warzonerat | 4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

Analysis

max time kernel
172s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2022 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ 17253536373.pdf (1).exe
Size

1015KB
MD5

f8a2ad4544d211df3b2698e5cecaf2dc
SHA1

b2045de3aaa3c49ebb35f25771d762cf70c5a3fa
SHA256

4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641
SHA512

fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd
SSDEEP

24576:XM+L74mBfNUstzoxdpt3hvMCggcrf8PAqyU9YH3r8JN:qnt3hrgde9YHI

Score

10^/10

warzonerat infostealer persistence rat

Malware Config

Extracted

Family

warzonerat

74.119.192.210:5200

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Executes dropped EXE 5 IoCs

Processes:

images.exeimages.exeimages.exeimages.exeimages.exe

pid process

3572 images.exe
956 images.exe
4412 images.exe
3516 images.exe
2344 images.exe

pid	process
3572	images.exe
956	images.exe
4412	images.exe
3516	images.exe
2344	images.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

images.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"	images.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ 17253536373.pdf (1).exeimages.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	RFQ 17253536373.pdf (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	images.exe

Drops startup file 2 IoCs

Processes:

RFQ 17253536373.pdf (1).exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	RFQ 17253536373.pdf (1).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	RFQ 17253536373.pdf (1).exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

4972 svchost.exe

pid	process
4972	svchost.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

images.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	images.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	images.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	images.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\GIiEBEj = "0"	images.exe

Drops file in System32 directory 1 IoCs

Processes:

images.exe

description ioc process

File created C:\Windows\System32\rfxvmt.dll images.exe

description	ioc	process
File created	C:\Windows\System32\rfxvmt.dll	images.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

RFQ 17253536373.pdf (1).exeimages.exe

description	pid	process	target process
PID 4188 set thread context of 1376	4188	RFQ 17253536373.pdf (1).exe	RFQ 17253536373.pdf (1).exe
PID 3572 set thread context of 2344	3572	images.exe	images.exe

Drops file in Program Files directory 2 IoCs

Processes:

images.exe

description ioc process

File created C:\Program Files\Microsoft DN1\rdpwrap.ini images.exe
File created C:\Program Files\Microsoft DN1\sqlmap.dll images.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2848 schtasks.exe
2780 schtasks.exe
NTFS ADS 1 IoCs

Processes:

RFQ 17253536373.pdf (1).exe

description ioc process

File created C:\ProgramData:ApplicationData RFQ 17253536373.pdf (1).exe

description	ioc	process
File created	C:\Program Files\Microsoft DN1\rdpwrap.ini	images.exe
File created	C:\Program Files\Microsoft DN1\sqlmap.dll	images.exe

pid	process
2848	schtasks.exe
2780	schtasks.exe

description	ioc	process
File created	C:\ProgramData:ApplicationData	RFQ 17253536373.pdf (1).exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

RFQ 17253536373.pdf (1).exepowershell.exepowershell.exepowershell.exeimages.exepowershell.exepowershell.exepowershell.exe

pid	process
4188	RFQ 17253536373.pdf (1).exe
3604	powershell.exe
5032	powershell.exe
4188	RFQ 17253536373.pdf (1).exe
4188	RFQ 17253536373.pdf (1).exe
5032	powershell.exe
3604	powershell.exe
4160	powershell.exe
4160	powershell.exe
3572	images.exe
2368	powershell.exe
4728	powershell.exe
3572	images.exe
3572	images.exe
3572	images.exe
3572	images.exe
3572	images.exe
3572	images.exe
3572	images.exe
4728	powershell.exe
2368	powershell.exe
4788	powershell.exe
4788	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

