azorult | 63cff2624610c0ba77145f4ca69ca649dd063e5da23b6f9534ffc643fe30b203

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7v20210408
submitted
05-10-2021 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d907de96adcb7c400834d974754ece57.exe
Size

2.1MB
MD5

d907de96adcb7c400834d974754ece57
SHA1

89cf58eb2fb76d42a1283c8068ac36adcc9d66c9
SHA256

63cff2624610c0ba77145f4ca69ca649dd063e5da23b6f9534ffc643fe30b203
SHA512

02c1fe42f9729539d1181542899399cb779764f178dd0fff005a44e20f50cecd7b3a09e8d36488a192c68f6783973b9b62614e948513dc29df77ca4866b0783e

Score

10^/10

azorult oski raccoon e16d9c3413a8d3bc552d87560e5a14148908608d discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Version

1.8.1

Botnet

e16d9c3413a8d3bc552d87560e5a14148908608d

Attributes

url4cnc
https://t.me/brikitiki

rc4.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

milsom.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

Processes:

Jscxuucrnkfaconsoleapp17.exeJscxuucrnkfaconsoleapp17.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exe

pid	process
1996	Jscxuucrnkfaconsoleapp17.exe
1524	Jscxuucrnkfaconsoleapp17.exe
1568	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
1388	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe

Loads dropped DLL 9 IoCs

Processes:

WScript.exeJscxuucrnkfaconsoleapp17.exeWScript.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exe

pid	process
804	WScript.exe
1996	Jscxuucrnkfaconsoleapp17.exe
1956	WScript.exe
1568	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
1388	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
1388	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
1388	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
1388	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
1388	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

d907de96adcb7c400834d974754ece57.exeJscxuucrnkfaconsoleapp17.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exe

description	pid	process	target process
PID 1080 set thread context of 1600	1080	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 1996 set thread context of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1568 set thread context of 1388	1568	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 1 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1860 taskkill.exe

pid	process
1860	taskkill.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exed907de96adcb7c400834d974754ece57.exepowershell.exepowershell.exeJscxuucrnkfaconsoleapp17.exepowershell.exepowershell.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exe

pid	process
1484	powershell.exe
1484	powershell.exe
1524	powershell.exe
1524	powershell.exe
1080	d907de96adcb7c400834d974754ece57.exe
1080	d907de96adcb7c400834d974754ece57.exe
1080	d907de96adcb7c400834d974754ece57.exe
336	powershell.exe
336	powershell.exe
1412	powershell.exe
1412	powershell.exe
1996	Jscxuucrnkfaconsoleapp17.exe
1996	Jscxuucrnkfaconsoleapp17.exe
1996	Jscxuucrnkfaconsoleapp17.exe
2036	powershell.exe
2036	powershell.exe
1816	powershell.exe
1816	powershell.exe
1568	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
1568	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
1568	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exed907de96adcb7c400834d974754ece57.exepowershell.exepowershell.exeJscxuucrnkfaconsoleapp17.exepowershell.exepowershell.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1080	d907de96adcb7c400834d974754ece57.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1996	Jscxuucrnkfaconsoleapp17.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1568	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
Token: SeDebugPrivilege	1860	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d907de96adcb7c400834d974754ece57.exeWScript.exeJscxuucrnkfaconsoleapp17.exeWScript.exeGhbauogxqhiavkucqejhjxjfoconsoleapp14.exe

