laplas | 753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd

Analysis

max time kernel
298s
max time network
186s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
16-07-2023 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Size

2.3MB
MD5

9b06361b484531e8d71b64fbb32534d9
SHA1

6c47e8bfaf1b82c57c861312f1fe130cc5e21c96
SHA256

753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd
SHA512

dd9ab0d96801bdc8e541c60f0cb23f8c5089f8cefd4fa9041dae5d6d7e393f27ff25cc445117e3804f235fabce0fd2ae80d284463ef2278da5afb6a81f285bbb
SSDEEP

49152:SgUFBrKkyuD7ug6e1NsUfgvig28JUU1y4unHZ1IxLRoV:eJK1umgBUU+n28uUMxHXIh6

Score

10^/10

laplas redline 150723_rc_11 clipper evasion infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

150723_rc_11

rcam15.tuktuk.ug:11290

Attributes

auth_value
0b3645317afbcac212f68853bb45b46d

Extracted

Family

laplas

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 332 created 3360	332	TaskMnr.exe	25
PID 332 created 3360	332	TaskMnr.exe	25
PID 332 created 3360	332	TaskMnr.exe	25
PID 332 created 3360	332	TaskMnr.exe	25
PID 332 created 3360	332	TaskMnr.exe	25

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Octium.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TaskMnr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	TaskMnr.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Octium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Octium.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TaskMnr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TaskMnr.exe

Executes dropped EXE 3 IoCs

pid	Process
4188	Octium.exe
332	TaskMnr.exe
1200	ntlhost.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1452-128-0x00000000009C0000-0x0000000000F7A000-memory.dmp	themida
behavioral2/memory/1452-168-0x00000000009C0000-0x0000000000F7A000-memory.dmp	themida
behavioral2/files/0x000700000001afcf-607.dat	themida
behavioral2/files/0x000700000001afcf-608.dat	themida
behavioral2/memory/332-611-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp	themida
behavioral2/memory/332-613-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp	themida
behavioral2/memory/332-614-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp	themida
behavioral2/memory/332-615-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp	themida
behavioral2/memory/332-616-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp	themida
behavioral2/memory/332-617-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp	themida
behavioral2/memory/332-619-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp	themida
behavioral2/memory/332-625-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp	themida
behavioral2/memory/332-646-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp	themida
behavioral2/memory/332-760-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	Octium.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Octium.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TaskMnr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
4188	Octium.exe
332	TaskMnr.exe
1200	ntlhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1452 set thread context of 1044	1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe	69