664
664

pid	process
664
664

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

RFQ 17253536373.pdf (1).exepowershell.exepowershell.exepowershell.exeimages.exepowershell.exepowershell.exepowershell.exeimages.exe

description	pid	process
Token: SeDebugPrivilege	4188	RFQ 17253536373.pdf (1).exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	3572	images.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	2344	images.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

images.exe

pid process

2344 images.exe

pid	process
2344	images.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RFQ 17253536373.pdf (1).exeRFQ 17253536373.pdf (1).execmd.exeimages.exeimages.exe

description	pid	process	target process
PID 4188 wrote to memory of 5032	4188	RFQ 17253536373.pdf (1).exe	powershell.exe
PID 4188 wrote to memory of 5032	4188	RFQ 17253536373.pdf (1).exe	powershell.exe
PID 4188 wrote to memory of 5032	4188	RFQ 17253536373.pdf (1).exe	powershell.exe
PID 4188 wrote to memory of 3604	4188	RFQ 17253536373.pdf (1).exe	powershell.exe
PID 4188 wrote to memory of 3604	4188	RFQ 17253536373.pdf (1).exe	powershell.exe
PID 4188 wrote to memory of 3604	4188	RFQ 17253536373.pdf (1).exe	powershell.exe
PID 4188 wrote to memory of 2848	4188	RFQ 17253536373.pdf (1).exe	schtasks.exe
PID 4188 wrote to memory of 2848	4188	RFQ 17253536373.pdf (1).exe	schtasks.exe
PID 4188 wrote to memory of 2848	4188	RFQ 17253536373.pdf (1).exe	schtasks.exe
PID 4188 wrote to memory of 1376	4188	RFQ 17253536373.pdf (1).exe	RFQ 17253536373.pdf (1).exe
PID 4188 wrote to memory of 1376	4188	RFQ 17253536373.pdf (1).exe	RFQ 17253536373.pdf (1).exe
PID 4188 wrote to memory of 1376	4188	RFQ 17253536373.pdf (1).exe	RFQ 17253536373.pdf (1).exe
PID 4188 wrote to memory of 1376	4188	RFQ 17253536373.pdf (1).exe	RFQ 17253536373.pdf (1).exe
PID 4188 wrote to memory of 1376	4188	RFQ 17253536373.pdf (1).exe	RFQ 17253536373.pdf (1).exe
PID 4188 wrote to memory of 1376	4188	RFQ 17253536373.pdf (1).exe	RFQ 17253536373.pdf (1).exe
PID 4188 wrote to memory of 1376	4188	RFQ 17253536373.pdf (1).exe	RFQ 17253536373.pdf (1).exe
PID 4188 wrote to memory of 1376	4188	RFQ 17253536373.pdf (1).exe	RFQ 17253536373.pdf (1).exe
PID 4188 wrote to memory of 1376	4188	RFQ 17253536373.pdf (1).exe	RFQ 17253536373.pdf (1).exe
PID 4188 wrote to memory of 1376	4188	RFQ 17253536373.pdf (1).exe	RFQ 17253536373.pdf (1).exe
PID 1376 wrote to memory of 4160	1376	RFQ 17253536373.pdf (1).exe	powershell.exe
PID 1376 wrote to memory of 4160	1376	RFQ 17253536373.pdf (1).exe	powershell.exe
PID 1376 wrote to memory of 4160	1376	RFQ 17253536373.pdf (1).exe	powershell.exe
PID 1376 wrote to memory of 1972	1376	RFQ 17253536373.pdf (1).exe	cmd.exe
PID 1376 wrote to memory of 1972	1376	RFQ 17253536373.pdf (1).exe	cmd.exe
PID 1376 wrote to memory of 1972	1376	RFQ 17253536373.pdf (1).exe	cmd.exe
