7ba583dbe374ad0e4f57667aa407d9626a678e4e394af498ba21d3e6c4a1cc7a

Analysis

max time kernel
1401s
max time network
1226s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
24-03-2023 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cortana-2-Ana-09.cmd
Size

18KB
MD5

54e1a3a403a49c48b4c48e1751956ff8
SHA1

00e21653559df4848d5ac2f2e44ef8a63eae9c2e
SHA256

7ba583dbe374ad0e4f57667aa407d9626a678e4e394af498ba21d3e6c4a1cc7a
SHA512

fdd5b16c261c7fd59c726fd7adc18a393f362ed0b676034c42ca4ca72793291b26348fdc2244ae12adddac8b78958db3893104639efa81f132f0485844a1e911
SSDEEP

384:CGOHznpRsShAdhAdwzhcGq6XfjHlLQT2HiU4nR:CGOH1RsSKKaq6vLlLQTcJ4R

Score

8^/10

discovery exploit

Malware Config

Signatures

Possible privilege escalation attempt 12 IoCs

exploit

Processes:

icacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	process
2788	icacls.exe
5060	icacls.exe
5076	icacls.exe
2212	icacls.exe
4344	takeown.exe
4676	icacls.exe
1020	takeown.exe
2060	icacls.exe
1720	icacls.exe
4836	takeown.exe
3204	icacls.exe
3872	icacls.exe

Modifies file permissions 1 TTPs 12 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	process
4344	takeown.exe
2212	icacls.exe
2060	icacls.exe
5060	icacls.exe
3204	icacls.exe
4836	takeown.exe
3872	icacls.exe
5076	icacls.exe
4676	icacls.exe
1020	takeown.exe
2788	icacls.exe
1720	icacls.exe

Drops file in System32 directory 3 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml	cmd.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml	cmd.exe
File created	C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml	cmd.exe

Runs .reg file with regedit 3 IoCs

Processes:

regedit.exeregedit.exeregedit.exe

pid process

4056 regedit.exe
4636 regedit.exe
2956 regedit.exe
Runs net.exe

pid	process
4056	regedit.exe
4636	regedit.exe
2956	regedit.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4708	powershell.exe
4708	powershell.exe
4708	powershell.exe
4264	powershell.exe
4264	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
1448	powershell.exe
1448	powershell.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
4224	powershell.exe
4224	powershell.exe
4224	powershell.exe
996	powershell.exe
996	powershell.exe
996	powershell.exe
996	powershell.exe
3544	powershell.exe
3544	powershell.exe
3544	powershell.exe
1748	powershell.exe
1748	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
4792	powershell.exe
4792	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powershell.exepowershell.exetakeown.exeicacls.exepowershell.exepowershell.exepowershell.exepowershell.exetakeown.exeicacls.exepowershell.exepowershell.exepowershell.exetakeown.exeicacls.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeTakeOwnershipPrivilege	1020	takeown.exe
Token: SeRestorePrivilege	2060	icacls.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeTakeOwnershipPrivilege	4836	takeown.exe
Token: SeRestorePrivilege	3204	icacls.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeTakeOwnershipPrivilege	4344	takeown.exe
Token: SeRestorePrivilege	2212	icacls.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4356 wrote to memory of 3384	4356	cmd.exe	net.exe
PID 4356 wrote to memory of 3384	4356	cmd.exe	net.exe
PID 3384 wrote to memory of 4664	3384	net.exe	net1.exe
PID 3384 wrote to memory of 4664	3384	net.exe	net1.exe
PID 4356 wrote to memory of 4708	4356	cmd.exe	powershell.exe
PID 4356 wrote to memory of 4708	4356	cmd.exe	powershell.exe
PID 4356 wrote to memory of 4264	4356	cmd.exe	powershell.exe
PID 4356 wrote to memory of 4264	4356	cmd.exe	powershell.exe
PID 4356 wrote to memory of 1020	4356	cmd.exe	takeown.exe
PID 4356 wrote to memory of 1020	4356	cmd.exe	takeown.exe
PID 4356 wrote to memory of 2788	4356	cmd.exe	icacls.exe
PID 4356 wrote to memory of 2788	4356	cmd.exe	icacls.exe
PID 4356 wrote to memory of 2400	4356	cmd.exe	findstr.exe
PID 4356 wrote to memory of 2400	4356	cmd.exe	findstr.exe
PID 4356 wrote to memory of 2060	4356	cmd.exe	icacls.exe
PID 4356 wrote to memory of 2060	4356	cmd.exe	icacls.exe
PID 4356 wrote to memory of 1720	4356	cmd.exe	icacls.exe
PID 4356 wrote to memory of 1720	4356	cmd.exe	icacls.exe
PID 4356 wrote to memory of 524	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 524	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 620	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 620	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 4596	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 4596	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 1904	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 1904	4356	cmd.exe	reg.exe
PID 4356 wrote to memory of 4636	4356	cmd.exe	regedit.exe
PID 4356 wrote to memory of 4636	4356	cmd.exe	regedit.exe
PID 4356 wrote to memory of 980	4356	cmd.exe	powershell.exe
PID 4356 wrote to memory of 980	4356	cmd.exe	powershell.exe
PID 4356 wrote to memory of 1448	4356	cmd.exe	powershell.exe
PID 4356 wrote to memory of 1448	4356	cmd.exe	powershell.exe
PID 4792 wrote to memory of 1908	4792	cmd.exe	net.exe
PID 4792 wrote to memory of 1908	4792	cmd.exe	net.exe
PID 1908 wrote to memory of 2568	1908	net.exe	net1.exe
PID 1908 wrote to memory of 2568	1908	net.exe	net1.exe
PID 4792 wrote to memory of 4884	4792	cmd.exe	powershell.exe
PID 4792 wrote to memory of 4884	4792	cmd.exe	powershell.exe
PID 4792 wrote to memory of 4224	4792	cmd.exe	powershell.exe
PID 4792 wrote to memory of 4224	4792	cmd.exe	powershell.exe
PID 4792 wrote to memory of 4836	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 4836	4792	cmd.exe	takeown.exe
PID 4792 wrote to memory of 5060	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 5060	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 2788	4792	cmd.exe	findstr.exe
PID 4792 wrote to memory of 2788	4792	cmd.exe	findstr.exe
PID 4792 wrote to memory of 3204	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 3204	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 3872	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 3872	4792	cmd.exe	icacls.exe
PID 4792 wrote to memory of 1888	4792	cmd.exe	reg.exe
PID 4792 wrote to memory of 1888	4792	cmd.exe	reg.exe
PID 4792 wrote to memory of 960	4792	cmd.exe	reg.exe
PID 4792 wrote to memory of 960	4792	cmd.exe	reg.exe
PID 4792 wrote to memory of 2956	4792	cmd.exe	regedit.exe
PID 4792 wrote to memory of 2956	4792	cmd.exe	regedit.exe
PID 4792 wrote to memory of 996	4792	cmd.exe	powershell.exe
PID 4792 wrote to memory of 996	4792	cmd.exe	powershell.exe
PID 3672 wrote to memory of 1416	3672	cmd.exe	net.exe
PID 3672 wrote to memory of 1416	3672	cmd.exe	net.exe
PID 1416 wrote to memory of 4136	1416	net.exe	net1.exe
PID 1416 wrote to memory of 4136	1416	net.exe	net1.exe
PID 3672 wrote to memory of 3544	3672	cmd.exe	powershell.exe
PID 3672 wrote to memory of 3544	3672	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Cortana-2-Ana-09.cmd"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\system32\net.exe
NET FILE
2⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 FILE
3⤵
PID:4664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy Unrestricted
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -File "C:\Users\Admin\AppData\Local\Temp\AV.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /grant Administradores:f
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2788