description	pid	process	target process
PID 1080 wrote to memory of 1484	1080	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 1080 wrote to memory of 1484	1080	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 1080 wrote to memory of 1484	1080	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 1080 wrote to memory of 1484	1080	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 1080 wrote to memory of 1524	1080	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 1080 wrote to memory of 1524	1080	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 1080 wrote to memory of 1524	1080	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 1080 wrote to memory of 1524	1080	d907de96adcb7c400834d974754ece57.exe	powershell.exe
PID 1080 wrote to memory of 804	1080	d907de96adcb7c400834d974754ece57.exe	WScript.exe
PID 1080 wrote to memory of 804	1080	d907de96adcb7c400834d974754ece57.exe	WScript.exe
PID 1080 wrote to memory of 804	1080	d907de96adcb7c400834d974754ece57.exe	WScript.exe
PID 1080 wrote to memory of 804	1080	d907de96adcb7c400834d974754ece57.exe	WScript.exe
PID 1080 wrote to memory of 1600	1080	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 1080 wrote to memory of 1600	1080	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 1080 wrote to memory of 1600	1080	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 1080 wrote to memory of 1600	1080	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 1080 wrote to memory of 1600	1080	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 1080 wrote to memory of 1600	1080	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 1080 wrote to memory of 1600	1080	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 1080 wrote to memory of 1600	1080	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 1080 wrote to memory of 1600	1080	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 1080 wrote to memory of 1600	1080	d907de96adcb7c400834d974754ece57.exe	d907de96adcb7c400834d974754ece57.exe
PID 804 wrote to memory of 1996	804	WScript.exe	Jscxuucrnkfaconsoleapp17.exe
PID 804 wrote to memory of 1996	804	WScript.exe	Jscxuucrnkfaconsoleapp17.exe
PID 804 wrote to memory of 1996	804	WScript.exe	Jscxuucrnkfaconsoleapp17.exe
PID 804 wrote to memory of 1996	804	WScript.exe	Jscxuucrnkfaconsoleapp17.exe
PID 804 wrote to memory of 1996	804	WScript.exe	Jscxuucrnkfaconsoleapp17.exe
PID 804 wrote to memory of 1996	804	WScript.exe	Jscxuucrnkfaconsoleapp17.exe
PID 804 wrote to memory of 1996	804	WScript.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 336	1996	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1996 wrote to memory of 336	1996	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1996 wrote to memory of 336	1996	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1996 wrote to memory of 336	1996	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1996 wrote to memory of 1412	1996	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1996 wrote to memory of 1412	1996	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1996 wrote to memory of 1412	1996	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1996 wrote to memory of 1412	1996	Jscxuucrnkfaconsoleapp17.exe	powershell.exe
PID 1996 wrote to memory of 1956	1996	Jscxuucrnkfaconsoleapp17.exe	WScript.exe
PID 1996 wrote to memory of 1956	1996	Jscxuucrnkfaconsoleapp17.exe	WScript.exe
PID 1996 wrote to memory of 1956	1996	Jscxuucrnkfaconsoleapp17.exe	WScript.exe
PID 1996 wrote to memory of 1956	1996	Jscxuucrnkfaconsoleapp17.exe	WScript.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1996 wrote to memory of 1524	1996	Jscxuucrnkfaconsoleapp17.exe	Jscxuucrnkfaconsoleapp17.exe
PID 1956 wrote to memory of 1568	1956	WScript.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
PID 1956 wrote to memory of 1568	1956	WScript.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
PID 1956 wrote to memory of 1568	1956	WScript.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
PID 1956 wrote to memory of 1568	1956	WScript.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
PID 1956 wrote to memory of 1568	1956	WScript.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
PID 1956 wrote to memory of 1568	1956	WScript.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
PID 1956 wrote to memory of 1568	1956	WScript.exe	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
PID 1568 wrote to memory of 2036	1568	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe	powershell.exe
PID 1568 wrote to memory of 2036	1568	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe	powershell.exe
PID 1568 wrote to memory of 2036	1568	Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
"C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Yfqxiynzbvwsbkccphx.vbs"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
"C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Cwlbjrmtqffwwhsmok.vbs"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
"C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 10
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /pid 1388 & erase C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe & RD /S /Q C:\\ProgramData\\195315300937508\\* & exit
7⤵
PID:1972

C:\Windows\SysWOW64\taskkill.exe
taskkill /pid 1388
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
4⤵
- Executes dropped EXE
PID:1524

C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
C:\Users\Admin\AppData\Local\Temp\d907de96adcb7c400834d974754ece57.exe
2⤵
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
9bdf7f258bc0939237592f64c8183355

