0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9

Analysis

max time kernel
283s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20230703-es
resource tags

arch:x64arch:x86image:win10v2004-20230703-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
31/08/2023, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TCPOptimizer.exe
Size

668KB
MD5

d8292150c8ce862a97a923318df07805
SHA1

917f917ff9fe33e199388e5e1d4c0696882d2991
SHA256

0a49dc0d2ce725af347df632539b70afcfd22b38e285920b515143332a5511e9
SHA512

3f23dd72d066d3f09a49c5dcf062471cfd412cf65934c25887774c1060d2efa8cb277df5ffb89272c5cb1aab6498e3e82b9d6ec9725b5b7263de60cc9198d475
SSDEEP

6144:h0eD/NMpAte8M0Ic61arFbMAIhTRlDDHbndz+vTEEIeh+b6YzICrz/KiiUy5q7:C1B8g1arhMAURdndzQTEEI7b6Yz3m5W

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\explorer.exe = "10"	TCPOptimizer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\iexplore.exe = "10"	TCPOptimizer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\explorer.exe = "10"	TCPOptimizer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\iexplore.exe = "10"	TCPOptimizer.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3628	PowerShell.exe
3628	PowerShell.exe
4140	PowerShell.exe
4140	PowerShell.exe
5044	PowerShell.exe
5044	PowerShell.exe
3652	PowerShell.exe
3652	PowerShell.exe
3844	powershell.exe
3844	powershell.exe
4164	PowerShell.exe
4164	PowerShell.exe
4116	PowerShell.exe
4116	PowerShell.exe
4776	PowerShell.exe
4776	PowerShell.exe
3536	PowerShell.exe
3536	PowerShell.exe
2644	PowerShell.exe
2644	PowerShell.exe
3180	PowerShell.exe
3180	PowerShell.exe
3088	PowerShell.exe
3088	PowerShell.exe
5068	PowerShell.exe
5068	PowerShell.exe
3120	PowerShell.exe
3120	PowerShell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1488	TCPOptimizer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3628	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	3628	PowerShell.exe
Token: SeSecurityPrivilege	3628	PowerShell.exe
Token: SeTakeOwnershipPrivilege	3628	PowerShell.exe
Token: SeLoadDriverPrivilege	3628	PowerShell.exe
Token: SeSystemProfilePrivilege	3628	PowerShell.exe
Token: SeSystemtimePrivilege	3628	PowerShell.exe
Token: SeProfSingleProcessPrivilege	3628	PowerShell.exe
Token: SeIncBasePriorityPrivilege	3628	PowerShell.exe
Token: SeCreatePagefilePrivilege	3628	PowerShell.exe
Token: SeBackupPrivilege	3628	PowerShell.exe
Token: SeRestorePrivilege	3628	PowerShell.exe
Token: SeShutdownPrivilege	3628	PowerShell.exe
Token: SeDebugPrivilege	3628	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	3628	PowerShell.exe
Token: SeRemoteShutdownPrivilege	3628	PowerShell.exe
Token: SeUndockPrivilege	3628	PowerShell.exe
Token: SeManageVolumePrivilege	3628	PowerShell.exe
Token: 33	3628	PowerShell.exe
Token: 34	3628	PowerShell.exe
Token: 35	3628	PowerShell.exe
Token: 36	3628	PowerShell.exe
Token: SeDebugPrivilege	4140	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4140	PowerShell.exe
Token: SeSecurityPrivilege	4140	PowerShell.exe
Token: SeTakeOwnershipPrivilege	4140	PowerShell.exe
Token: SeLoadDriverPrivilege	4140	PowerShell.exe
Token: SeSystemProfilePrivilege	4140	PowerShell.exe
Token: SeSystemtimePrivilege	4140	PowerShell.exe
Token: SeProfSingleProcessPrivilege	4140	PowerShell.exe
Token: SeIncBasePriorityPrivilege	4140	PowerShell.exe
Token: SeCreatePagefilePrivilege	4140	PowerShell.exe
Token: SeBackupPrivilege	4140	PowerShell.exe
Token: SeRestorePrivilege	4140	PowerShell.exe
Token: SeShutdownPrivilege	4140	PowerShell.exe
Token: SeDebugPrivilege	4140	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	4140	PowerShell.exe
