373701ff7f7c7d49e6af3ebb5178e907a59464c20c81052c67bd5d86168d817e

Analysis

max time kernel
131s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2022 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kom.exe
Size

219KB
MD5

72d102a163f41aceb6a3aae9154445ed
SHA1

1a65685e52f6269a2370e44d5a2dca82ac892795
SHA256

373701ff7f7c7d49e6af3ebb5178e907a59464c20c81052c67bd5d86168d817e
SHA512

1c4bea8fa1513c3ef65df1196d4fb4d6fc7b49d3c6ae031e58bd91f52eeedf6fc617b071788f0ce62110ecc6e5f779f1215b52355aac1621a46707c5e27ebe8f
SSDEEP

6144:P3hqLCa8aAYFHHHHHHHHHHv8BVBb9aAqQwSBjfaRYVHlxxSXp5K:P3zCFHHHHHHHHHHvCBb9ZqEjfuYVdSXK

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 55 IoCs

pid	Process
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe
2228	kom.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3256	powershell.exe
3256	powershell.exe
1284	powershell.exe
1284	powershell.exe
4136	powershell.exe
4136	powershell.exe
360	powershell.exe
360	powershell.exe
2136	powershell.exe
2136	powershell.exe
3228	powershell.exe
3228	powershell.exe
4740	powershell.exe
4740	powershell.exe
5060	powershell.exe
5060	powershell.exe
2444	powershell.exe
2444	powershell.exe
2288	powershell.exe
2288	powershell.exe
4992	powershell.exe
4992	powershell.exe
64	powershell.exe
64	powershell.exe
2264	powershell.exe
2264	powershell.exe
1344	powershell.exe
1344	powershell.exe
1856	powershell.exe
1856	powershell.exe
864	powershell.exe
864	powershell.exe
3124	powershell.exe
3124	powershell.exe
2364	powershell.exe
2364	powershell.exe
4876	powershell.exe
4876	powershell.exe
4792	powershell.exe
4792	powershell.exe
212	powershell.exe
212	powershell.exe
4988	powershell.exe
4988	powershell.exe
2124	powershell.exe
2124	powershell.exe
4644	powershell.exe
4644	powershell.exe
4668	powershell.exe
4668	powershell.exe
4656	powershell.exe
4656	powershell.exe
1740	powershell.exe
1740	powershell.exe
2972	powershell.exe
2972	powershell.exe
3788	powershell.exe
3788	powershell.exe
1960	powershell.exe
1960	powershell.exe
1720	powershell.exe
1720	powershell.exe
4276	powershell.exe
4276	powershell.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3256	2228	kom.exe	91
PID 2228 wrote to memory of 3256	2228	kom.exe	91
PID 2228 wrote to memory of 3256	2228	kom.exe	91
PID 2228 wrote to memory of 1284	2228	kom.exe	93
PID 2228 wrote to memory of 1284	2228	kom.exe	93
PID 2228 wrote to memory of 1284	2228	kom.exe	93
PID 2228 wrote to memory of 4136	2228	kom.exe	95
PID 2228 wrote to memory of 4136	2228	kom.exe	95
PID 2228 wrote to memory of 4136	2228	kom.exe	95
PID 2228 wrote to memory of 360	2228	kom.exe	97
PID 2228 wrote to memory of 360	2228	kom.exe	97
PID 2228 wrote to memory of 360	2228	kom.exe	97
PID 2228 wrote to memory of 2136	2228	kom.exe	99
PID 2228 wrote to memory of 2136	2228	kom.exe	99
PID 2228 wrote to memory of 2136	2228	kom.exe	99
PID 2228 wrote to memory of 3228	2228	kom.exe	101
PID 2228 wrote to memory of 3228	2228	kom.exe	101
PID 2228 wrote to memory of 3228	2228	kom.exe	101
PID 2228 wrote to memory of 4740	2228	kom.exe	103
PID 2228 wrote to memory of 4740	2228	kom.exe	103
PID 2228 wrote to memory of 4740	2228	kom.exe	103
PID 2228 wrote to memory of 5060	2228	kom.exe	105
PID 2228 wrote to memory of 5060	2228	kom.exe	105
PID 2228 wrote to memory of 5060	2228	kom.exe	105
PID 2228 wrote to memory of 2444	2228	kom.exe	107
PID 2228 wrote to memory of 2444	2228	kom.exe	107
PID 2228 wrote to memory of 2444	2228	kom.exe	107
PID 2228 wrote to memory of 2288	2228	kom.exe	109
PID 2228 wrote to memory of 2288	2228	kom.exe	109
PID 2228 wrote to memory of 2288	2228	kom.exe	109
PID 2228 wrote to memory of 4992	2228	kom.exe	111
PID 2228 wrote to memory of 4992	2228	kom.exe	111
PID 2228 wrote to memory of 4992	2228	kom.exe	111
PID 2228 wrote to memory of 64	2228	kom.exe	113
PID 2228 wrote to memory of 64	2228	kom.exe	113
PID 2228 wrote to memory of 64	2228	kom.exe	113
PID 2228 wrote to memory of 2264	2228	kom.exe	115
PID 2228 wrote to memory of 2264	2228	kom.exe	115
PID 2228 wrote to memory of 2264	2228	kom.exe	115
PID 2228 wrote to memory of 1344	2228	kom.exe	117
PID 2228 wrote to memory of 1344	2228	kom.exe	117
PID 2228 wrote to memory of 1344	2228	kom.exe	117
PID 2228 wrote to memory of 1856	2228	kom.exe	120
PID 2228 wrote to memory of 1856	2228	kom.exe	120
PID 2228 wrote to memory of 1856	2228	kom.exe	120
PID 2228 wrote to memory of 864	2228	kom.exe	122
PID 2228 wrote to memory of 864	2228	kom.exe	122
PID 2228 wrote to memory of 864	2228	kom.exe	122
PID 2228 wrote to memory of 3124	2228	kom.exe	124
PID 2228 wrote to memory of 3124	2228	kom.exe	124
PID 2228 wrote to memory of 3124	2228	kom.exe	124
PID 2228 wrote to memory of 2364	2228	kom.exe	126
PID 2228 wrote to memory of 2364	2228	kom.exe	126
PID 2228 wrote to memory of 2364	2228	kom.exe	126
PID 2228 wrote to memory of 4876	2228	kom.exe	128
PID 2228 wrote to memory of 4876	2228	kom.exe	128
PID 2228 wrote to memory of 4876	2228	kom.exe	128
PID 2228 wrote to memory of 4792	2228	kom.exe	131
PID 2228 wrote to memory of 4792	2228	kom.exe	131
PID 2228 wrote to memory of 4792	2228	kom.exe	131
PID 2228 wrote to memory of 212	2228	kom.exe	133
PID 2228 wrote to memory of 212	2228	kom.exe	133
PID 2228 wrote to memory of 212	2228	kom.exe	133
PID 2228 wrote to memory of 4988	2228	kom.exe	135

