66cf9aa479bdfc53f9255343b6421ba5c69149723cc9ef31373a0d0a31379fcf

Analysis

max time kernel
1800s
max time network
1578s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sss.exe
Size

208KB
MD5

9577a63626d2536e7416494f09f0eec2
SHA1

044ca0fecf2436aac3f9e7acc3c97b30588c594d
SHA256

77b4c0f9929073ce132223f3169349f3e7a626c392b7dbc1a39fa89265c2c6bf
SHA512

5098bba829a795c2aefa85a583388b71690f588dda92bb85b5304fd698e1aa77a610fe98ef93767803fc6fa11a46f94711bf1a4f9e0b7dc464ce61823b9e8763
SSDEEP

3072:KDEkVjGPsw40vLkVjqP4w6U+ToIuWNXmmZTWl/jC7gDooMLa6:K4kSuZToIuUXmmZbgDooMz

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4784	sss.exe
4784	sss.exe
4784	sss.exe
408	powershell.exe
408	powershell.exe
4128	powershell_ise.exe
3592	powershell_ise.exe
3592	powershell_ise.exe
4032	penis.exe
4032	penis.exe
3768	sss.exe
3768	sss.exe
3592	powershell_ise.exe
388	penis.exe
388	penis.exe
4236	sss.exe
4236	sss.exe
4236	sss.exe
5108	powershell_ise.exe
5108	powershell_ise.exe
4848	penis.exe
4848	penis.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
656	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	sss.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	4128	powershell_ise.exe
Token: SeDebugPrivilege	3592	powershell_ise.exe
Token: SeDebugPrivilege	4032	penis.exe
Token: SeDebugPrivilege	3768	sss.exe
Token: SeDebugPrivilege	388	penis.exe
Token: SeDebugPrivilege	4236	sss.exe
Token: SeDebugPrivilege	5108	powershell_ise.exe
Token: SeDebugPrivilege	4848	penis.exe
Token: SeDebugPrivilege	656	taskmgr.exe
Token: SeSystemProfilePrivilege	656	taskmgr.exe
Token: SeCreateGlobalPrivilege	656	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe
656	taskmgr.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4128	408	powershell.exe	103
PID 408 wrote to memory of 4128	408	powershell.exe	103
PID 408 wrote to memory of 3592	408	powershell.exe	104
PID 408 wrote to memory of 3592	408	powershell.exe	104
PID 3592 wrote to memory of 4032	3592	powershell_ise.exe	106
PID 3592 wrote to memory of 4032	3592	powershell_ise.exe	106
PID 4032 wrote to memory of 3768	4032	penis.exe	107
PID 4032 wrote to memory of 3768	4032	penis.exe	107
PID 408 wrote to memory of 388	408	powershell.exe	110
PID 408 wrote to memory of 388	408	powershell.exe	110
PID 388 wrote to memory of 4236	388	penis.exe	111
PID 388 wrote to memory of 4236	388	penis.exe	111
PID 388 wrote to memory of 5108	388	penis.exe	112
PID 388 wrote to memory of 5108	388	penis.exe	112
PID 2368 wrote to memory of 4848	2368	cmd.exe	116
PID 2368 wrote to memory of 4848	2368	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\sss.exe
"C:\Users\Admin\AppData\Local\Temp\sss.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" .\penis.exe .\sss.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" .\penis.exe,.\sss.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\penis.exe
    "C:\Users\Admin\AppData\Local\Temp\penis.exe" .\sss.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\sss.exe
      "C:\Users\Admin\AppData\Local\Temp\sss.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3768
- C:\Users\Admin\AppData\Local\Temp\penis.exe
  "C:\Users\Admin\AppData\Local\Temp\penis.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\sss.exe
    "C:\Users\Admin\AppData\Local\Temp\sss.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" .\penis.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5108

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c1ce948f66ab47b4bc7a7fd6a07a3778 /t 1384 /p 3768
1⤵
PID:780