Token: SeRemoteShutdownPrivilege	4140	PowerShell.exe
Token: SeUndockPrivilege	4140	PowerShell.exe
Token: SeManageVolumePrivilege	4140	PowerShell.exe
Token: 33	4140	PowerShell.exe
Token: 34	4140	PowerShell.exe
Token: 35	4140	PowerShell.exe
Token: 36	4140	PowerShell.exe
Token: SeDebugPrivilege	5044	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	5044	PowerShell.exe
Token: SeSecurityPrivilege	5044	PowerShell.exe
Token: SeTakeOwnershipPrivilege	5044	PowerShell.exe
Token: SeLoadDriverPrivilege	5044	PowerShell.exe
Token: SeSystemProfilePrivilege	5044	PowerShell.exe
Token: SeSystemtimePrivilege	5044	PowerShell.exe
Token: SeProfSingleProcessPrivilege	5044	PowerShell.exe
Token: SeIncBasePriorityPrivilege	5044	PowerShell.exe
Token: SeCreatePagefilePrivilege	5044	PowerShell.exe
Token: SeBackupPrivilege	5044	PowerShell.exe
Token: SeRestorePrivilege	5044	PowerShell.exe
Token: SeShutdownPrivilege	5044	PowerShell.exe
Token: SeDebugPrivilege	5044	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	5044	PowerShell.exe
Token: SeRemoteShutdownPrivilege	5044	PowerShell.exe
Token: SeUndockPrivilege	5044	PowerShell.exe
Token: SeManageVolumePrivilege	5044	PowerShell.exe
Token: 33	5044	PowerShell.exe
Token: 34	5044	PowerShell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1488	TCPOptimizer.exe
1488	TCPOptimizer.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 864	1488	TCPOptimizer.exe	82
PID 1488 wrote to memory of 864	1488	TCPOptimizer.exe	82
PID 1488 wrote to memory of 864	1488	TCPOptimizer.exe	82
PID 1488 wrote to memory of 664	1488	TCPOptimizer.exe	84
PID 1488 wrote to memory of 664	1488	TCPOptimizer.exe	84
PID 1488 wrote to memory of 3628	1488	TCPOptimizer.exe	87
PID 1488 wrote to memory of 3628	1488	TCPOptimizer.exe	87
PID 1488 wrote to memory of 4140	1488	TCPOptimizer.exe	96
PID 1488 wrote to memory of 4140	1488	TCPOptimizer.exe	96
PID 1488 wrote to memory of 5044	1488	TCPOptimizer.exe	98
PID 1488 wrote to memory of 5044	1488	TCPOptimizer.exe	98
PID 1488 wrote to memory of 1492	1488	TCPOptimizer.exe	102
PID 1488 wrote to memory of 1492	1488	TCPOptimizer.exe	102
PID 1488 wrote to memory of 3652	1488	TCPOptimizer.exe	104
PID 1488 wrote to memory of 3652	1488	TCPOptimizer.exe	104
PID 1488 wrote to memory of 3844	1488	TCPOptimizer.exe	109
PID 1488 wrote to memory of 3844	1488	TCPOptimizer.exe	109
PID 1488 wrote to memory of 4164	1488	TCPOptimizer.exe	112
PID 1488 wrote to memory of 4164	1488	TCPOptimizer.exe	112
PID 1488 wrote to memory of 4116	1488	TCPOptimizer.exe	116
PID 1488 wrote to memory of 4116	1488	TCPOptimizer.exe	116
PID 1488 wrote to memory of 4776	1488	TCPOptimizer.exe	118
PID 1488 wrote to memory of 4776	1488	TCPOptimizer.exe	118
PID 1488 wrote to memory of 3536	1488	TCPOptimizer.exe	120
PID 1488 wrote to memory of 3536	1488	TCPOptimizer.exe	120
PID 1488 wrote to memory of 2644	1488	TCPOptimizer.exe	122
PID 1488 wrote to memory of 2644	1488	TCPOptimizer.exe	122
PID 1488 wrote to memory of 2204	1488	TCPOptimizer.exe	124
PID 1488 wrote to memory of 2204	1488	TCPOptimizer.exe	124
PID 1488 wrote to memory of 3180	1488	TCPOptimizer.exe	126
PID 1488 wrote to memory of 3180	1488	TCPOptimizer.exe	126
PID 1488 wrote to memory of 3088	1488	TCPOptimizer.exe	128
PID 1488 wrote to memory of 3088	1488	TCPOptimizer.exe	128
PID 1488 wrote to memory of 5068	1488	TCPOptimizer.exe	130
PID 1488 wrote to memory of 5068	1488	TCPOptimizer.exe	130
PID 1488 wrote to memory of 3044	1488	TCPOptimizer.exe	132
PID 1488 wrote to memory of 3044	1488	TCPOptimizer.exe	132
PID 1488 wrote to memory of 3120	1488	TCPOptimizer.exe	134
PID 1488 wrote to memory of 3120	1488	TCPOptimizer.exe	134