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	TaskMnr.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2600	sc.exe
2532	sc.exe
3176	sc.exe
2336	sc.exe
844	sc.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	11	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
1044	AppLaunch.exe
1044	AppLaunch.exe
332	TaskMnr.exe
332	TaskMnr.exe
4172	powershell.exe
4172	powershell.exe
332	TaskMnr.exe
332	TaskMnr.exe
4172	powershell.exe
332	TaskMnr.exe
332	TaskMnr.exe
332	TaskMnr.exe
332	TaskMnr.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
332	TaskMnr.exe
332	TaskMnr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
Token: SeDebugPrivilege	1044	AppLaunch.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeIncreaseQuotaPrivilege	4172	powershell.exe
Token: SeSecurityPrivilege	4172	powershell.exe
Token: SeTakeOwnershipPrivilege	4172	powershell.exe
Token: SeLoadDriverPrivilege	4172	powershell.exe
Token: SeSystemProfilePrivilege	4172	powershell.exe
Token: SeSystemtimePrivilege	4172	powershell.exe
Token: SeProfSingleProcessPrivilege	4172	powershell.exe
Token: SeIncBasePriorityPrivilege	4172	powershell.exe
Token: SeCreatePagefilePrivilege	4172	powershell.exe
Token: SeBackupPrivilege	4172	powershell.exe
Token: SeRestorePrivilege	4172	powershell.exe
Token: SeShutdownPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeSystemEnvironmentPrivilege	4172	powershell.exe
Token: SeRemoteShutdownPrivilege	4172	powershell.exe
Token: SeUndockPrivilege	4172	powershell.exe
Token: SeManageVolumePrivilege	4172	powershell.exe
Token: 33	4172	powershell.exe
Token: 34	4172	powershell.exe
Token: 35	4172	powershell.exe
Token: 36	4172	powershell.exe
Token: SeShutdownPrivilege	4640	powercfg.exe
Token: SeCreatePagefilePrivilege	4640	powercfg.exe
Token: SeShutdownPrivilege	1012	powercfg.exe
Token: SeCreatePagefilePrivilege	1012	powercfg.exe
Token: SeShutdownPrivilege	676	powercfg.exe
Token: SeCreatePagefilePrivilege	676	powercfg.exe
Token: SeShutdownPrivilege	3432	powercfg.exe
Token: SeCreatePagefilePrivilege	3432	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1672	powershell.exe
Token: SeSecurityPrivilege	1672	powershell.exe
Token: SeTakeOwnershipPrivilege	1672	powershell.exe
Token: SeLoadDriverPrivilege	1672	powershell.exe
Token: SeSystemProfilePrivilege	1672	powershell.exe
Token: SeSystemtimePrivilege	1672	powershell.exe
Token: SeProfSingleProcessPrivilege	1672	powershell.exe
Token: SeIncBasePriorityPrivilege	1672	powershell.exe
Token: SeCreatePagefilePrivilege	1672	powershell.exe
Token: SeBackupPrivilege	1672	powershell.exe
Token: SeRestorePrivilege	1672	powershell.exe
Token: SeShutdownPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeSystemEnvironmentPrivilege	1672	powershell.exe
Token: SeRemoteShutdownPrivilege	1672	powershell.exe
Token: SeUndockPrivilege	1672	powershell.exe
Token: SeManageVolumePrivilege	1672	powershell.exe
Token: 33	1672	powershell.exe
Token: 34	1672	powershell.exe
Token: 35	1672	powershell.exe
Token: 36	1672	powershell.exe
Token: SeIncreaseQuotaPrivilege	1672	powershell.exe
Token: SeSecurityPrivilege	1672	powershell.exe
Token: SeTakeOwnershipPrivilege	1672	powershell.exe
Token: SeLoadDriverPrivilege	1672	powershell.exe
Token: SeSystemProfilePrivilege	1672	powershell.exe
Token: SeSystemtimePrivilege	1672	powershell.exe
Token: SeProfSingleProcessPrivilege	1672	powershell.exe
Token: SeIncBasePriorityPrivilege	1672	powershell.exe
Token: SeCreatePagefilePrivilege	1672	powershell.exe
Token: SeBackupPrivilege	1672	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1044	1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe	69
PID 1452 wrote to memory of 1044	1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe	69
PID 1452 wrote to memory of 1044	1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe	69
PID 1452 wrote to memory of 1044	1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe	69
PID 1452 wrote to memory of 1044	1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe	69
PID 1452 wrote to memory of 1044	1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe	69
PID 1452 wrote to memory of 1044	1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe	69
PID 1452 wrote to memory of 1044	1452	753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe	69
PID 1044 wrote to memory of 4188	1044	AppLaunch.exe	71
PID 1044 wrote to memory of 4188	1044	AppLaunch.exe	71
PID 1044 wrote to memory of 332	1044	AppLaunch.exe	72
PID 1044 wrote to memory of 332	1044	AppLaunch.exe	72
PID 4188 wrote to memory of 1200	4188	Octium.exe	73
PID 4188 wrote to memory of 1200	4188	Octium.exe	73
PID 4892 wrote to memory of 2532	4892	cmd.exe	79
PID 4892 wrote to memory of 2532	4892	cmd.exe	79
PID 4892 wrote to memory of 3176	4892	cmd.exe	80
PID 4892 wrote to memory of 3176	4892	cmd.exe	80
PID 4892 wrote to memory of 2600	4892	cmd.exe	87
PID 4892 wrote to memory of 2600	4892	cmd.exe	87
PID 4892 wrote to memory of 844	4892	cmd.exe	86
PID 4892 wrote to memory of 844	4892	cmd.exe	86
PID 4892 wrote to memory of 2336	4892	cmd.exe	85
PID 4892 wrote to memory of 2336	4892	cmd.exe	85
PID 3832 wrote to memory of 4640	3832	cmd.exe	88
PID 3832 wrote to memory of 4640	3832	cmd.exe	88
PID 3832 wrote to memory of 1012	3832	cmd.exe	89
PID 3832 wrote to memory of 1012	3832	cmd.exe	89
PID 3832 wrote to memory of 676	3832	cmd.exe	91
PID 3832 wrote to memory of 676	3832	cmd.exe	91
PID 3832 wrote to memory of 3432	3832	cmd.exe	92
PID 3832 wrote to memory of 3432	3832	cmd.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe
  "C:\Users\Admin\AppData\Local\Temp\753fbc1dfa05d6007c5dfa534a7d019cbb24d07224b67ae9d48c9772039c63cd.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\Octium.exe
      "C:\Users\Admin\AppData\Local\Temp\Octium.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:4188
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe
      "C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4172
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2532
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3176
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2336
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:844
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2600
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd9d8ef3f6a077833e1351defb5446ff