SHA1
3c8ffdd84cb3cdc0623d7bb2f5132df3e1e14e35

SHA256
2d79346f9531b70803f51ba381e1040bd1e1cad7779c37e10b8373c809977999

SHA512
082e079c2b17bd9491731aecb20cf924cfdcc78b5e0c23e1e6b6eb3664796778cf6e9876a2e2b3addd67c5685de8682669c8e8e4cc15bde272dc284ec2322d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cwlbjrmtqffwwhsmok.vbs
MD5
d607d837434d8a735db349c03e974fe8

SHA1
2a2150c2dc9f8daf480f4bd31990f5422cca5183

SHA256
5aba0566e48f9408c1d5f27997ed6e6cdefa33cc41f9254d8c9a4ec20b8ab056

SHA512
76bdc153ed888ab8806c0398dc6baa0f6b48cc90abbb1afea3a33cf6a606b84ddbe2cea7bc08e86b6ec2b2e96c9a75832f47172ab36161dff886d12378794d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
MD5
6c4640762a587011c9afbe5d9431e187

SHA1
4fce7fc0f242de8201b46f10b209b27041cc9ef6

SHA256
d51879fd5d54afb39fe027677503d46058b0dfbd8b8c8f6eafc891b05b7a3aef

SHA512
28c4f6e855b03fc7e770c8bedf1c7fd6e685c2b7275dfd8aae48b3ea106007f39df5bea596b44005fb9f3058fcabc51739d62932ce27f8392e5c3273bc2bc7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
MD5
6c4640762a587011c9afbe5d9431e187

SHA1
4fce7fc0f242de8201b46f10b209b27041cc9ef6

SHA256
d51879fd5d54afb39fe027677503d46058b0dfbd8b8c8f6eafc891b05b7a3aef

SHA512
28c4f6e855b03fc7e770c8bedf1c7fd6e685c2b7275dfd8aae48b3ea106007f39df5bea596b44005fb9f3058fcabc51739d62932ce27f8392e5c3273bc2bc7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
MD5
6c4640762a587011c9afbe5d9431e187

SHA1
4fce7fc0f242de8201b46f10b209b27041cc9ef6

SHA256
d51879fd5d54afb39fe027677503d46058b0dfbd8b8c8f6eafc891b05b7a3aef

SHA512
28c4f6e855b03fc7e770c8bedf1c7fd6e685c2b7275dfd8aae48b3ea106007f39df5bea596b44005fb9f3058fcabc51739d62932ce27f8392e5c3273bc2bc7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
MD5
7f81c20b2808d92704fc8b4557114e6a

SHA1
3dc8bdc97f644739f560706ada6e3cc046bc5492

SHA256
c2002b69bedabbd48f0f0f1259ffe1928fe83671940587994c3bf46cbfdcfd07

SHA512
98377aff59a9ee0d4187d2b6dd6bb1da5b8501008233ec5aff402a2b6f4aa70a164e16cc39e43cc0b06024df67d1f62fd4549dc755c2122b0365cbd1e9d09be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
MD5
7f81c20b2808d92704fc8b4557114e6a

SHA1
3dc8bdc97f644739f560706ada6e3cc046bc5492

SHA256
c2002b69bedabbd48f0f0f1259ffe1928fe83671940587994c3bf46cbfdcfd07

SHA512
98377aff59a9ee0d4187d2b6dd6bb1da5b8501008233ec5aff402a2b6f4aa70a164e16cc39e43cc0b06024df67d1f62fd4549dc755c2122b0365cbd1e9d09be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
MD5
7f81c20b2808d92704fc8b4557114e6a

SHA1
3dc8bdc97f644739f560706ada6e3cc046bc5492

SHA256
c2002b69bedabbd48f0f0f1259ffe1928fe83671940587994c3bf46cbfdcfd07

SHA512
98377aff59a9ee0d4187d2b6dd6bb1da5b8501008233ec5aff402a2b6f4aa70a164e16cc39e43cc0b06024df67d1f62fd4549dc755c2122b0365cbd1e9d09be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yfqxiynzbvwsbkccphx.vbs
MD5
5cf439cacfb9b463e1934e96e627d9c3

