6a90d89e0fb0a9e5ffa3da1423b1518f90fabc0bd242cb91ad9a734f7884cd56

Analysis

max time kernel
117s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2023, 09:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Get-DefenderIntegrity.txt
Size

7KB
MD5

3b5a4e389d1b9b18630cdc693395eabb
SHA1

ab8a8d7c70db9042ccb4455267cae68a73b0c5bd
SHA256

6a90d89e0fb0a9e5ffa3da1423b1518f90fabc0bd242cb91ad9a734f7884cd56
SHA512

5a7125dc7b478ada719660796a1a61b790eece4cbb4dd5a4b54dac71b6f4af09e94bf1802f613f2e2ab38af27e2ca5abcde7906bd91d1f08400fcbe39bfad3a9
SSDEEP

192:RA3CzhVZgT2K56lLtjYybBPGzaqMBgeEpMRZkMV:BeL56lxjYkBPI1MAMoMV

Score

3^/10

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1440	2636	WerFault.exe	84

Modifies registry class 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000060ac268a6d45d9011ad2a9926d45d9013a8341946d45d90114000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1836	notepad.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3672	powershell.exe
3672	powershell.exe
5100	powershell.exe
5100	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1184	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1184	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4584	3672	powershell.exe	92
PID 3672 wrote to memory of 4584	3672	powershell.exe	92
PID 5100 wrote to memory of 4032	5100	powershell.exe	95
PID 5100 wrote to memory of 4032	5100	powershell.exe	95

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Get-DefenderIntegrity.txt
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 2636 -ip 2636
1⤵
PID:1256

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2636 -s 840
1⤵
- Program crash
PID:1440

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\test.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:1836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\test.ps1'"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\system32\mode.com
  "C:\Windows\system32\mode.com" con:cols=100 lines=1
  2⤵
  PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\test.ps1'"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\system32\mode.com
  "C:\Windows\system32\mode.com" con:cols=100 lines=1
  2⤵
  PID:4032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
948df6ba4b0ca457ce87b3088e363bcb

SHA1
a33d10bcadf6f090f6bc98e632647c6a9f8a2872

SHA256
70e09eefe0caadc63817f9af0d2ffebaf7e2856146225d980a8af5f54a857295

SHA512
edd8e36c2c310540d6afcf116f95394ab60b2bf462177566babd2a1d08e8fd2356cd4f85292887937bcaecd5d46d5045fe637bae383aee0de3418f21f92165e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
3KB

MD5
6cbe188ec183f2da97273a7ec6e1bf1f

SHA1
eea011fa5180151c243990e2300321b44f99097c

SHA256
9a27e65f36bac9cae81e7c6d05807ac8acb5d1acdf93a6ee6f638017edb21a45

SHA512
c6ecf175b94f5454eb2bcc4ae3bc9ef22dada3a5af83ba8a85427cc5b991caa2c05c63125c3bf2817900ee7e486ff6ce869a449dde9cddfa5d2ce4b3c1f76917

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nsufemqn.vqd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmic_nt\wmic_tmp.zip

Filesize
473KB

MD5
8c09caa6b47622f4fb30b1565831d0f3

SHA1
26caf49e30ab73851ccd519f61c5f5340c7032c7

SHA256
a82e60a9d28ce002be80c5ec72ae23e8a314878457cbb2059b3356035d42714d

SHA512
3873299df7080c8b15aef6eb6f105aa4ad8cdc86a9783b474d947c7a4ab372e58002b9fceb9f8b697f13f70152ffb64935d9bb9a0d27546efaed145f2f95df65

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmic_tmp\FormatUpdate.txt

Filesize
472KB

MD5
3311ec20f3ccf726afb5ba087b6b5241

SHA1
5eb6626e527550a21258d4d994d11f4892cd2169

SHA256
d821580c32d6a284fda55392815a8c65e5d9695c93a68410d60ceacbe30d7033

SHA512
9c737665f31c3202c5fc1f512f4ffaca8da3384437fd525bd6b53ad6544983ea112266c6c2ffe18a5076e3bf84ea3dc200b43f09de66ea0025f98862a60419ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmic_tmp\wmic_clp.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
497e250633b6d00c05027c9e79cd4b10