C:\Users\Admin\AppData\Local\Temp\TCPOptimizer.exe
"C:\Users\Admin\AppData\Local\Temp\TCPOptimizer.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\netsh.exe
  netsh int tcp show supplemental
  2⤵
  PID:864
- C:\Windows\SYSTEM32\netsh.exe
  netsh int ip show interfaces
  2⤵
  PID:664
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetAdapterLso -Name '*'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetAdapterChecksumOffload '*'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetTCPSetting -SettingName internet
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\SYSTEM32\netsh.exe
  netsh int tcp show global
  2⤵
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetOffloadGlobalSetting
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe Set-NetOffloadGlobalSetting -ReceiveSegmentCoalescing disabled
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Disable-NetAdapterLso -Name *
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Enable-NetAdapterChecksumOffload -Name *
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Set-NetTCPSetting -SettingName internet -EcnCapability default
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Set-NetTCPSetting -SettingName internet -MaxSynRetransmissions 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3536
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Set-NetTCPSetting -SettingName internet -InitialRto 2000
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Windows\SYSTEM32\netsh.exe
  netsh int ip show interfaces
  2⤵
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetAdapterLso -Name '*'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetAdapterChecksumOffload '*'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3088
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetTCPSetting -SettingName internet
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Windows\SYSTEM32\netsh.exe
  netsh int tcp show global
  2⤵
  PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell.exe Get-NetOffloadGlobalSetting
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fa657552781362e0c7febc015952f2f1

SHA1
8a4a011bbd48b164f801394b128eb76d536692cb

SHA256
437caa0214c9e08fc2ed4e73132b7220f2ebcf92dfc8747b9eda08fd6a09b8bc

SHA512
9a09aff6c35bcab5df800c5937d6874d5c6516b7e988567ac5b10bd192ffde1f9a15420b52c5a97d36b8f900e6ecf0f1076011138e5d389976167732f767f73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
221780d8c15b54b96307b218ede5c445

SHA1
6dcb2aa8b6a33d8b9e4d667bea4a66e8a52f70bd

SHA256
692e07daac73e47cdb8412cc2e5400f339d10e02a13ef4b5bfe460f44e3732f1

SHA512
8b4c0bf4bddd195fb1f6649073a513627d398ad3789fd47875a28eca4ae825eb1a6d6d37c844d25864f1c6b71a88be2a37145441a3d540cd8102cb19d8c6e514

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0308c92cf90946b1002c1121607f5b86

SHA1
edaafbd445a52723b5a8441ffd7ed7cf304246bc

SHA256
c8a754cbf81defa7e8a4f26af951a080834574ea8cd809be8492c0b58b5860cc

SHA512
832e4b5220d8231696bc04e41a8c54d0dcddcfd0cb3160bbbddccf792dc051dd741b66863cfa15d13e4ff37ae2e3aec778b6add9cd62bc51471aeb16aeaceeaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a4a3f91771808e387efc96de73c201a

