6e055dafd01e88043b5349f41333b5b7c3669dad7283eb31e5683067ef1eca82

Analysis

max time kernel
1186s
max time network
1197s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
11/03/2024, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

start.exe
Size

5.4MB
MD5

9a31e2f6ded277bf5ee020deb4d94f03
SHA1

7758a11eb96e5ff506ea61b58dc2a9a080915fb4
SHA256

6e055dafd01e88043b5349f41333b5b7c3669dad7283eb31e5683067ef1eca82
SHA512

eb24f7f13b7f8e963f0aca56be9a840ac995909d60222c342a9da6e1237ffbf67f34cb0afb8a7226c7935e16d4281206ee6e5624b4f09b2b374397aa974f4360
SSDEEP

49152:qgPHKFIljmc9lDUKorbKNMktJFzyu2YhM8tZ3J0nVjEVWpBC6GJu1rL5Ck8OR:Ff9pmKFtrzHTCNELG6c

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1332	start.exe
3736	start.exe
2692	start.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\start = "C:\\Users\\Admin\\AppData\\Roaming\\start.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\App = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\App = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\App = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\App = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\App = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"	powershell.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 4932 set thread context of 4652	4932	start.exe	77
PID 4652 set thread context of 4136	4652	AddInProcess32.exe	78
PID 1332 set thread context of 1748	1332	start.exe	84
PID 1332 set thread context of 2112	1332	start.exe	89
PID 1332 set thread context of 4320	1332	start.exe	93
PID 1332 set thread context of 1756	1332	start.exe	100
PID 1332 set thread context of 800	1332	start.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

GoLang User-Agent 10 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	176	Go-http-client/1.1
HTTP User-Agent header	23	Go-http-client/1.1
HTTP User-Agent header	24	Go-http-client/1.1
HTTP User-Agent header	177	Go-http-client/1.1
HTTP User-Agent header	268	Go-http-client/1.1
HTTP User-Agent header	362	Go-http-client/1.1
HTTP User-Agent header	478	Go-http-client/1.1
HTTP User-Agent header	479	Go-http-client/1.1
HTTP User-Agent header	117	Go-http-client/1.1
HTTP User-Agent header	118	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4932	start.exe
4652	AddInProcess32.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
2628	powershell.exe
3736	start.exe
2628	powershell.exe
2692	start.exe
2692	start.exe
2692	start.exe
2628	powershell.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
4140	powershell.exe
1332	start.exe
1332	start.exe
4140	powershell.exe
4140	powershell.exe
1332	start.exe
1332	start.exe
4968	powershell.exe
1332	start.exe
1332	start.exe
4968	powershell.exe
4968	powershell.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
1332	start.exe
2952	powershell.exe
2952	powershell.exe
1332	start.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	start.exe
Token: SeDebugPrivilege	4652	AddInProcess32.exe
Token: SeDebugPrivilege	1332	start.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	3736	start.exe
Token: SeDebugPrivilege	2692	start.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4260	4932	start.exe	73
PID 4932 wrote to memory of 4260	4932	start.exe	73
PID 4932 wrote to memory of 4260	4932	start.exe	73
PID 4260 wrote to memory of 696	4260	cmd.exe	75
PID 4260 wrote to memory of 696	4260	cmd.exe	75
PID 4260 wrote to memory of 696	4260	cmd.exe	75
PID 4932 wrote to memory of 2496	4932	start.exe	76
PID 4932 wrote to memory of 2496	4932	start.exe	76
PID 4932 wrote to memory of 2496	4932	start.exe	76
PID 4932 wrote to memory of 2496	4932	start.exe	76
PID 4932 wrote to memory of 2496	4932	start.exe	76
PID 4932 wrote to memory of 2496	4932	start.exe	76
PID 4932 wrote to memory of 2496	4932	start.exe	76
PID 4932 wrote to memory of 2496	4932	start.exe	76
PID 4932 wrote to memory of 4652	4932	start.exe	77
PID 4932 wrote to memory of 4652	4932	start.exe	77
PID 4932 wrote to memory of 4652	4932	start.exe	77
PID 4932 wrote to memory of 4652	4932	start.exe	77
PID 4932 wrote to memory of 4652	4932	start.exe	77
PID 4932 wrote to memory of 4652	4932	start.exe	77
PID 4932 wrote to memory of 4652	4932	start.exe	77
PID 4932 wrote to memory of 4652	4932	start.exe	77
PID 4652 wrote to memory of 4136	4652	AddInProcess32.exe	78
PID 4652 wrote to memory of 4136	4652	AddInProcess32.exe	78
PID 4652 wrote to memory of 4136	4652	AddInProcess32.exe	78
PID 4652 wrote to memory of 4136	4652	AddInProcess32.exe	78
PID 4652 wrote to memory of 4136	4652	AddInProcess32.exe	78
PID 4652 wrote to memory of 4136	4652	AddInProcess32.exe	78
PID 4652 wrote to memory of 4136	4652	AddInProcess32.exe	78
PID 4652 wrote to memory of 4136	4652	AddInProcess32.exe	78
PID 4932 wrote to memory of 1332	4932	start.exe	79
PID 4932 wrote to memory of 1332	4932	start.exe	79
PID 4932 wrote to memory of 1332	4932	start.exe	79
PID 1332 wrote to memory of 804	1332	start.exe	80
PID 1332 wrote to memory of 804	1332	start.exe	80
PID 1332 wrote to memory of 804	1332	start.exe	80
PID 1332 wrote to memory of 804	1332	start.exe	80
PID 1332 wrote to memory of 804	1332	start.exe	80
PID 1332 wrote to memory of 804	1332	start.exe	80
PID 1332 wrote to memory of 804	1332	start.exe	80
PID 1332 wrote to memory of 804	1332	start.exe	80
PID 1332 wrote to memory of 804	1332	start.exe	80
PID 1332 wrote to memory of 804	1332	start.exe	80
PID 1332 wrote to memory of 804	1332	start.exe	80
PID 1332 wrote to memory of 4372	1332	start.exe	81
PID 1332 wrote to memory of 4372	1332	start.exe	81
PID 1332 wrote to memory of 4372	1332	start.exe	81
PID 1332 wrote to memory of 4372	1332	start.exe	81
PID 1332 wrote to memory of 4372	1332	start.exe	81
PID 1332 wrote to memory of 4372	1332	start.exe	81
PID 1332 wrote to memory of 4372	1332	start.exe	81
PID 1332 wrote to memory of 4372	1332	start.exe	81
PID 1332 wrote to memory of 4372	1332	start.exe	81
PID 1332 wrote to memory of 4372	1332	start.exe	81
PID 1332 wrote to memory of 4372	1332	start.exe	81
PID 1332 wrote to memory of 4356	1332	start.exe	82
PID 1332 wrote to memory of 4356	1332	start.exe	82
PID 1332 wrote to memory of 4356	1332	start.exe	82
PID 1332 wrote to memory of 4356	1332	start.exe	82
PID 1332 wrote to memory of 4356	1332	start.exe	82
PID 1332 wrote to memory of 4356	1332	start.exe	82
PID 1332 wrote to memory of 4356	1332	start.exe	82
PID 1332 wrote to memory of 4356	1332	start.exe	82
PID 1332 wrote to memory of 4356	1332	start.exe	82