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\79ce181960794574ace639949d46d0f0 /t 2240 /p 5108
1⤵
PID:952

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\penis.exe
  penis.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4848

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\penis.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell_ise.exe.log

Filesize
7KB

MD5
be28b4fce3524c74477ae819d747bc1c

SHA1
d5ebb49d5283949b9b3c035618ad4cd94da4d3f7

SHA256
d1fb9a4c7a6a6635487cb2514e51936dd99b2d6b365fd52a8ffa782a91ee2c11

SHA512
2129fbd82ff1ba24960e7950200fdad03b5d36dfc0b55a36ec57e8ca8c8551f1f17202ea24676f3a86a95591e08a2889d12408d95f2f01b74d0e56c668388b24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sss.exe.log

Filesize
6KB

MD5
ad2900d9e1e3efada98eeb49fd743851

SHA1
8fba5242fbf8cedc67e9204cad43b55b7e6c7c3a

SHA256
db7ca4262c1a588b85503af5bcb868a7e321c80a12698c4e07bc22a46faa88a5

SHA512
11ae1ffe38286d83c1465eb3f06b9f68d5eca95e7899e6ee47026206ec392190c641483f903189a52c636688717adb755369113d285c2edd6772fbb1e5d89201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ISE\S-1-5-5-0-86268\PowerShellISEPipeName_1_2f4f7be1-1588-4a8d-b8d5-71a9d5bcd6dd

Filesize
3B

MD5
10400c6faf166902b52fb97042f1e0eb

SHA1
d583c3aa489ed954df3be71e71deae3a9895857e

SHA256
df4e26a04a444901b95afef44e4a96cfae34690fff2ad2c66389c70079cdff2b

SHA512
b89cf2145f5528fa96fa0e68f7aa6e1fafe18c9886ec12f6a0cad20c970a514841f8109e8b2ed1a748a1afa4c44dd2834667069a165f7dd35532abe4db8c5a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ISE\S-1-5-5-0-86268\PowerShellISEPipeName_1_2f4f7be1-1588-4a8d-b8d5-71a9d5bcd6dd

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ISE\S-1-5-5-0-86268\PowerShellISEPipeName_1_2f4f7be1-1588-4a8d-b8d5-71a9d5bcd6dd

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ISE\S-1-5-5-0-86268\PowerShellISEPipeName_1_2f4f7be1-1588-4a8d-b8d5-71a9d5bcd6dd

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
6a1d732af6eb2d5e39917fb6d0d3cd40

SHA1
2981e90b27d16f79c07433cd177d5f77b0f26b42

SHA256
fb7e11ee05163c7dbcc973b194c6789afe2d8949c693b2e5b5ae71eb615fd563

SHA512
01750f3b62298f335786bcaddbd127c79c91cde0c2b2200dea8299e0a6ec45287b4cec597dfb556bde0d9ee7ac1227aeb26f05b7ca4859e6633aa202128dfca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
7a5b827ed6f4c842a6647e6f20bd934e

SHA1
83897c144857034f6770aec846b693a08769bd4c

SHA256
4242421979b67f3a403061780f2940c26052a223a1449598fca33941499084b2

SHA512
0a0d795491b8d05ef337fde45ed64d09d051a9f3a0b7f2fabcde9538490bef58bdc8f95bb7c563f91380a451b8117997d9a112837f699ca40495d4d93ea9ec91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\bjwdfvja.newcfg

Filesize
10KB

MD5
1610a44fbd181a68b2ebcbe5fd14b551

SHA1
9ef92014b925072f19ef7151d128dd9646f7e619

SHA256
82789ded885bbbc1b5198611c6baa8a92309221495e4b4f69205f9b9f84c212c

SHA512
b4bf7166ddf274b34321f62102d8be6cb0284210d5bfbbc7e46d1e3c37d692bf1c458c4a171b822995750e20baeb4a33ce123f47b55290af2977d4ae517cc42e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\user.config