C:\Users\Admin\AppData\Local\Temp\kom.exe
"C:\Users\Admin\AppData\Local\Temp\kom.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6B6570CB -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x656C3197 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A3A41D7 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x656176C0 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x46696EC0 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x41286F85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3228
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x72342289 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20692295 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x78383295 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30303295 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x302C22CC -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20302E85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:64
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x70203289 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20692291 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C206B85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30783A95 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C206B85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30296B8B -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x723322FC -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6B6570CB -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x656C3197 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A3A54CC -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x727477C4 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6C416EC9 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6F632ACC -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x302C6B85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30783395 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30303295 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C206B85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30783195 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30302E85 -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x692032DD -bxor 677
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x34302BD5 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2E7233FC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6B6570CB -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x656C3197 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A3A51C0 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x74466BC9 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x65506DCC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6E7467D7 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x286922D7 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x332C22CC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20323685 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C206B85 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x302C6B85 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30296B8B -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:716
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x723222FC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6B6570CB -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x656C3197 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3A3A50C0 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x616444CC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6C652ACC -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x72332E85 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x69207094 -bxor 677
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C206B85 -bxor 677
  2⤵
  PID:4528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30783395 -bxor 677
  2⤵
  PID:1848
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x30303295 -bxor 677
  2⤵
  PID:3964
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2C2A6B85 -bxor 677
  2⤵
  PID:948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x302C22CC -bxor 677
  2⤵
  PID:1528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x20302BCC -bxor 677
  2⤵
  PID:4344
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x2E7230FC -bxor 677
  2⤵
  PID:4208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x757367D7 -bxor 677
  2⤵
  PID:780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x3332389F -bxor 677
  2⤵
  PID:4492
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x43616EC9 -bxor 677
  2⤵
  PID:640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x57696CC1 -bxor 677
  2⤵
  PID:3052
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6F7752D7 -bxor 677
  2⤵
  PID:3272
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe 0x6F63438D -bxor 677
  2⤵
  PID:2524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
638d3b345e0d725bd96202bb913fcaa2

