Filesize
32KB

Download
memory/1192-17108-0x0000000005540000-0x0000000005596000-memory.dmp

Filesize
344KB

Download
memory/1192-14888-0x0000000005340000-0x0000000005428000-memory.dmp

Filesize
928KB

Download
memory/1544-17342-0x0000000009730000-0x00000000099E6000-memory.dmp

Filesize
2.7MB

Download
memory/1544-17321-0x00000000064E0000-0x0000000006572000-memory.dmp

Filesize
584KB

Download
memory/1544-17320-0x0000000000BD0000-0x0000000001C38000-memory.dmp

Filesize
16.4MB

Download
memory/2040-9936-0x00000255F18C0000-0x00000255F197A000-memory.dmp

Filesize
744KB

Download
memory/2040-2318-0x00000255F2420000-0x00000255F269E000-memory.dmp

Filesize
2.5MB

Download
memory/2040-971-0x00000255EE440000-0x00000255EF2E4000-memory.dmp

Filesize
14.6MB

Download
memory/2172-17252-0x000000006F580000-0x000000006F5CC000-memory.dmp

Filesize
304KB

Download
memory/2172-17253-0x000000006E100000-0x000000006E454000-memory.dmp

Filesize
3.3MB

Download
memory/2396-118-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-114-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-112-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-120-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-84-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-86-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-88-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-92-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-102-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-106-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-96-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-98-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-59-0x0000000000900000-0x0000000000E5A000-memory.dmp

Filesize
5.4MB

Download
memory/2396-60-0x0000000005810000-0x0000000005CC0000-memory.dmp

Filesize
4.7MB

Download
memory/2396-100-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-9934-0x0000000004FE0000-0x000000000502C000-memory.dmp

Filesize
304KB

Download
memory/2396-9933-0x00000000071B0000-0x000000000749C000-memory.dmp

Filesize
2.9MB

Download
memory/2396-61-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-64-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-66-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-82-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-104-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-108-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-9963-0x0000000008830000-0x0000000008884000-memory.dmp

Filesize
336KB

Download
memory/2396-9962-0x0000000009500000-0x0000000009AA4000-memory.dmp

Filesize
5.6MB

Download
memory/2396-94-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-90-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-80-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-78-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-74-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-76-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-72-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-70-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-68-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-62-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-110-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2396-116-0x0000000005810000-0x0000000005CBB000-memory.dmp

Filesize
4.7MB

Download
memory/2504-17182-0x000000006F580000-0x000000006F5CC000-memory.dmp

Filesize
304KB

Download
memory/2504-17183-0x000000006E100000-0x000000006E454000-memory.dmp

Filesize
3.3MB

Download
memory/2564-17202-0x000001B6D3E10000-0x000001B6D3E32000-memory.dmp

Filesize
136KB

Download
memory/2792-17170-0x0000000005800000-0x0000000005814000-memory.dmp

Filesize
80KB

Download
memory/2792-17155-0x000000006E100000-0x000000006E454000-memory.dmp

Filesize
3.3MB

Download
memory/2792-17154-0x000000006F580000-0x000000006F5CC000-memory.dmp

Filesize
304KB

Download
memory/2792-17169-0x0000000007390000-0x00000000073A1000-memory.dmp

Filesize
68KB

Download
memory/3116-24-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/3640-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/3640-3-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3640-2-0x0000000004DB0000-0x0000000004E4C000-memory.dmp

Filesize
624KB

Download
memory/3640-46-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/3640-47-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3640-1-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/4104-238-0x0000000000EA0000-0x0000000001350000-memory.dmp

Filesize
4.7MB

Download
memory/4156-17226-0x000000006E100000-0x000000006E454000-memory.dmp

Filesize
3.3MB

Download
memory/4156-17225-0x000000006F580000-0x000000006F5CC000-memory.dmp

Filesize
304KB

Download
memory/4200-14-0x0000000000600000-0x000000000064D000-memory.dmp

Filesize
308KB

Download
memory/4200-37-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4200-36-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4200-13-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/4200-15-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4532-13505-0x000000006E100000-0x000000006E454000-memory.dmp

Filesize
3.3MB

Download
memory/4532-13536-0x00000000075D0000-0x00000000075EE000-memory.dmp

Filesize
120KB

Download
memory/4532-13874-0x0000000007820000-0x00000000078B6000-memory.dmp

Filesize
600KB

Download
memory/4532-9973-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/4532-14266-0x0000000007470000-0x0000000007481000-memory.dmp

Filesize
68KB

Download
memory/4532-10867-0x0000000007000000-0x0000000007044000-memory.dmp

Filesize
272KB

Download
memory/4532-11857-0x0000000007330000-0x00000000073A6000-memory.dmp

Filesize
472KB

Download
memory/4532-12314-0x00000000073E0000-0x00000000073FA000-memory.dmp

Filesize
104KB

Download
memory/4532-9941-0x00000000058D0000-0x0000000005C24000-memory.dmp

Filesize
3.3MB

Download
memory/4532-12310-0x0000000007A30000-0x00000000080AA000-memory.dmp

Filesize
6.5MB

Download
memory/4532-13478-0x000000006F580000-0x000000006F5CC000-memory.dmp

Filesize
304KB

Download
memory/4532-9938-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/4532-9939-0x0000000004FF0000-0x0000000005056000-memory.dmp

Filesize
408KB

Download
memory/4532-9940-0x0000000005060000-0x00000000050C6000-memory.dmp

Filesize
408KB

Download
memory/4532-9935-0x00000000052A0000-0x00000000058C8000-memory.dmp

Filesize
6.2MB

Download
memory/4532-14881-0x0000000007760000-0x000000000776E000-memory.dmp

Filesize
56KB

Download
memory/4532-13462-0x0000000007590000-0x00000000075C2000-memory.dmp

Filesize
200KB

Download
memory/4532-9932-0x0000000002A90000-0x0000000002AC6000-memory.dmp

Filesize
216KB

Download
memory/4532-13635-0x00000000072C0000-0x00000000072CA000-memory.dmp

Filesize
40KB

Download
memory/4532-13537-0x00000000075F0000-0x0000000007693000-memory.dmp

Filesize
652KB

Download
memory/4532-14985-0x00000000077B0000-0x00000000077B8000-memory.dmp

Filesize
32KB

Download
memory/4532-14889-0x00000000077C0000-0x00000000077DA000-memory.dmp

Filesize
104KB

Download
memory/4532-9971-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/4532-14886-0x0000000007780000-0x0000000007794000-memory.dmp

Filesize
80KB

Download
memory/5344-17279-0x000000006E100000-0x000000006E454000-memory.dmp

Filesize
3.3MB

Download
memory/5344-17278-0x000000006F580000-0x000000006F5CC000-memory.dmp

Filesize
304KB

Download
memory/5944-14880-0x00000000052B0000-0x00000000053A4000-memory.dmp

Filesize
976KB

Download
memory/5944-9961-0x0000000000250000-0x00000000005B0000-memory.dmp

Filesize
3.4MB

Download
memory/5944-9972-0x0000000004DE0000-0x0000000005098000-memory.dmp

Filesize
2.7MB

Download