SHA1
82c194d1a7536ebbcd51bececc513b12d0a7b46f

SHA256
66d47ac86775468e2e4cb7b02025067660338ddaeb13cead03a21d68aec102e5

SHA512
fa7a1aa8cb40a802ebf7b0807d9b28423a64cbf9528df91d545857606eee2d34dc6fbeb55f6131a5cbeca9013c4602b91327859d1c67b8eb6bcec603b47d5333

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
25a5784b76e20087c1dd9b6e36fcf51c

SHA1
79fa78b6fb9b7ff43132274b692265fb3139eff7

SHA256
6aa01f3d279a430c1f031fd6e09588fbf1c556f74d88ba3e3d5059a945b7141f

SHA512
ef428d7a7edfe7283f72a3b9cb36c71c5b34721035ba3e2742c243823c03b29b23deedd5407ceb00b0c94ef3baccd2800839425210d92a1dcb9c9625951d6739

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
25a5784b76e20087c1dd9b6e36fcf51c

SHA1
79fa78b6fb9b7ff43132274b692265fb3139eff7

SHA256
6aa01f3d279a430c1f031fd6e09588fbf1c556f74d88ba3e3d5059a945b7141f

SHA512
ef428d7a7edfe7283f72a3b9cb36c71c5b34721035ba3e2742c243823c03b29b23deedd5407ceb00b0c94ef3baccd2800839425210d92a1dcb9c9625951d6739

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
25a5784b76e20087c1dd9b6e36fcf51c

SHA1
79fa78b6fb9b7ff43132274b692265fb3139eff7

SHA256
6aa01f3d279a430c1f031fd6e09588fbf1c556f74d88ba3e3d5059a945b7141f

SHA512
ef428d7a7edfe7283f72a3b9cb36c71c5b34721035ba3e2742c243823c03b29b23deedd5407ceb00b0c94ef3baccd2800839425210d92a1dcb9c9625951d6739

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
25a5784b76e20087c1dd9b6e36fcf51c

SHA1
79fa78b6fb9b7ff43132274b692265fb3139eff7

SHA256
6aa01f3d279a430c1f031fd6e09588fbf1c556f74d88ba3e3d5059a945b7141f

SHA512
ef428d7a7edfe7283f72a3b9cb36c71c5b34721035ba3e2742c243823c03b29b23deedd5407ceb00b0c94ef3baccd2800839425210d92a1dcb9c9625951d6739

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
25a5784b76e20087c1dd9b6e36fcf51c

SHA1
79fa78b6fb9b7ff43132274b692265fb3139eff7

SHA256
6aa01f3d279a430c1f031fd6e09588fbf1c556f74d88ba3e3d5059a945b7141f

SHA512
ef428d7a7edfe7283f72a3b9cb36c71c5b34721035ba3e2742c243823c03b29b23deedd5407ceb00b0c94ef3baccd2800839425210d92a1dcb9c9625951d6739

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
MD5
6c4640762a587011c9afbe5d9431e187

SHA1
4fce7fc0f242de8201b46f10b209b27041cc9ef6

SHA256
d51879fd5d54afb39fe027677503d46058b0dfbd8b8c8f6eafc891b05b7a3aef

SHA512
28c4f6e855b03fc7e770c8bedf1c7fd6e685c2b7275dfd8aae48b3ea106007f39df5bea596b44005fb9f3058fcabc51739d62932ce27f8392e5c3273bc2bc7ea

Download Submit
\Users\Admin\AppData\Local\Temp\Ghbauogxqhiavkucqejhjxjfoconsoleapp14.exe
MD5
6c4640762a587011c9afbe5d9431e187

SHA1
4fce7fc0f242de8201b46f10b209b27041cc9ef6

SHA256
d51879fd5d54afb39fe027677503d46058b0dfbd8b8c8f6eafc891b05b7a3aef

SHA512
28c4f6e855b03fc7e770c8bedf1c7fd6e685c2b7275dfd8aae48b3ea106007f39df5bea596b44005fb9f3058fcabc51739d62932ce27f8392e5c3273bc2bc7ea

Download Submit
\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
MD5
7f81c20b2808d92704fc8b4557114e6a