PID 1376 wrote to memory of 3572	1376	RFQ 17253536373.pdf (1).exe	images.exe
PID 1376 wrote to memory of 3572	1376	RFQ 17253536373.pdf (1).exe	images.exe
PID 1376 wrote to memory of 3572	1376	RFQ 17253536373.pdf (1).exe	images.exe
PID 1972 wrote to memory of 676	1972	cmd.exe	reg.exe
PID 1972 wrote to memory of 676	1972	cmd.exe	reg.exe
PID 1972 wrote to memory of 676	1972	cmd.exe	reg.exe
PID 3572 wrote to memory of 2368	3572	images.exe	powershell.exe
PID 3572 wrote to memory of 2368	3572	images.exe	powershell.exe
PID 3572 wrote to memory of 2368	3572	images.exe	powershell.exe
PID 3572 wrote to memory of 4728	3572	images.exe	powershell.exe
PID 3572 wrote to memory of 4728	3572	images.exe	powershell.exe
PID 3572 wrote to memory of 4728	3572	images.exe	powershell.exe
PID 3572 wrote to memory of 2780	3572	images.exe	schtasks.exe
PID 3572 wrote to memory of 2780	3572	images.exe	schtasks.exe
PID 3572 wrote to memory of 2780	3572	images.exe	schtasks.exe
PID 3572 wrote to memory of 956	3572	images.exe	images.exe
PID 3572 wrote to memory of 956	3572	images.exe	images.exe
PID 3572 wrote to memory of 956	3572	images.exe	images.exe
PID 3572 wrote to memory of 4412	3572	images.exe	images.exe
PID 3572 wrote to memory of 4412	3572	images.exe	images.exe
PID 3572 wrote to memory of 4412	3572	images.exe	images.exe
PID 3572 wrote to memory of 3516	3572	images.exe	images.exe
PID 3572 wrote to memory of 3516	3572	images.exe	images.exe
PID 3572 wrote to memory of 3516	3572	images.exe	images.exe
PID 3572 wrote to memory of 2344	3572	images.exe	images.exe
PID 3572 wrote to memory of 2344	3572	images.exe	images.exe
PID 3572 wrote to memory of 2344	3572	images.exe	images.exe
PID 3572 wrote to memory of 2344	3572	images.exe	images.exe
PID 3572 wrote to memory of 2344	3572	images.exe	images.exe
PID 3572 wrote to memory of 2344	3572	images.exe	images.exe
PID 3572 wrote to memory of 2344	3572	images.exe	images.exe
PID 3572 wrote to memory of 2344	3572	images.exe	images.exe
PID 3572 wrote to memory of 2344	3572	images.exe	images.exe
PID 3572 wrote to memory of 2344	3572	images.exe	images.exe
PID 2344 wrote to memory of 4788	2344	images.exe	powershell.exe
PID 2344 wrote to memory of 4788	2344	images.exe	powershell.exe
PID 2344 wrote to memory of 4788	2344	images.exe	powershell.exe
PID 2344 wrote to memory of 4196	2344	images.exe	cmd.exe
PID 2344 wrote to memory of 4196	2344	images.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.pdf (1).exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.pdf (1).exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.pdf (1).exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yOQsDFUUU.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yOQsDFUUU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1076.tmp"
2⤵
- Creates scheduled task(s)
PID:2848