SHA1
2b19c80e3e98a54e4d9f97e78a6d49da7f17b19f

SHA256
2768a970139b048a938ac3711725750d8c652d458d57ee599843bfc7cf2dd8c6

SHA512
a8fb5726fe357b0775afc01e268655757c9b067cb19899d5f046ae3cd09a21eb384c51d407279058dee134162e78000ce19624212322f3f22a8c59dca2119e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Octium.exe

Filesize
5.1MB

MD5
2f5fffc7e0e41a5c84b551ce5a423389

SHA1
c95e5360ce09ac18d25e89e66c4f51db9cdec43b

SHA256
807f54c88592025c02077930259ed3a4c6a3e216a8d53350bbebcb5c597bab2d

SHA512
7dba8647e20f929d6debd98f2c6254e5cc54ea3249263df4743d9d6048a5061b9632ca595507e00e7230dd297736b9d5dd2fdfcc4451906793b29edc00f3234a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Octium.exe

Filesize
5.1MB

MD5
2f5fffc7e0e41a5c84b551ce5a423389

SHA1
c95e5360ce09ac18d25e89e66c4f51db9cdec43b

SHA256
807f54c88592025c02077930259ed3a4c6a3e216a8d53350bbebcb5c597bab2d

SHA512
7dba8647e20f929d6debd98f2c6254e5cc54ea3249263df4743d9d6048a5061b9632ca595507e00e7230dd297736b9d5dd2fdfcc4451906793b29edc00f3234a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskMnr.exe

Filesize
12.5MB

MD5
8dbc96129e97e6f44fe615670544f915

SHA1
8b93742b542ea62e08ff1e78e9f5cf8d53d4a57a

SHA256
0cd34919fdb6f1b491d68f0702444567f77bb2afeb13a6d834cab12ea8b5c683

SHA512
63363bb30aa06ce40b7c0d72991ded014823b9f427e8439e6d20064aa533659eb0d31de955ee3d511de7e3c2c7d67269f7072b1f6a2f0aa19c5fa2a64180ef7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hyrfp5h.5sy.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
822.1MB

MD5
5605a45cfa40172ba2fd8400ad84fa62

SHA1
4d084db6ab9aa221209f87ee7c5845655c933074

SHA256
0f1a8f3a689e2967f8dc102136b52b3dcf4e152a34c3c54cd6fa4e8af78e9ac0

SHA512
9cf55f6200dba0f5605c4e43ce909576822cf21d50815eb1e0b596bfe4de54bb89d5a51d6317a1d5d04726075948f4aeec0968cefd06fc3fdf3e2b3446c1db57

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
822.1MB

MD5
5605a45cfa40172ba2fd8400ad84fa62

SHA1
4d084db6ab9aa221209f87ee7c5845655c933074

SHA256
0f1a8f3a689e2967f8dc102136b52b3dcf4e152a34c3c54cd6fa4e8af78e9ac0

SHA512
9cf55f6200dba0f5605c4e43ce909576822cf21d50815eb1e0b596bfe4de54bb89d5a51d6317a1d5d04726075948f4aeec0968cefd06fc3fdf3e2b3446c1db57