SHA1
3dc8bdc97f644739f560706ada6e3cc046bc5492

SHA256
c2002b69bedabbd48f0f0f1259ffe1928fe83671940587994c3bf46cbfdcfd07

SHA512
98377aff59a9ee0d4187d2b6dd6bb1da5b8501008233ec5aff402a2b6f4aa70a164e16cc39e43cc0b06024df67d1f62fd4549dc755c2122b0365cbd1e9d09be5

Download Submit
\Users\Admin\AppData\Local\Temp\Jscxuucrnkfaconsoleapp17.exe
MD5
7f81c20b2808d92704fc8b4557114e6a

SHA1
3dc8bdc97f644739f560706ada6e3cc046bc5492

SHA256
c2002b69bedabbd48f0f0f1259ffe1928fe83671940587994c3bf46cbfdcfd07

SHA512
98377aff59a9ee0d4187d2b6dd6bb1da5b8501008233ec5aff402a2b6f4aa70a164e16cc39e43cc0b06024df67d1f62fd4549dc755c2122b0365cbd1e9d09be5

Download Submit
memory/336-132-0x0000000000B32000-0x0000000000B33000-memory.dmp

Filesize
4KB

Download
memory/336-131-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/336-129-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/336-125-0x0000000000000000-mapping.dmp

Download
memory/336-130-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/336-128-0x00000000020F0000-0x00000000020F1000-memory.dmp

Filesize
4KB

Download
memory/336-134-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/336-133-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/804-109-0x0000000000000000-mapping.dmp

Download
memory/1080-60-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1080-108-0x0000000005860000-0x0000000005A76000-memory.dmp

Filesize
2.1MB

Download
memory/1080-118-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/1080-62-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1080-110-0x0000000004A50000-0x0000000004AA7000-memory.dmp

Filesize
348KB

Download
memory/1388-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1388-189-0x0000000000417A8B-mapping.dmp

Download
memory/1412-141-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1412-138-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1412-144-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/1412-143-0x00000000049F2000-0x00000000049F3000-memory.dmp

Filesize
4KB

Download
memory/1412-142-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/1412-140-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1412-139-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1412-135-0x0000000000000000-mapping.dmp

Download
memory/1484-65-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/1484-73-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/1484-70-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/1484-66-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/1484-88-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/1484-67-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1484-68-0x0000000004852000-0x0000000004853000-memory.dmp

Filesize
4KB

Download
memory/1484-69-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/1484-78-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1484-79-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1484-80-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1484-63-0x0000000000000000-mapping.dmp

Download
memory/1484-87-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1524-89-0x0000000000000000-mapping.dmp

Download
memory/1524-152-0x000000000041A684-mapping.dmp

Download
memory/1524-151-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1524-95-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/1524-107-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1524-92-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1524-97-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1524-94-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1524-96-0x0000000004962000-0x0000000004963000-memory.dmp

Filesize
4KB

Download
memory/1524-161-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1524-93-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1568-160-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1568-192-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/1568-157-0x0000000000000000-mapping.dmp

Download
memory/1600-120-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1600-111-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1600-112-0x00000000004407D8-mapping.dmp

Download
memory/1816-175-0x0000000000000000-mapping.dmp

Download
memory/1816-179-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1816-181-0x0000000004A82000-0x0000000004A83000-memory.dmp

Filesize
4KB

Download
memory/1860-200-0x0000000000000000-mapping.dmp

Download
memory/1956-146-0x0000000000000000-mapping.dmp

Download
memory/1972-199-0x0000000000000000-mapping.dmp

Download
memory/1996-147-0x0000000000BA0000-0x0000000000BBB000-memory.dmp

Filesize
108KB

Download
memory/1996-145-0x0000000005380000-0x00000000054B8000-memory.dmp

Filesize
1.2MB

Download
memory/1996-119-0x0000000000000000-mapping.dmp

Download
memory/1996-159-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1996-122-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/2036-168-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2036-164-0x0000000000000000-mapping.dmp

Download
memory/2036-170-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2036-169-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/2036-173-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2036-172-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/2036-171-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download