SHA1
4116aaafd47ac7bb4f0cdd8bd966abe0632587a1

SHA256
9e220afaee7227355b39a6b281e4146db8abbe26fcfff5b5327083b1d19a3131

SHA512
1f3b99373708c9117b4fe41b5fab92ddf202674545110a691a20f521dd12016f82ca3aead5a538198bd69a8b2c1ad605e2e8c20101b318db490fe7ae63f39aea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
8bc7bde49247c42e6399a60d6036d929

SHA1
dbbb8693a0c5cbe4c3e40aee13784ddaef549ef5

SHA256
c19ba06499ffb28f23b651d28fc5129466c6d4122399d5b196d7c90776c2a051

SHA512
e24bdfcb31a9f73e453daea1032bbaf4ff24f1c4c48a126fdf6f4611eadc35c3e8184bc7dd579491a6a5fcc6ddc56e42ffc81f678ca7f6b28baa1d76901e5d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
9943c8a556fe184849366ba45bed4006

SHA1
da95d36d21edbf03a32e07b62467ef67b083164d

SHA256
30658ad24938ed7f80f0510dede26a0727e8c876d7c837bf4a7582363f8b1a74

SHA512
64157d76d466e308d19d9632ec957c21cccfe7c259b172135bd70045f239b608ad377cd4b5b6396c018b51dcb5e3cd573450ca19e1b17b5d2af66fd8525b7c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
e893531dcb1c7ae186c3304750e3beb9

SHA1
75baac1b7416a5a0b51c55cedad05171f5763e4c

SHA256
f430a08e8add882bfed380caf0a822f10a4389e6a08c10ca25294e581f5c56cd

SHA512
5b440779f1ba92f61d577b958cdd59a479d998370d8c60907748ca6c29709e7708bc853d2a6e0dfbc41c881335e798dbab43f585ff98eae6f0e6fb40e16a4b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
e62d42a5d514b86a76557238b9d34105

SHA1
3d03ee485b0a94f7f51fdb842f1766f74ef30d7e

SHA256
ad87ca5aaddff7ab22e27ad2529d05b878d0c38ae7ff6a6810fe2bf2506d0eeb

SHA512
3c6e1384e2973f0c9d665a76b409153356f0edd9f4767af497f07f6efd87b1373f2b0a52fa1f4fe3cb4f13c27001f5d4932a975d3c3625cbea39ada72dba4caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
bab08792d9f9aa523ed13634d04ba8d3

SHA1
3674e1ed1fb7e3b6fb52ab554a82c0bc057e2646

SHA256
f1c17de526a98e9403cbd464915b40dc061916490f58a09b12f0a9ae9d4530ce

SHA512
cefacc3a943a30a366b037d4ef2b0adb8b625cd92cb2e297fff208d1f233382d94ad31fe77d14bd4fb542a32b17bc303bf3b01df1f951bfec45df0df52928485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
a31eff838dd401e86adbbd367322ada3

SHA1
fa6117659a246c142b9e116f1b9a86d1d0f966f5

SHA256
7ac4a43a1e03356834811c404dd9e27b01024b491ebaca9d954c7c4bda95b6e9

SHA512
dd5390321118d5bf74b98f88e20916daafe70433243a4c0a43412c8cfe293c599b849340dfab649ca1ecda6e6430a136812ffc2c05ee54408897386f746bf83a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
c6ee54e067f53248864eb69d77a5f8b4