SHA1
bd29803080e4bc0534382263af4302922303a3b3

SHA256
f84b680865d2f579cf5cc31e773de1c3480d1e2f88fc27a04993d62637ea74d7

SHA512
f6e570c42074b5fad90cd548ead07b7fc6503b6a36f6e5cc4680559b63af44fed1999a0753833071abfaf117b0989321eb4470f880e5d3351f3042153f5f0432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c745771bc758060a28a180556bbea9f0

SHA1
0d1de18eaf46072947beb04614c97abd05524d40

SHA256
3281ef45536b28513a2adf2af913e9bd1934a945490901bc4657fd5a774623a1

SHA512
d7b3a92b0c06030df434f0f61b1d47287bc517d56e4a04b3290f9cb71b9e5154a748d605caa7733f4a103563fc967d72164e5a7098bdf415cc63ef41e70ad2ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
be6adb103f05b44cdff89c810df3d571

SHA1
ccbdce8d16d198c4f4dba434f0a564ab490934d3

SHA256
2da95d969200b1560ca9a1f591da7138ddae82eac4f662d15b441234f1362b91

SHA512
bb5b3e8126e1b3d9f3923c5c7a64afbc1443a5ddc30c252a8622da60ebbf8e8cf21ef6f58a83ee15dccf5a98fdfaddcf48e60a01aaf99d005cf24d68d37cc6b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a8c7052d0ceb101afa3a8164ecfb3c6

SHA1
1e5a09e16e6d45401910dd4afb09edfed0233469

SHA256
eea7d90996add012a77d3f99b6fc59faed70e59f9bd3bb70c3342000bd802085

SHA512
c749a048e3dfbc52bb57c65a3eeb25831d3e6c5f7c2027afb71008cf8acdaaf3af2720d34469f0ea7d977408eee0139b0734ac5ea399a35bca3896c2a0e87dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b892d7c8698c40011e5c98354a5e79d

SHA1
fcce41ee7b5ca7672335132471f593d1fa96be66

SHA256
e57eb1844753148d4792b715ad00d23540ec39bec75cdb6aa58043abdda15c9d

SHA512
a5c8b7c0ae50ae7636413b5bd21b39da1de797970b9254e82c38fbced1ab1798eec9aabda8e3679bdf8f6ac41b4daef68dcbc1111c5c7a7d9ea03006c2e8a7fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e79540d70125066d4a4e3c202968d51

SHA1
7b76add9e8b9e7a29f11e19c94414f155becce2c

SHA256
d3b3f33f32de81aa4aaa148e324fa95fd84e651fa529133af889489dfc9d7c2b

SHA512
16f459eedd0905a8ff18fdf8dc405cc81d88f33f735da4b799d13292b37d2efdec6dd1601943af33479a953e122d18af481d9357f29e5075e5c3a7c00cb8ef08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dc05f70803a87866da249762062f75eb

SHA1
d15c4f362903d41b9965fdfcff0a52669b21c504

SHA256
2980d5b8034a9b1aeb363cb6d9c96ff50ed82b4ba1575af77587fca11dab61b7

SHA512
2bcd3ecc11d6ba826b09d451af9137ad689065e36ac3690179709d84d137c9f8709077c95495c82b1519fb382de8614934b6784225b02e259353c15795a4ff0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af146717a40006d7ae6360665a71d0e3

SHA1
4fd231c5094f474f66294ed24a518269d8755165

SHA256
ddabfea9c5322784cb0cc60cae6e1c5dab0dad48861bfdac6c8e89cf84d366bb

SHA512
5a1b7d860a75fa65b70a06f1fe26ab399d41a620d98b3012a1a50c7cbc68540be94135402a642854031c739f937bb3441ca7c45c8562f199167f1252c17b6a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
686f349cbc6c61b53d451e19a3575e6c