Filesize
10KB

MD5
2263f49fc984bab1c35e6044912e96ee

SHA1
c4fc79406b3d0dbeddf2335cef3785c1a32aba0d

SHA256
f71d672fb7fc352cf5408756668affc56f681827abcbb501523fa22349abe1b7

SHA512
cf05d1ea555cbbf03e790a064c1620ddc96644b3f0741a215599e9d10c8d8698e2de96b7c6ce90b6be2a9023e5f896ecaf373ec6e0beb4522f392070daf4a7ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft_Corporation\sss.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\5lexfmmi.newcfg

Filesize
9KB

MD5
aa2e584f144f5dfb78ca34e844ded427

SHA1
658aac37353d4bd2ea62675444080edd5151aafa

SHA256
b30f9b38bcaa846f168f3d78e70f7b37eb9b618d6b2f691ff98a161da3480ab4

SHA512
be01e9ecd030e1f5fa316e8ac129a2314dc85d126847b11476d7fe0fee486652a3d3f36c68d13b96f72763e024d2cf53927583eb505bce49c23a040ad075c2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft_Corporation\sss.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\lshsj11u.tmp

Filesize
191B

MD5
7ffa55ff6ac84742fc67b49b83be3f12

SHA1
446ffc4c9e1d7626f078755e81e91d914e142f67

SHA256
786cb96e30e42c16784374e9e5e14298976752e69cfaaf7fcb2ed016d9e3b6bb

SHA512
59d9467f12f8386138b4a13ab68a98bddb3a8e213af4afb3cdce78d56d16d56f21453138e4ad183f228974ffa710ebe123e657a05f0ee2623c5e845c93c2b096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft_Corporation\sss.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\user.config

Filesize
9KB

MD5
aa2e584f144f5dfb78ca34e844ded427

SHA1
658aac37353d4bd2ea62675444080edd5151aafa

SHA256
b30f9b38bcaa846f168f3d78e70f7b37eb9b618d6b2f691ff98a161da3480ab4

SHA512
be01e9ecd030e1f5fa316e8ac129a2314dc85d126847b11476d7fe0fee486652a3d3f36c68d13b96f72763e024d2cf53927583eb505bce49c23a040ad075c2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPF\3wwxeylj.rgb

Filesize
4KB

MD5
f04a2805f60770668268454edfc499fa

SHA1
e65c58ef4c7387231f2d14ee39bdebb59b816bfe

SHA256
ab3a68d162953659e8c02dbd5c13121df9db824d404824450fd38134e32f5adf

SHA512
aa018fa1d2b6f54ea05252c042b20b093d00313e7673809948e8b0cbf78e61f8b0cb14f37108d4ae10b15094dde4f35d820300dd47fa9b99fde45f17030b6a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxdfdvs1.qqk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
156B

MD5
4cbe09785ce5c1407bfc687a785abe6c

SHA1
5de61b6631d889644b36af9bda89dd777a646fd6

SHA256
8bf47b9ea65df58ffbfba75690c06a66ee34586c4b722eb5a9f5b3fa23e34c2f

SHA512
a2f4d48cffb29c2d6157cd95804ab59db3e1ff46fd3d5be45126ff5542b04a1f100b2c59fd51f2559fa9c258269bf8ff85a7ab7222e17a12741ef536dcdb0b6c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
199B

MD5
9fee756b687398a5d94df85b3d824b6f

SHA1
37b178d132ef26aacec5f4de2e844bb84a4ee0fb

SHA256
b8cc61744285f45469275153ccb13bddcfbec489f9b4631212cbfb5e36e6a7da

SHA512
c06f927cd9f87a2106fbff8bde13b6d020e6db89aa13d8d98b57ceded42627f2776082906d95c147a859fc0af5d42f3815bcec1d89d786dd4f1ab15e5a926084