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
822.1MB

MD5
5605a45cfa40172ba2fd8400ad84fa62

SHA1
4d084db6ab9aa221209f87ee7c5845655c933074

SHA256
0f1a8f3a689e2967f8dc102136b52b3dcf4e152a34c3c54cd6fa4e8af78e9ac0

SHA512
9cf55f6200dba0f5605c4e43ce909576822cf21d50815eb1e0b596bfe4de54bb89d5a51d6317a1d5d04726075948f4aeec0968cefd06fc3fdf3e2b3446c1db57

Download Submit
memory/332-625-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp

Filesize
15.6MB

Download
memory/332-758-0x00007FFAF7320000-0x00007FFAF74FB000-memory.dmp

Filesize
1.9MB

Download
memory/332-619-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp

Filesize
15.6MB

Download
memory/332-617-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp

Filesize
15.6MB

Download
memory/332-616-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp

Filesize
15.6MB

Download
memory/332-615-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp

Filesize
15.6MB

Download
memory/332-614-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp

Filesize
15.6MB

Download
memory/332-613-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp

Filesize
15.6MB

Download
memory/332-611-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp

Filesize
15.6MB

Download
memory/332-760-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp

Filesize
15.6MB

Download
memory/332-610-0x00007FFAF7320000-0x00007FFAF74FB000-memory.dmp

Filesize
1.9MB

Download
memory/332-627-0x00007FFAF7320000-0x00007FFAF74FB000-memory.dmp

Filesize
1.9MB

Download
memory/332-646-0x00007FF6AD770000-0x00007FF6AE710000-memory.dmp

Filesize
15.6MB

Download
memory/1044-573-0x0000000006CE0000-0x0000000006CF0000-memory.dmp

Filesize
64KB

Download
memory/1044-185-0x000000000AB10000-0x000000000B00E000-memory.dmp

Filesize
5.0MB

Download
memory/1044-184-0x0000000009810000-0x0000000009876000-memory.dmp

Filesize
408KB

Download
memory/1044-194-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/1044-161-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1044-193-0x000000000CC90000-0x000000000D1BC000-memory.dmp

Filesize
5.2MB

Download
memory/1044-167-0x0000000006CC0000-0x0000000006CC6000-memory.dmp

Filesize
24KB

Download
memory/1044-169-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/1044-192-0x000000000B010000-0x000000000B1D2000-memory.dmp

Filesize
1.8MB

Download
memory/1044-612-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/1044-172-0x00000000099F0000-0x0000000009FF6000-memory.dmp

Filesize
6.0MB

Download
memory/1044-173-0x00000000094F0000-0x00000000095FA000-memory.dmp

Filesize
1.0MB

Download
memory/1044-174-0x0000000006CE0000-0x0000000006CF0000-memory.dmp

Filesize
64KB

Download
memory/1044-175-0x0000000009400000-0x0000000009412000-memory.dmp

Filesize
72KB

Download
memory/1044-176-0x0000000009460000-0x000000000949E000-memory.dmp

Filesize
248KB

Download
memory/1044-177-0x0000000009600000-0x000000000964B000-memory.dmp

Filesize
300KB

Download
memory/1044-182-0x0000000009790000-0x0000000009806000-memory.dmp

Filesize
472KB

Download
memory/1044-183-0x00000000098B0000-0x0000000009942000-memory.dmp

Filesize
584KB

Download
memory/1200-640-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-632-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-736-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-710-0x00007FFAF7320000-0x00007FFAF74FB000-memory.dmp

Filesize
1.9MB

Download
memory/1200-686-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-664-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-660-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-649-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-647-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-645-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-644-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-642-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-641-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-639-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-638-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-637-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-636-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-635-0x0000000000230000-0x0000000000C58000-memory.dmp