SHA1
8127f814969189b01a20086660c16001d17fa1eb

SHA256
45e236dbf666cfcecd58c060654e4279e63041818ce08b4f578591d669f6fff5

SHA512
52d3295d7e0b01166e7da9e17ed9991db3fbc79a5c924370d501e935272e49f7bbad48b98764eb68a0390543b6acc8f9bf37d6a1b248a5f48bb2bf7e221536d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
1d0ed987d8d77ae4c179e95459ccf2c2

SHA1
6de88f72c8b59d5360f7ccdedf285970e71f6569

SHA256
8525dbcc90f8c84bd752f35579332113461c1b0653f590d712bfdf88509492ef

SHA512
52978274ed157202a1f1f3645118b10624a105b7eca4413e9fc45908dd71ac69b81d3cc11e46ae544c7bc72197af47529855cc44a2dffa03401b32e064fdbbff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
e71fb4ec7f652283894ce7f817c420a2

SHA1
808f001d26f36817ef65d2ffe09cc36c7b4fafeb

SHA256
824121c4f1a92bb4122345a6057a04c256a2d7ee11513ac1c9bddea67f2dd8bc

SHA512
7b260f05f4c25798eb2dbff0674d879d3901df38993f9e85afd5b4618f188ffa38651069a964daa1f91f9e62c34fdd53e627c14870afa75ba5bd20505ed1384b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
dacd00ef3a9513154ac50a14a55785dd

SHA1
c10381b4604a4690782f42230d6ac514553b25a1

SHA256
cf586599f93d354cc8d7f33ee97cb44134ba4bcbb8c33d408c65cb30bcadc93b

SHA512
a70cd80c8029948d15f6f93898c309827a0b9625728f9ececa70b46f7f23e80217f64d3de2e6192fb2a2511c7b24db7bc91236612807e2c6a0c718d3c4f79fa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
bf542000a716f7f974ac70dedee5ca72

SHA1
b20b33e03a6952525c3a391cf5a7a55e1a84babd

SHA256
0dc2551f846e9311fc5b8461f8c08391003788fd7d593eab4b57fb37d662dd7e

SHA512
2ba1316baa52fc14aa7c7ac52274b8b4785cb1058e60dbe39baf410c0508429476ddf0646b0ef32fb4a91ac829d72dbfa54a5dc4c5a0ca3b4ad08d2b5b3afc87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
4da8ef72f9bfe172272dbcb2ab69c4f3

SHA1
dc539ea74bfef9eec333c693ae5f2b716e5e7e6d

SHA256
573d7191320419429eee637897288bf30adcdd7626345e1c809c45532460fbfa

SHA512
9c185f96251934aff5e54359fb4daf50fbfd7f23ccb51b8fd660a70ad7ea28dcc28883938b2ae56a6e5c4d56fe28b2114e341e1acda3068b33e8c2d9c13aac94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
7728ad65dccfea934ed1b52d55826097

SHA1
34a3d31b27f9eea9921cbe1ab912779643aeca75

SHA256
6d055d09638d93ec715f5b2aa34e5cf5f99f7396619513e665b2245cd231d5fd

SHA512
ea582d94ac02ea002f230a2de31cee8078bf55cc02880a781268abc9e97c4bca99bbe3b7935c648a03bf234e6905b5ca6394cee26ad1f8cd375a001a220a99df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
8f2dd8b59b2672c5618cd2d1d2a61f99

SHA1
61e9535ed955a3694447c35f3c6d2c35dc32ce0b

SHA256
02f58dd0d474aa4350b2d385e58f43f1df345ca8bf2aece8734ac753d50bf595

SHA512
ba103c7d872a7c6e2a7f731cc1d3370a20181f8e7415ba1ad53fa8a34eaeab864bc2a0c375fd8d52f003dcabcacd7646d6d09762292ed330375687c0a5e03799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
835698caa7077aa6e0825ed1f1582fde