Download Submit
memory/388-412-0x000002B25B300000-0x000002B25B310000-memory.dmp

Filesize
64KB

Download
memory/388-406-0x000002B25B300000-0x000002B25B310000-memory.dmp

Filesize
64KB

Download
memory/388-408-0x000002B25B300000-0x000002B25B310000-memory.dmp

Filesize
64KB

Download
memory/388-407-0x000002B25B300000-0x000002B25B310000-memory.dmp

Filesize
64KB

Download
memory/388-410-0x000002B25B300000-0x000002B25B310000-memory.dmp

Filesize
64KB

Download
memory/388-411-0x000002B25B300000-0x000002B25B310000-memory.dmp

Filesize
64KB

Download
memory/408-195-0x000001E6D0BD0000-0x000001E6D0BE0000-memory.dmp

Filesize
64KB

Download
memory/408-196-0x000001E6D0BD0000-0x000001E6D0BE0000-memory.dmp

Filesize
64KB

Download
memory/408-208-0x000001E6D1C30000-0x000001E6D1CA6000-memory.dmp

Filesize
472KB

Download
memory/408-209-0x000001E6D0BD0000-0x000001E6D0BE0000-memory.dmp

Filesize
64KB

Download
memory/408-210-0x000001E6D0BD0000-0x000001E6D0BE0000-memory.dmp

Filesize
64KB

Download
memory/408-211-0x000001E6D0BD0000-0x000001E6D0BE0000-memory.dmp

Filesize
64KB

Download
memory/408-212-0x000001E6D0BD0000-0x000001E6D0BE0000-memory.dmp

Filesize
64KB

Download
memory/408-219-0x000001E6D1BB0000-0x000001E6D1BCE000-memory.dmp

Filesize
120KB

Download
memory/408-206-0x000001E6D1B60000-0x000001E6D1BA4000-memory.dmp

Filesize
272KB

Download
memory/656-689-0x0000026C466F0000-0x0000026C466F1000-memory.dmp

Filesize
4KB

Download
memory/656-690-0x0000026C466F0000-0x0000026C466F1000-memory.dmp

Filesize
4KB

Download
memory/656-682-0x0000026C466F0000-0x0000026C466F1000-memory.dmp

Filesize
4KB

Download
memory/656-683-0x0000026C466F0000-0x0000026C466F1000-memory.dmp

Filesize
4KB

Download
memory/656-684-0x0000026C466F0000-0x0000026C466F1000-memory.dmp

Filesize
4KB

Download
memory/656-691-0x0000026C466F0000-0x0000026C466F1000-memory.dmp

Filesize
4KB

Download
memory/656-688-0x0000026C466F0000-0x0000026C466F1000-memory.dmp

Filesize
4KB

Download
memory/656-694-0x0000026C466F0000-0x0000026C466F1000-memory.dmp

Filesize
4KB

Download
memory/656-693-0x0000026C466F0000-0x0000026C466F1000-memory.dmp

Filesize
4KB

Download
memory/656-692-0x0000026C466F0000-0x0000026C466F1000-memory.dmp

Filesize
4KB

Download
memory/3592-242-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3592-247-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3592-248-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3592-249-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3592-250-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3592-246-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3592-245-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3592-244-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3592-243-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3592-240-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3592-226-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3592-225-0x000001C4A2040000-0x000001C4A2050000-memory.dmp