Filesize
10.2MB

Download
memory/1200-634-0x00007FFAF7320000-0x00007FFAF74FB000-memory.dmp

Filesize
1.9MB

Download
memory/1452-130-0x00000000009C0000-0x0000000000F7A000-memory.dmp

Filesize
5.7MB

Download
memory/1452-170-0x0000000074270000-0x0000000074432000-memory.dmp

Filesize
1.8MB

Download
memory/1452-150-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-148-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-146-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-144-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-142-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-140-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-137-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-138-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-123-0x0000000074FF0000-0x00000000750C0000-memory.dmp

Filesize
832KB

Download
memory/1452-136-0x0000000003140000-0x000000000315C000-memory.dmp

Filesize
112KB

Download
memory/1452-135-0x0000000074FF0000-0x00000000750C0000-memory.dmp

Filesize
832KB

Download
memory/1452-154-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-122-0x0000000074FF0000-0x00000000750C0000-memory.dmp

Filesize
832KB

Download
memory/1452-152-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-134-0x0000000074270000-0x0000000074432000-memory.dmp

Filesize
1.8MB

Download
memory/1452-125-0x0000000074FF0000-0x00000000750C0000-memory.dmp

Filesize
832KB

Download
memory/1452-133-0x0000000074FF0000-0x00000000750C0000-memory.dmp

Filesize
832KB

Download
memory/1452-132-0x0000000074FF0000-0x00000000750C0000-memory.dmp

Filesize
832KB

Download
memory/1452-171-0x0000000074FF0000-0x00000000750C0000-memory.dmp

Filesize
832KB

Download
memory/1452-156-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-128-0x00000000009C0000-0x0000000000F7A000-memory.dmp

Filesize
5.7MB

Download
memory/1452-129-0x00000000058B0000-0x000000000594C000-memory.dmp

Filesize
624KB

Download
memory/1452-158-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-124-0x0000000074270000-0x0000000074432000-memory.dmp

Filesize
1.8MB

Download
memory/1452-168-0x00000000009C0000-0x0000000000F7A000-memory.dmp

Filesize
5.7MB

Download
memory/1452-160-0x0000000003140000-0x0000000003155000-memory.dmp

Filesize
84KB

Download
memory/1452-121-0x00000000009C0000-0x0000000000F7A000-memory.dmp

Filesize
5.7MB

Download
memory/1672-766-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/1672-709-0x00000230DC990000-0x00000230DC9A0000-memory.dmp

Filesize
64KB

Download
memory/1672-711-0x00000230DC990000-0x00000230DC9A0000-memory.dmp

Filesize
64KB

Download
memory/1672-737-0x00000230DC990000-0x00000230DC9A0000-memory.dmp

Filesize
64KB

Download
memory/1672-708-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/4172-688-0x00000291376E0000-0x00000291376F0000-memory.dmp

Filesize
64KB

Download
memory/4172-731-0x00000291376E0000-0x00000291376F0000-memory.dmp

Filesize
64KB

Download
memory/4172-735-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/4172-665-0x000002914FF80000-0x000002914FFF6000-memory.dmp

Filesize
472KB

Download
memory/4172-658-0x00000291376E0000-0x00000291376F0000-memory.dmp

Filesize
64KB

Download
memory/4172-655-0x000002914FE50000-0x000002914FE72000-memory.dmp

Filesize
136KB

Download
memory/4172-656-0x00007FFADB7C0000-0x00007FFADC1AC000-memory.dmp

Filesize
9.9MB

Download
memory/4172-657-0x00000291376E0000-0x00000291376F0000-memory.dmp

Filesize
64KB

Download
memory/4188-624-0x00007FFAF7320000-0x00007FFAF74FB000-memory.dmp

Filesize
1.9MB

Download
memory/4188-587-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-588-0x00007FFAF7320000-0x00007FFAF74FB000-memory.dmp

Filesize
1.9MB

Download
memory/4188-589-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-590-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-591-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-592-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-596-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-599-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-601-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-602-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-603-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-633-0x00007FFAF7320000-0x00007FFAF74FB000-memory.dmp

Filesize
1.9MB

Download
memory/4188-605-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-631-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-626-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-623-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-621-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download
memory/4188-618-0x00000000000C0000-0x0000000000AE8000-memory.dmp

Filesize
10.2MB

Download