SHA1
0bf1146b0188376071464a1adb3b368811fdf8cc

SHA256
7c1bb61d14f056a040c266dc276afc737075ad570361b82345926e6d1f8c22f3

SHA512
b379fb40b0ac556216be1acf8615b795b4dbe3222f6f9b598e9a032884d7abdc6a8bf19b341689bdc89c9ed0f604592004705832a2df3ddc9960162c0342795c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a206d34453b2a107a4c38de19659dd1

SHA1
ee6a1d490a03b222ea381f68373b4ba0edc06a51

SHA256
c462eae354478004768225f55a2015a8537512c16eba2e296c28965c0e02bc28

SHA512
a9c6c504e3ee64460e269d90ea406ee4e09870624dfbcf7f91cf0f38480c3def77e8c6c95ca650a8347c846327ecaca107cafda40fdd54f85fe82b7899d4cefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstBackup.spg

Filesize
1KB

MD5
0e0a5d5b2c9c5f00d9a027b2a6de5d2e

SHA1
2b23bfb7f498713655524148890bbf083293909b

SHA256
f106fadb611ef923cbf5301c14b5a1761f5cd2685ce8f54dd4ab735b3ab92074

SHA512
a28581673a1ef285a99537f3e478af91ea7259484a063e6098bc9212fddd5c27fec12658b71786b227e39b3052e82b635793970076f1203b2af32be8dff45490

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstBackup.spg

Filesize
1KB

MD5
7776dcefff9396d9ae4c5fd4c735bc14

SHA1
a2f97253c5414c401f1d00d46fbc7d967fc9203e

SHA256
f6af6ccbd81123904e8cef77bf1e332b5ee2136808141fc34cb2e0992cf7babb

SHA512
45c7f14b2f01574b693ef097f421c16fbca633ba2f28afae5df5b943ef543c066d05060edd70ae9aaaaddbcad8c6c45af0d0739fc04959d3bcf291ce444fa234

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o02itexu.xea.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2644-195-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/2644-209-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/2644-196-0x000001DF74B60000-0x000001DF74B70000-memory.dmp

Filesize
64KB

Download
memory/2644-207-0x000001DF74B60000-0x000001DF74B70000-memory.dmp

Filesize
64KB

Download
memory/3088-224-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/3088-236-0x000001BE588A0000-0x000001BE588B0000-memory.dmp

Filesize
64KB

Download
memory/3088-238-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/3088-225-0x000001BE588A0000-0x000001BE588B0000-memory.dmp

Filesize
64KB

Download
memory/3180-210-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/3180-223-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/3180-211-0x0000016C6F070000-0x0000016C6F080000-memory.dmp

Filesize
64KB

Download
memory/3536-192-0x000001987EBE0000-0x000001987EBF0000-memory.dmp

Filesize
64KB

Download
memory/3536-180-0x000001987EBE0000-0x000001987EBF0000-memory.dmp

Filesize
64KB

Download
memory/3536-179-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/3536-194-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/3536-191-0x000001987EBE0000-0x000001987EBF0000-memory.dmp