C:\Windows\system32\findstr.exe
findstr /v "</Tokens>" "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml"
2⤵
PID:2400

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /setowner "NT SERVICE\TrustedInstaller"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /reset
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1720

C:\Windows\system32\reg.exe
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech\Voices\Tokens "C:\Users\Admin\Cortana_Backup\hkey-local-s-m-speech-voices-tokens.reg"
2⤵
PID:524

C:\Windows\system32\reg.exe
reg export HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Isolated "C:\Users\Admin\Cortana_Backup\hkey-user-s-m-speech_onecore-isolated.reg"
2⤵
PID:620

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.EXE IMPORT ""C:\Users\Admin\AppData\Local\Temp\1-Voice-Ana-Cortana.reg""
2⤵
PID:4596

C:\Windows\system32\reg.exe
reg query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Isolated
2⤵
PID:1904

C:\Windows\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\isocode.reg"
2⤵
- Runs .reg file with regedit
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy Unrestricted
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -File "C:\Users\Admin\AppData\Local\Temp\AV.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cortana-2-Ana-09.cmd" "
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\system32\net.exe
NET FILE
2⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 FILE
3⤵
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy Unrestricted
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -File "C:\Users\Admin\AppData\Local\Temp\AV.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /grant Administradores:f
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5060

C:\Windows\system32\findstr.exe
findstr /v "</Tokens>" "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml"
2⤵
PID:2788

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /setowner "NT SERVICE\TrustedInstaller"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /reset
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3872

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.EXE IMPORT ""C:\Users\Admin\AppData\Local\Temp\1-Voice-Ana-Cortana.reg""
2⤵
PID:1888

C:\Windows\system32\reg.exe
reg query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Isolated
2⤵
PID:960

C:\Windows\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\isocode.reg"
2⤵
- Runs .reg file with regedit
PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy Unrestricted
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cortana-2-Ana-09.cmd"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\system32\net.exe
NET FILE
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 FILE
3⤵
PID:4136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy Unrestricted
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -File "C:\Users\Admin\AppData\Local\Temp\AV.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /A
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /grant Administradores:f
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5076

C:\Windows\system32\findstr.exe
findstr /v "</Tokens>" "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml"
2⤵
PID:4508

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /setowner "NT SERVICE\TrustedInstaller"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\Speech_OneCore\common\es-ES\tokens_TTS_es-ES.xml" /reset
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4676

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.EXE IMPORT ""C:\Users\Admin\AppData\Local\Temp\1-Voice-Ana-Cortana.reg""
2⤵
PID:1576

C:\Windows\system32\reg.exe
reg query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Isolated
2⤵
PID:4032

C:\Windows\regedit.exe
regedit /s "C:\Users\Admin\AppData\Local\Temp\isocode.reg"
2⤵
- Runs .reg file with regedit
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-ExecutionPolicy Unrestricted
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -File "C:\Users\Admin\AppData\Local\Temp\AV.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d136d3411d4aa688242c53cafb993aa6

SHA1
1a81cc78e3ca445d5a5193e49ddce26d5e25179f

SHA256
00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

SHA512
282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
68d9ca8c399bebe25f29235eccf2623b

SHA1
0e239ea54bad1cc9e32e0efa91e7266649700fea

SHA256
021ef3f885d13b8d2c271e4a12fcf43b2683076b16b490bffb945e9cc94065a9

SHA512
63030e954e5260a77827c62708db9e87b896ede7160249eb60b1a59931639007fb7ac124089bc7f0be331ebb3bed4540f730f4c1759403fa74bb6bdfee9610d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
12efdf287ccde9be0310b0ce12f62d57