Filesize
64KB

Download
memory/3768-283-0x000001EAE7F70000-0x000001EAE7F80000-memory.dmp

Filesize
64KB

Download
memory/3768-263-0x000001EAE7F70000-0x000001EAE7F80000-memory.dmp

Filesize
64KB

Download
memory/3768-281-0x000001EAE7F70000-0x000001EAE7F80000-memory.dmp

Filesize
64KB

Download
memory/3768-284-0x000001EAE7F70000-0x000001EAE7F80000-memory.dmp

Filesize
64KB

Download
memory/3768-285-0x000001EAE7F70000-0x000001EAE7F80000-memory.dmp

Filesize
64KB

Download
memory/3768-282-0x000001EAE7F70000-0x000001EAE7F80000-memory.dmp

Filesize
64KB

Download
memory/3768-280-0x000001EAE7F70000-0x000001EAE7F80000-memory.dmp

Filesize
64KB

Download
memory/3768-264-0x000001EAE7F70000-0x000001EAE7F80000-memory.dmp

Filesize
64KB

Download
memory/4128-221-0x0000022765FF0000-0x0000022766028000-memory.dmp

Filesize
224KB

Download
memory/4128-223-0x00000227027F0000-0x0000022702800000-memory.dmp

Filesize
64KB

Download
memory/4128-222-0x00000227027F0000-0x0000022702800000-memory.dmp

Filesize
64KB

Download
memory/4236-474-0x0000019332630000-0x0000019332640000-memory.dmp

Filesize
64KB

Download
memory/4236-473-0x0000019332630000-0x0000019332640000-memory.dmp

Filesize
64KB

Download
memory/4236-431-0x0000019332630000-0x0000019332640000-memory.dmp

Filesize
64KB

Download
memory/4236-430-0x0000019332630000-0x0000019332640000-memory.dmp

Filesize
64KB

Download
memory/4236-415-0x0000019332630000-0x0000019332640000-memory.dmp

Filesize
64KB

Download
memory/4236-414-0x0000019332630000-0x0000019332640000-memory.dmp

Filesize
64KB

Download
memory/4784-137-0x000002756A020000-0x000002756A02E000-memory.dmp

Filesize
56KB

Download
memory/4784-134-0x000002756A070000-0x000002756A0BA000-memory.dmp

Filesize
296KB

Download
memory/4784-143-0x000002756A050000-0x000002756A058000-memory.dmp

Filesize
32KB

Download
memory/4784-153-0x000002756A420000-0x000002756A442000-memory.dmp

Filesize
136KB

Download
memory/4784-154-0x000002754E5D0000-0x000002754E5E0000-memory.dmp

Filesize
64KB

Download
memory/4784-155-0x000002756A120000-0x000002756A128000-memory.dmp

Filesize
32KB

Download
memory/4784-156-0x000002756A130000-0x000002756A138000-memory.dmp

Filesize
32KB

Download
memory/4784-136-0x000002754E5D0000-0x000002754E5E0000-memory.dmp

Filesize
64KB

Download
memory/4784-135-0x000002754E5D0000-0x000002754E5E0000-memory.dmp

Filesize
64KB

Download
memory/4784-138-0x000002756A0C0000-0x000002756A0F8000-memory.dmp

Filesize
224KB

Download
memory/4784-157-0x0000027569840000-0x0000027569848000-memory.dmp

Filesize
32KB

Download
memory/4784-163-0x000002754E5D0000-0x000002754E5E0000-memory.dmp

Filesize
64KB

Download
memory/4784-165-0x0000027569A60000-0x0000027569A72000-memory.dmp

Filesize
72KB

Download
memory/4784-166-0x0000027569AC0000-0x0000027569AFC000-memory.dmp

Filesize
240KB

Download
memory/4784-158-0x0000027569880000-0x00000275698A6000-memory.dmp

Filesize
152KB

Download
memory/4784-159-0x000002754E5D0000-0x000002754E5E0000-memory.dmp

Filesize
64KB

Download
memory/4784-133-0x000002754C9A0000-0x000002754C9D8000-memory.dmp

Filesize
224KB

Download
memory/4784-160-0x000002754E5D0000-0x000002754E5E0000-memory.dmp

Filesize
64KB

Download
memory/4784-161-0x000002754E5D0000-0x000002754E5E0000-memory.dmp

Filesize
64KB

Download
memory/4784-162-0x000002754E5D0000-0x000002754E5E0000-memory.dmp

Filesize
64KB

Download