C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.pdf (1).exe
"C:\Users\Admin\AppData\Local\Temp\RFQ 17253536373.pdf (1).exe"
2⤵
- Drops startup file
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
4⤵
PID:676

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\images.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yOQsDFUUU.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yOQsDFUUU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB5A.tmp"
4⤵
- Creates scheduled task(s)
PID:2780

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
PID:956

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
PID:4412

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
PID:3516

C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
4⤵
- Executes dropped EXE
- Sets DLL path for service in the registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
5⤵
PID:4196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:3604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:4972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft DN1\sqlmap.dll
Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\ProgramData\
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\images.exe
Filesize
1015KB

MD5
f8a2ad4544d211df3b2698e5cecaf2dc

SHA1
b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

SHA256
4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

SHA512
fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

Download Submit
C:\ProgramData\images.exe
Filesize
1015KB

MD5
f8a2ad4544d211df3b2698e5cecaf2dc

SHA1
b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

SHA256
4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

SHA512
fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

Download Submit
C:\ProgramData\images.exe
Filesize
1015KB

MD5
f8a2ad4544d211df3b2698e5cecaf2dc

SHA1
b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

SHA256
4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

SHA512
fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

Download Submit
C:\ProgramData\images.exe
Filesize
1015KB

MD5
f8a2ad4544d211df3b2698e5cecaf2dc

SHA1
b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

SHA256
4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

SHA512
fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

Download Submit
C:\ProgramData\images.exe
Filesize
1015KB

MD5
f8a2ad4544d211df3b2698e5cecaf2dc

SHA1
b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

SHA256
4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

SHA512
fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

Download Submit
C:\ProgramData\images.exe
Filesize
1015KB

MD5
f8a2ad4544d211df3b2698e5cecaf2dc

SHA1
b2045de3aaa3c49ebb35f25771d762cf70c5a3fa

SHA256
4fe82d810dd80e56a8e2effdf825a9259a812bc9e14193f22193342bf5e66641

SHA512
fb94796b343d75d98b512e9f2f35fa17a5b33d6a382ba6188671bc232649f0428d969e37d7a2b35a427dea14c697d9ba9e27c9395770412960b2be77ee987ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
881dfef149fd15d17eb5204053c007e8

SHA1
b1dab299cd0f93e05c6f6b0cf2be6ccccf82a36a

SHA256
2fb54ed6eacbda05a2a76e2376a3898f9b1f3e1fec83f16e3514b97382aa8c4c

SHA512
8c32635d6de9fbed31933d6f179e2ac51dd3cc7faf2b2e1106671e3ab355889fc6a8d77dedf558fe71f2f406d82f7de1aab131ac3106598104e2343e60653909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
136B

MD5
69026b75d7c7cdb05873f195a3c5594a

SHA1
054b1744352bdaec1fd251c2a82a2543c2a42694

SHA256
66a8acaf9c9d8e7bbaceba7cfa3e62c0067ac139b4a0c44e367cdaf51d5c09ae

SHA512
3bd65f8e352b5e9ee06a71185d4177273cdde676263c46f8164f71062acde64202c0b4ca9fdfea3f4cc5c1cda6fa49e5ed6d3001733e2973c6505488ea24b3dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
434d193d809819ba7c6dedb6f039841c

SHA1
8b5fbf592dfc1cc658ebad99a46b9e5150385da9

SHA256
edbf4fe154bc6909097bf4102fad138a8964007ef16dc03d1d3b25532c63a90b

SHA512
c2dd5f60db6f8f78cf5f902813710f382bffc8842020d1970628e669dcf91d391c4d4db4d2f7788d868ae2dd02f5bd7524a62a1280b5158864a93f2289616136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
d2b4db027b8f7bc0670f1bd4e045e14f

SHA1
8d028e2d08e46a9f283862bb09db831127141f3f

SHA256
ca683d6118fcebdd1cc0d29353fe7acbb8c42f462536de48e16b09a904832b78

SHA512
7f91464eff494f2747290554ce7de18fddf7856f3ff840dbf1290c827dafcbe313b65c87190cbeb7da1baf89aa54b1862715f492b666a5b39add440f25b25d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
104B

MD5
3c6a8ac2e95509edeb24499bd702e531

SHA1
e2f2a65151ac7fa84309059457fd0b2418ba17b4

SHA256
d7f4e1820721f99caffe84252f513da2e561086868508dc6f51322819fa15569

SHA512
9e5a540ad4e83906b45e204e1bd519a24c96c7419b09f6192e795cfc9069a74113a8e932489f4c4676746386528042e07619ea4ca6c5b51db68fa2d8ba96977e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1076.tmp
Filesize
1KB

MD5
2e3a48703e60b6e411a29427289d68a1

SHA1
c4e2b34f4a0d703ceddd98a367585bc65c5f98b3

SHA256
a21e07729648c9d84599a07b8edf788a1fd6524599bb7dea252f98e570c3f102

SHA512
9d2f016ef8d58fe63fa383cfc4580960310a0c21fd7c4b8f23bc57f2304d3c9d760b650ea8e3ae3375d868eee08f022aba7848f3295ccf2de127b307fd51965e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB5A.tmp
Filesize
1KB

MD5
2e3a48703e60b6e411a29427289d68a1

SHA1
c4e2b34f4a0d703ceddd98a367585bc65c5f98b3

SHA256
a21e07729648c9d84599a07b8edf788a1fd6524599bb7dea252f98e570c3f102

SHA512
9d2f016ef8d58fe63fa383cfc4580960310a0c21fd7c4b8f23bc57f2304d3c9d760b650ea8e3ae3375d868eee08f022aba7848f3295ccf2de127b307fd51965e