SHA1
94defb43877b89cf4f4445575ce6e996c4c24c96

SHA256
1639dad8878d2307e62adbc8cba08e4b31791f5032e02d343f149f4a447e79f9

SHA512
bf9a1a3c0d080c84cb8180f09222b6b8e29fc53a0a596e4b47f6290d3a91789292f31a9461b0262f8cfd75ccad1deab726c954045995e68ea20c937d41724a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1-Voice-Ana-Cortana.reg
Filesize
4KB

MD5
ff1f5d24922166b47bb303d1c0781e93

SHA1
73954d4ea4ec02465d50df5542ca97f94955b120

SHA256
39568832b87437ab04b3fb3f0402ecf77e9188ca6fcfa7f9c247af2319f6457b

SHA512
974aaf209a9c9c30b8579fcaede9ff12603ec60e12ab508b80d661c6b88ffd87667a20315197d9dfb4cc7be971059b77534ab1b1987b81c16086de5044ccf40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1-Voice-Ana-Cortana.reg
Filesize
4KB

MD5
e7185331680934585e86d3206f196a91

SHA1
41d57a2d3002607fbd00af6e37083c2ad884e2ab

SHA256
e9f648956fed9f34f0677eb3050ff0a0fa3b22496fd1eb773c3aaf8a1722e8e9

SHA512
b817946172ff1b3167f1f222f5c8f284c679b20aa3c10856c9e03b7d052fcbcce2aabb136319e6d7ef34310b6afc0c1c8bf8988de1810b36415189310b57f135

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.ps1
Filesize
577B

MD5
e687f60b8e32eeacb539b75fbc628d20

SHA1
db37eb796e87ba1da7216be4f5e9d771276d5768

SHA256
7b1659dc75157f1ca400849fe3306ec71c630c606f833e12691b1218c1f2535e

SHA512
06e9198e41ae0aa5e0b90b5a53119a82c171836a977042c9bf81ead545ed2f5d8ff11d75d70ee709e87fc52f5a79ab02bc232f2ab1e0203e7e954e2472a5c925

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ana-token.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ana-token.txt
Filesize
1KB

MD5
3c6a7479b5c245ea3f7f54f343d52695

SHA1
3f8e52db2263197708a3571530029a7cc6928925

SHA256
14160553bf2d56a3c20f1514ab0ba4172d5a74b9348aae9e5132f168c239ae48

SHA512
39c72475bb10e18aa7df7b11ef8e89d54bf0245f9e425da4064ff3b7bbc3f80827bda1efd8a7ee95386d52326cbfdad3d17c1377bcd3a03e354d30591641b0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ana-token.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG8FC1.tmp
Filesize
15KB

MD5
e842f0253238d4406a98b8e1c9cedf5b

SHA1
409378f8a3130de8d7b75e0fa1afc138652f675a

SHA256
011ffe13997ec60941e78f95d148f5850be6f693811d47880ab6742005d5e9b2

SHA512
f550a807b1ff43ec8cd3d63218c664a5a4123241568cdbec0764cc9b66be686e2dbbe360a235dae9db174ed5d5e882824eb4a3e9ccef2985c38fe2308346e9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l4ycfmek.5sw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cortana2ana.log
Filesize
51B

MD5
24fa563068de3a6a8764168a5329d6c5

SHA1
62149162081f78db70165e748041b9379ea39449

SHA256
7a03798e64b6236f986c3797c672af18fbf472feb8bdcfdfb9a694de1726fe0d

SHA512
b67e1a46e2781330c941eb70d1eb5346eb487f0a6d11feb37196424da8e09ce9b5734510c962a45caa35e2893fea8a73f5b6f7732045dda1c30539c6d01e010b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cortana2ana.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cortana2ana.log
Filesize
51B

MD5
24fa563068de3a6a8764168a5329d6c5

SHA1
62149162081f78db70165e748041b9379ea39449

SHA256
7a03798e64b6236f986c3797c672af18fbf472feb8bdcfdfb9a694de1726fe0d

SHA512
b67e1a46e2781330c941eb70d1eb5346eb487f0a6d11feb37196424da8e09ce9b5734510c962a45caa35e2893fea8a73f5b6f7732045dda1c30539c6d01e010b