SHA1
73b1957888845968478523797ffb22d6a100e3a6

SHA256
535a33a8def6b5b2800553b00d4b1c92b9b86a716b18ede976852c4a2cb4697a

SHA512
2bbf9819071ca15b84837b5e948d96b06a7fd64394a5326eb3494f344771c95b2ab0d5c153a15db0256ee139e8c65e1c55c2457e454df4c0afe1ba7a0f83350e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
3c01e3113856d6a95b79ff528486c7d6

SHA1
48918eaaf89cd53ed971b58e063b5030acd5796b

SHA256
134eb62960970590d33ade9a2bb9d08c9c12beb4a08452bf5a395036b8e43f0a

SHA512
2d163800b4b3ddf083fcafeed6d17ab159f107866009062a1480cc4eb46dedd97965fd52fd31a9af83c12b848e8835a94976daba67c29e860055024e8bbf52ef

Download Submit
C:\Users\Admin\Desktop\test.ps1

Filesize
7KB

MD5
3b5a4e389d1b9b18630cdc693395eabb

SHA1
ab8a8d7c70db9042ccb4455267cae68a73b0c5bd

SHA256
6a90d89e0fb0a9e5ffa3da1423b1518f90fabc0bd242cb91ad9a734f7884cd56

SHA512
5a7125dc7b478ada719660796a1a61b790eece4cbb4dd5a4b54dac71b6f4af09e94bf1802f613f2e2ab38af27e2ca5abcde7906bd91d1f08400fcbe39bfad3a9

Download Submit
memory/3672-166-0x000001E5F7690000-0x000001E5F76A0000-memory.dmp

Filesize
64KB

Download
memory/3672-147-0x000001E5F7690000-0x000001E5F76A0000-memory.dmp

Filesize
64KB

Download
memory/3672-163-0x000001E5F7690000-0x000001E5F76A0000-memory.dmp

Filesize
64KB

Download
memory/3672-164-0x000001E5F7690000-0x000001E5F76A0000-memory.dmp

Filesize
64KB

Download
memory/3672-165-0x000001E5F7690000-0x000001E5F76A0000-memory.dmp

Filesize
64KB

Download
memory/3672-155-0x000001E5F7650000-0x000001E5F765A000-memory.dmp

Filesize
40KB

Download
memory/3672-154-0x000001E5F7660000-0x000001E5F7672000-memory.dmp

Filesize
72KB

Download
memory/3672-152-0x000001E5F7BB0000-0x000001E5F7C26000-memory.dmp

Filesize
472KB

Download
memory/3672-151-0x000001E5F7AE0000-0x000001E5F7B24000-memory.dmp

Filesize
272KB

Download
memory/3672-149-0x000001E5F7690000-0x000001E5F76A0000-memory.dmp

Filesize
64KB

Download
memory/3672-142-0x000001E5F75E0000-0x000001E5F7602000-memory.dmp

Filesize
136KB

Download
memory/3672-162-0x000001E5F7690000-0x000001E5F76A0000-memory.dmp

Filesize
64KB

Download
memory/3672-148-0x000001E5F7690000-0x000001E5F76A0000-memory.dmp

Filesize
64KB

Download
memory/5100-189-0x000001A1AF6A0000-0x000001A1AF6B0000-memory.dmp

Filesize
64KB

Download
memory/5100-190-0x000001A1AF6A0000-0x000001A1AF6B0000-memory.dmp

Filesize
64KB

Download
memory/5100-188-0x000001A1AF6A0000-0x000001A1AF6B0000-memory.dmp

Filesize
64KB

Download
memory/5100-201-0x000001A1AF6A0000-0x000001A1AF6B0000-memory.dmp

Filesize
64KB

Download
memory/5100-202-0x000001A1AF6A0000-0x000001A1AF6B0000-memory.dmp

Filesize
64KB

Download
memory/5100-203-0x000001A1AF6A0000-0x000001A1AF6B0000-memory.dmp

Filesize
64KB

Download
memory/5100-204-0x000001A1AF6A0000-0x000001A1AF6B0000-memory.dmp

Filesize
64KB

Download
memory/5100-205-0x000001A1AF6A0000-0x000001A1AF6B0000-memory.dmp

Filesize
64KB

Download