Download Submit
memory/676-167-0x0000000000000000-mapping.dmp

Download
memory/956-179-0x0000000000000000-mapping.dmp

Download
memory/1376-151-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1376-146-0x0000000000000000-mapping.dmp

Download
memory/1376-165-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1376-147-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1376-149-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1972-159-0x0000000000000000-mapping.dmp

Download
memory/2344-200-0x0000000004AF0000-0x0000000004C90000-memory.dmp

Filesize
1.6MB

Download
memory/2344-185-0x0000000000000000-mapping.dmp

Download
memory/2344-191-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2344-190-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2344-201-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/2368-192-0x0000000070E90000-0x0000000070EDC000-memory.dmp

Filesize
304KB

Download
memory/2368-175-0x0000000000000000-mapping.dmp

Download
memory/2780-177-0x0000000000000000-mapping.dmp

Download
memory/2848-139-0x0000000000000000-mapping.dmp

Download
memory/3516-183-0x0000000000000000-mapping.dmp

Download
memory/3572-161-0x0000000000000000-mapping.dmp

Download
memory/3604-150-0x0000000005EA0000-0x0000000005EBE000-memory.dmp

Filesize
120KB

Download
memory/3604-168-0x0000000007350000-0x000000000735E000-memory.dmp

Filesize
56KB

Download
memory/3604-138-0x0000000000000000-mapping.dmp

Download
memory/3604-157-0x0000000007120000-0x000000000713A000-memory.dmp

Filesize
104KB

Download
memory/3604-145-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/3604-153-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

Filesize
304KB

Download
memory/4160-158-0x0000000000000000-mapping.dmp

Download
memory/4160-173-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

Filesize
304KB

Download
memory/4188-136-0x0000000007C30000-0x0000000007CCC000-memory.dmp

Filesize
624KB

Download
memory/4188-133-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/4188-134-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/4188-135-0x00000000054B0000-0x00000000054BA000-memory.dmp

Filesize
40KB

Download
memory/4188-132-0x00000000009F0000-0x0000000000AF2000-memory.dmp

Filesize
1.0MB

Download
memory/4196-196-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/4196-195-0x0000000000000000-mapping.dmp

Download
memory/4412-181-0x0000000000000000-mapping.dmp

Download
memory/4728-193-0x0000000070E90000-0x0000000070EDC000-memory.dmp

Filesize
304KB

Download
memory/4728-176-0x0000000000000000-mapping.dmp

Download
memory/4788-198-0x0000000070E90000-0x0000000070EDC000-memory.dmp

Filesize
304KB

Download
memory/4788-194-0x0000000000000000-mapping.dmp

Download
memory/5032-170-0x0000000007DC0000-0x0000000007DC8000-memory.dmp

Filesize
32KB

Download
memory/5032-160-0x0000000007B00000-0x0000000007B0A000-memory.dmp

Filesize
40KB

Download
memory/5032-152-0x0000000006D20000-0x0000000006D52000-memory.dmp

Filesize
200KB

Download
memory/5032-156-0x0000000008120000-0x000000000879A000-memory.dmp

Filesize
6.5MB

Download
memory/5032-137-0x0000000000000000-mapping.dmp

Download
memory/5032-166-0x0000000007D20000-0x0000000007DB6000-memory.dmp

Filesize
600KB

Download
memory/5032-169-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

Filesize
104KB

Download
memory/5032-140-0x0000000002E60000-0x0000000002E96000-memory.dmp

Filesize
216KB

Download
memory/5032-144-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/5032-141-0x0000000005860000-0x0000000005E88000-memory.dmp

Filesize
6.2MB

Download
memory/5032-155-0x0000000006D00000-0x0000000006D1E000-memory.dmp

Filesize
120KB

Download
memory/5032-154-0x0000000070EC0000-0x0000000070F0C000-memory.dmp

Filesize
304KB

Download
memory/5032-143-0x00000000056A0000-0x00000000056C2000-memory.dmp

Filesize
136KB

Download