Download Submit
C:\Users\Admin\AppData\Local\Temp\isocode.log
Filesize
6B

MD5
e0f27654640d6641a4cb2559d7faee24

SHA1
b802a36ba28c6cf36db5d4e00f4e141c6df59ee4

SHA256
ac06b1f2ab7f2c498c5a479495f5fada7d38144ae9fcc6c48ace2c1dad554023

SHA512
72f4f85fca25c98362dde1e03f638295e1d891dee16e57da607a4c996402d56a831cea6ec1bee6ab9219346f77c04d0cda2c82e1290ac04520c63e30b053fac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\isocode.log
Filesize
6B

MD5
e0f27654640d6641a4cb2559d7faee24

SHA1
b802a36ba28c6cf36db5d4e00f4e141c6df59ee4

SHA256
ac06b1f2ab7f2c498c5a479495f5fada7d38144ae9fcc6c48ace2c1dad554023

SHA512
72f4f85fca25c98362dde1e03f638295e1d891dee16e57da607a4c996402d56a831cea6ec1bee6ab9219346f77c04d0cda2c82e1290ac04520c63e30b053fac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\isocode.log
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\isocode.reg
Filesize
900B

MD5
c46fab845d8e5f246c0d3064be35c9cf

SHA1
bfa9a640c68f90b407d1a3de17119a85cc7747dc

SHA256
c43b5e8c99e9a529d6f4ada10982d6b1952eb023eb7491f1258488f7b7891e3b

SHA512
eee77d2e2f428a02e3e9e383ffc85626a8ad93047a1e2b6e072054ced13fede2fff6623e5870462f858b0d5561bc48ea42a4fd8a1d34e4f8c1a59d9a9eada206

Download Submit
C:\Users\Admin\AppData\Local\Temp\isocode.reg
Filesize
900B

MD5
c46fab845d8e5f246c0d3064be35c9cf

SHA1
bfa9a640c68f90b407d1a3de17119a85cc7747dc

SHA256
c43b5e8c99e9a529d6f4ada10982d6b1952eb023eb7491f1258488f7b7891e3b

SHA512
eee77d2e2f428a02e3e9e383ffc85626a8ad93047a1e2b6e072054ced13fede2fff6623e5870462f858b0d5561bc48ea42a4fd8a1d34e4f8c1a59d9a9eada206

Download Submit
C:\Users\Admin\AppData\Local\Temp\isocode.reg
Filesize
900B

MD5
c46fab845d8e5f246c0d3064be35c9cf

SHA1
bfa9a640c68f90b407d1a3de17119a85cc7747dc

SHA256
c43b5e8c99e9a529d6f4ada10982d6b1952eb023eb7491f1258488f7b7891e3b

SHA512
eee77d2e2f428a02e3e9e383ffc85626a8ad93047a1e2b6e072054ced13fede2fff6623e5870462f858b0d5561bc48ea42a4fd8a1d34e4f8c1a59d9a9eada206

Download Submit
C:\Users\Admin\AppData\Local\Temp\isocode.reg
Filesize
900B

MD5
c46fab845d8e5f246c0d3064be35c9cf

SHA1
bfa9a640c68f90b407d1a3de17119a85cc7747dc

SHA256
c43b5e8c99e9a529d6f4ada10982d6b1952eb023eb7491f1258488f7b7891e3b

SHA512
eee77d2e2f428a02e3e9e383ffc85626a8ad93047a1e2b6e072054ced13fede2fff6623e5870462f858b0d5561bc48ea42a4fd8a1d34e4f8c1a59d9a9eada206