SHA1
dfa587fb350444bd8ea4f0199c5515fd19237ec9

SHA256
e867fbb745d2d8005340118505db0dc428ababb24b9be6db8b5b9fc70784ab3a

SHA512
87fcb9f3b8867a7bcea463f108d1d10b96574c1826d240b7ec7507a5541dbcada877916e717da5d2ec4b204ec94114714e86a0bc6bae6bc4e267198f8aec248b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
10cf2672d79bc6af75db7933e3eb4093

SHA1
b3428c1e0d0af92794bad837ed9a2890e2f3ea2e

SHA256
f9e9a2019cdbba9bf646c9cb71b446bb65a5ba26781abe1b79232762f3129887

SHA512
edee899f7742948727d21fedaf03e915458d599f45071045ab8162e651ae47567512af32ad1942aa4873c991ab39718e6565f7def141db493c38f119da39a626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
c2a4dfafb68643feb24f257730d72cad

SHA1
aeb15b810bdc5b88b449a9a1a6f3f26108e37542

SHA256
219384252471a9753b000e96ed12571cdb4e388592807d325b8f1b5c6fadd9e9

SHA512
c966e82383b3ae3afec892ca952eba168b13a2b81302aa77096aa89bbc75747f84cbb0f0c78e6ebe631b53bc0ce59094d9cfe6673ed6617fd37c9ecca04c46ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
25ad550af12520eea0cdb476897e6557

SHA1
04a8895ee3eb979cf91a08b07289bafa9a03a4a4

SHA256
b768082cd55ad6c39e441940a926851353ad19e43d834905346621ba9d0984e8

SHA512
0bb09d93f8c145baaad48627f9fe8cf18ee377d5e5d03eee8b324b5b40bbdb37af69086827355b93beecec59cf7e2ab1af71d99a0d56265965078602021f1cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
9d9d401a62de5965bbab0abcf0d2f932

SHA1
5db11bf6be5f3289f56559e2222278c8bdfc2c94

SHA256
65fde873e0239838d9906d8ec80d7f1e0b5e399da7c3f22759baff2f45e4fd5e

SHA512
f2ba9694da6da9d64ed9cbd9678e9d62cd38b3dc5c184582526b0999bc16cf80ef1a3d78617a903df33101fa47989b57f254f1e9cff4e252fdd57632dc2f2786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
51688a0050b3634bd0211315436cb764

SHA1
09ff3a44ef3cc172d79bc33561b5739be0c6ba99

SHA256
d69574f65aff1fb0b1802be48590415b577ddd50cbc12b9704b7c1dc59cdc521

SHA512
1f27ec2a030f2f66f89e8aa0351551a289c721294cb146dc22d1e96fc4d5e0482582dd4551cd175e963a0fbe1ea84ef0a971a973e0b20868354a3707c9680b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
bbd66cbed943043441cf28efe9cfa354

SHA1
52daa2d4c722a4d97910a20aea60fba35f08a114

SHA256
bedd8598f5476a1f47be67af82e81be4782009f3416c1ee8077e493a0c56d1b5

SHA512
7715a58a7f05b292dd565a4a0a24b430bf7e8548ec7a9d3927497f885e01b0369b2beba3174baf2d776d65599b3a4c8d80b60caa54fb0bbf5e2b32c743540140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
9a862ab93c5ee4858cb9e8bea514ad4e

SHA1
5ab1db11ac9aca7af004ca776a0d039331ef227d

SHA256
e99bb50c1e8b6f7a45e890f6795487fda2aca64e62f2d550fdc1c4466efd73a6

SHA512
ed29c9bf5fa21bcd5a0ec7bdecd279216cc01c29a65426e2bd801d0e1c70f9b02f074370042600fda6b81ab472728fd27d33d8fd4f194484bc2416cc8e1a92a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
101a930b6809742b32e14c050e59ff12