Filesize
64KB

Download
memory/3628-17-0x00000167FA140000-0x00000167FA18A000-memory.dmp

Filesize
296KB

Download
memory/3628-14-0x00000167E1070000-0x00000167E1080000-memory.dmp

Filesize
64KB

Download
memory/3628-9-0x00000167E1040000-0x00000167E1062000-memory.dmp

Filesize
136KB

Download
memory/3628-2-0x00007FFDDC0A0000-0x00007FFDDCB61000-memory.dmp

Filesize
10.8MB

Download
memory/3628-13-0x00000167F9680000-0x00000167F9690000-memory.dmp

Filesize
64KB

Download
memory/3628-15-0x00000167F9680000-0x00000167F9690000-memory.dmp

Filesize
64KB

Download
memory/3628-16-0x00000167FA250000-0x00000167FA352000-memory.dmp

Filesize
1.0MB

Download
memory/3628-1-0x00000167F9580000-0x00000167F9602000-memory.dmp

Filesize
520KB

Download
memory/3628-20-0x00007FFDDC0A0000-0x00007FFDDCB61000-memory.dmp

Filesize
10.8MB

Download
memory/3652-67-0x00007FFDDC0A0000-0x00007FFDDCB61000-memory.dmp

Filesize
10.8MB

Download
memory/3652-64-0x00007FFDDC0A0000-0x00007FFDDCB61000-memory.dmp

Filesize
10.8MB

Download
memory/3652-65-0x00000159CF150000-0x00000159CF160000-memory.dmp

Filesize
64KB

Download
memory/3844-114-0x000001847EEE0000-0x000001847EEF0000-memory.dmp

Filesize
64KB

Download
memory/3844-113-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/3844-125-0x000001847EEE0000-0x000001847EEF0000-memory.dmp

Filesize
64KB

Download
memory/3844-127-0x000001847EEE0000-0x000001847EEF0000-memory.dmp

Filesize
64KB

Download
memory/3844-126-0x000001847F440000-0x000001847F448000-memory.dmp

Filesize
32KB

Download
memory/3844-129-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/4116-148-0x00000285F1E50000-0x00000285F1E60000-memory.dmp

Filesize
64KB

Download
memory/4116-162-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/4116-160-0x00000285F1E50000-0x00000285F1E60000-memory.dmp

Filesize
64KB

Download
memory/4116-159-0x00000285F1E50000-0x00000285F1E60000-memory.dmp

Filesize
64KB

Download
memory/4116-147-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/4140-37-0x00007FFDDC0A0000-0x00007FFDDCB61000-memory.dmp

Filesize
10.8MB

Download
memory/4140-35-0x00000111209F0000-0x0000011120A00000-memory.dmp

Filesize
64KB

Download
memory/4140-24-0x00000111209F0000-0x0000011120A00000-memory.dmp

Filesize
64KB

Download
memory/4140-22-0x00007FFDDC0A0000-0x00007FFDDCB61000-memory.dmp

Filesize
10.8MB

Download
memory/4140-23-0x00000111209F0000-0x0000011120A00000-memory.dmp

Filesize
64KB

Download
memory/4164-143-0x000001E0C2870000-0x000001E0C2880000-memory.dmp

Filesize
64KB

Download
memory/4164-146-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/4164-130-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/4164-140-0x000001E0C2870000-0x000001E0C2880000-memory.dmp

Filesize
64KB

Download
memory/4164-141-0x000001E0C2870000-0x000001E0C2880000-memory.dmp

Filesize
64KB

Download
memory/4164-144-0x000001E0C2870000-0x000001E0C2880000-memory.dmp

Filesize
64KB

Download
memory/4776-172-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/4776-178-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/4776-174-0x000001B5FA510000-0x000001B5FA520000-memory.dmp

Filesize
64KB

Download
memory/4776-173-0x000001B5FA510000-0x000001B5FA520000-memory.dmp

Filesize
64KB

Download
memory/4776-176-0x000001B5FA510000-0x000001B5FA520000-memory.dmp

Filesize
64KB

Download
memory/5044-50-0x00000205EF110000-0x00000205EF120000-memory.dmp

Filesize
64KB

Download
memory/5044-51-0x00000205EFCF0000-0x00000205EFD04000-memory.dmp

Filesize
80KB

Download
memory/5044-53-0x00007FFDDC0A0000-0x00007FFDDCB61000-memory.dmp

Filesize
10.8MB

Download
memory/5044-39-0x00000205EF110000-0x00000205EF120000-memory.dmp

Filesize
64KB

Download
memory/5044-38-0x00007FFDDC0A0000-0x00007FFDDCB61000-memory.dmp

Filesize
10.8MB

Download
memory/5068-239-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download
memory/5068-250-0x000001ABD27C0000-0x000001ABD27D0000-memory.dmp

Filesize
64KB

Download
memory/5068-251-0x000001ABD27C0000-0x000001ABD27D0000-memory.dmp

Filesize
64KB

Download
memory/5068-253-0x00007FFDDC1A0000-0x00007FFDDCC61000-memory.dmp

Filesize
10.8MB

Download