Download Submit
C:\Users\Admin\AppData\Local\Temp\isolated.log
Filesize
6B

MD5
e0f27654640d6641a4cb2559d7faee24

SHA1
b802a36ba28c6cf36db5d4e00f4e141c6df59ee4

SHA256
ac06b1f2ab7f2c498c5a479495f5fada7d38144ae9fcc6c48ace2c1dad554023

SHA512
72f4f85fca25c98362dde1e03f638295e1d891dee16e57da607a4c996402d56a831cea6ec1bee6ab9219346f77c04d0cda2c82e1290ac04520c63e30b053fac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\isolated.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tokens_TTS_es-ES.xml
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tokens_TTS_es-ES.xml
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/996-464-0x000002C0FA3F0000-0x000002C0FA400000-memory.dmp

Filesize
64KB

Download
memory/996-465-0x000002C0FA3F0000-0x000002C0FA400000-memory.dmp

Filesize
64KB

Download
memory/996-466-0x000002C0FA3F0000-0x000002C0FA400000-memory.dmp

Filesize
64KB

Download
memory/1448-362-0x000002B451500000-0x000002B451510000-memory.dmp

Filesize
64KB

Download
memory/1448-360-0x000002B451500000-0x000002B451510000-memory.dmp

Filesize
64KB

Download
memory/1448-361-0x000002B451500000-0x000002B451510000-memory.dmp

Filesize
64KB

Download
memory/2568-562-0x00000173AFB30000-0x00000173AFB40000-memory.dmp

Filesize
64KB

Download
memory/2568-561-0x00000173AFB30000-0x00000173AFB40000-memory.dmp

Filesize
64KB

Download
memory/2568-563-0x00000173AFB30000-0x00000173AFB40000-memory.dmp

Filesize
64KB

Download
memory/3544-579-0x00000265B0F40000-0x00000265B0F50000-memory.dmp

Filesize
64KB

Download
memory/3544-479-0x00000265B0F40000-0x00000265B0F50000-memory.dmp

Filesize
64KB

Download
memory/4224-391-0x0000023C505F0000-0x0000023C50600000-memory.dmp

Filesize
64KB

Download
memory/4224-390-0x0000023C505F0000-0x0000023C50600000-memory.dmp

Filesize
64KB

Download
memory/4224-392-0x0000023C505F0000-0x0000023C50600000-memory.dmp

Filesize
64KB

Download
memory/4264-263-0x0000021CC1470000-0x0000021CC1480000-memory.dmp

Filesize
64KB

Download
memory/4264-264-0x0000021CC1470000-0x0000021CC1480000-memory.dmp

Filesize
64KB

Download
memory/4708-257-0x00000171DC150000-0x00000171DC172000-memory.dmp

Filesize
136KB

Download
memory/4708-256-0x00000171C1B90000-0x00000171C1BA0000-memory.dmp

Filesize
64KB

Download
memory/4708-258-0x00000171DC450000-0x00000171DC552000-memory.dmp

Filesize
1.0MB

Download
memory/4708-259-0x00000171DC140000-0x00000171DC14A000-memory.dmp

Filesize
40KB

Download
memory/4708-246-0x00000171DC1B0000-0x00000171DC232000-memory.dmp

Filesize
520KB

Download
memory/4792-575-0x0000024AD2300000-0x0000024AD2310000-memory.dmp

Filesize
64KB

Download
memory/4792-576-0x0000024AD2300000-0x0000024AD2310000-memory.dmp

Filesize
64KB

Download
memory/4792-577-0x0000024AD2300000-0x0000024AD2310000-memory.dmp

Filesize
64KB

Download
memory/4884-376-0x0000015D7BC80000-0x0000015D7BC90000-memory.dmp

Filesize
64KB

Download
memory/4884-377-0x0000015D7BC80000-0x0000015D7BC90000-memory.dmp

Filesize
64KB

Download
memory/4884-379-0x0000015D7BC80000-0x0000015D7BC90000-memory.dmp

Filesize
64KB

Download