SHA1
9e668feba2a718304147ceabf9a3bb1d7f064068

SHA256
12d63b9a1ef5d77c7971df510fbbbe9a42d532ac34398d6a8d00c949bd3858db

SHA512
71b45dcad7e764f2b7c4254a0ef09d11df9e50d17d0c0d65464aa92bb00dfe9976672e15a39848aa04226aeff08eecc3e458b76bd793ad535a127846076f3559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
9b29e459e5c5d8b30e27236aa67ca264

SHA1
6f2b9e5d2e863df4396c7a3f22e7037ba148791d

SHA256
2082954853539ba3a7831946857ecec9d53c7bb05b382e19650f291b676e0d57

SHA512
ea0d00708d9fa069527bd89d34945266a8708e9dcfb93b90b28f9ff1c74910ed85fce624e6aaf26a681d4fd29bc84185d4c63ae59c431fcd8db624c610030307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
201f184fd3b4a2e7f979f054217125dc

SHA1
3efd7d28f6f9071db2018891807e0479fdf31a1b

SHA256
0c89c53ac09f427295808a6d0f5c17152cab967d801f64f2d1ae43b6277385ce

SHA512
b1f746bfe91c201c21e9a8af5773bb34d7ed7dcc16629c4aeb2d716e45489a4263fc4c9f7a7f002240ac4d56cd5e9b6a5e4cb70579406a911a65da9c8d9de86b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
ea05f204fbb3edf6b9f75e1c362b6820

SHA1
286cf72eb5f628ebed003c24a72d5c83a8517ca9

SHA256
de0efc8fc46109ecbc807c7cfa8c919d3eca6c4be43ed1fc904a0b0c9d4ee26f

SHA512
4d542d71ff00b69a1158b8899c6d6b476b84a26e45d8e27f3e166c23a1861db338f7b87dc87be412c6e72d4d21c209a7b807fdc91aecb41be3bbf65ed85f532b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
18eec73d470aea311af08704ebc93adc

SHA1
a8ee1f52f8c3955f26e91a6b478b5074cb8d4523

SHA256
4873a136a8bbe572a43cf9d7a1ce502d9004783d84852c51d76f0f59f2950ae9

SHA512
5b0bf5748554e7d43214b5e081f921dc34c849ee9f70ec818d4dca6fa1c6183b4c57e9e06dc36339b3daf3684dced4a1d6ad3f43d8055c250c5b50aabba46917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
f757a2e2259452e68d7c2145985b82b8

SHA1
570645b4eaa3d046a33bdc9c0b6dc7b0c9f53e83

SHA256
9cd2cb7d101b4844887b81fa40fa2077cf4ffbc97ab4adaab048b3ebb5195bb7

SHA512
8e673806788d631e995721f1dc66cf59b7d85141ea80ca8c632b73d0d773f1f253240c69b86615656aaad1f0e1d6359b5889fff6c494582b6c79bf8921a17591

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
054357634b76626410b74db278538f9c

SHA1
62b66614735394b7023e54334dda8511798e3a75

SHA256
ba6cb2b18dc9f6ac408d76c7d70a512cbe28dec580d4bbe1ba390fe2a814848d

SHA512
e286248e549a63cc57795cf82c85874d5d06960b1c748172f10d050ba96760f928c532adeb59c109ad3a9171b524e3c709695bebc93ba835a31e156fa335e05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8195.tmp\nsExec.dll

Filesize
7KB

MD5
4c77a65bb121bb7f2910c1fa3cb38337

SHA1
94531e3c6255125c1a85653174737d275bc35838

SHA256
5e66489393f159aa0fd30b630bb345d03418e9324e7d834b2e4195865a637cfe

SHA512
df50eadf312469c56996c67007d31b85d00e91a4f40355e786536fc0336ac9c2fd8ad9df6e65ab390cc6f031aca28c92212ea23cc40eb600b82a63be3b5b8c04

Download Submit
memory/3256-135-0x0000000005520000-0x0000000005B48000-memory.dmp

Filesize
6.2MB

Download
memory/3256-136-0x0000000005400000-0x0000000005422000-memory.dmp

Filesize
136KB

Download
memory/3256-139-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/3256-138-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/3256-134-0x0000000004E00000-0x0000000004E36000-memory.dmp

Filesize
216KB

Download
memory/3256-137-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download