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "start" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\start.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "start" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\start.exe"
    3⤵
    - Adds Run key to start application
    PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:2496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:4136
- C:\Users\Admin\AppData\Roaming\start.exe
  "C:\Users\Admin\AppData\Roaming\start.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2600
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:1748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe\" }"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2628
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\start.exe
      "C:\Users\Admin\AppData\Local\Temp\start.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe\" }"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4140
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:1544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe\" }"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4968
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:3740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:1216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:1756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe\" }"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:3696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:3064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:800
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe\" }"
      4⤵
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:4428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:1052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:3832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:3352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3fb8256e061f0569190c44d81d553d2c

SHA1
2a4609ac91d4520c8ce4b9d6cd19767cca392493

SHA256
3f839af97ceecc22af0386f3785a8af9296e7362a9ead04fd89e427414e373a4

SHA512
605a57f655e1fde1b6f4f0f403e70d9807a634391ef83e180c4f5c6c5242ce53bde26be8d27ce924d15319408fc6598f403856add405ed9897abf39d3be2f5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\start.exe.log

Filesize
1KB

MD5
f0482e62091a8498f41d1880f5be4fcf

SHA1
81d2e28d9f44b0934c3ec0b86f20a7f4fbf52878

SHA256
65853992d7c76a02404fc0cac180a6d31e89859264eecb3e7bd3667c1477ed6e

SHA512
53d922a2e22f096e5107e5318fa253c0400d096b0acf3f6e62e20f4c6f4589a2ce5ef4c974e954b336336a06647249c22b5885c5e35efbf7eafc8c5ba9b39ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
3a63091b04bb5434feb88002e169722c

SHA1
20934389f0bc1d632c4dcb15931261a449fcdc49

SHA256
31e97c253bbe869059ef36dd2bae1eac046e3e4c340eaf30a6c1276037e567bc

SHA512
b5849a2b5a85263e06224d2660434fbf49c9ce3307cde2c65dfd515e43f0d2a470695fca74db9b48efe299df3d8b90b1f7bfb6c423b3336fd2db8af399a94a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
8d89c6c37f91235c23e923500420aaf1

SHA1
fae5e8af0a3b08e1dafae2203cdf74eda6c72dad

SHA256
eb55def9b3bee2cc9d8e1514592b34756dd77597decc6653f78cdd44efe32bbf

SHA512
6a16eaf0e0e2750f7ea3f24aa85b2cc362f3518b65f11058cac2a9882e3eaa9f378153005898914cc46463fdc90bf705485f8df2dfc24e431615ff3feb25e7c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
91a292f0a71e79cb0f80959bb7c28953

SHA1
8217b0a3606bb3fddba43cc3ded5b90d67e22307

SHA256
f96d3afc9c21cfb84eaa649ede8d19a21b7475b3fc0d9119b5da3fde37d5cf85

SHA512
56fc2640ce94321b2a619df319f2662fb8345b1d0916eb3314b7a523fd77222429bd1c4eec8c8f799c1d75925ab1416afffea3b09857077d15c88edbc2cb77d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
87ce9cc377a00181fd46741f1f81ae49

SHA1
d08e989158f88ce7254b2369f6304848a0ad457f

SHA256
b4f859e753676ec0fdc10a97db4c5a3d5aff319691d1fd414144942a598d0229

SHA512
ad9d4936ef5a932775eac50fd5c650149a5089337a26fcb07fa822526b3ec9c3473475304dab9ad84e7d826b06bc56027a11646b469af22ca79ec97c714363b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tifhe3cl.tne.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.txt

Filesize
54B

MD5
5e837e1e72e0ab6253245a161ad4cd2d

SHA1
db6effcb9032abb29ff7daccac9ed481f92d8086

SHA256
42b51509412cc0b3992f2d6b2f57e36b3ac5077f139683aa46992fa32f9f0629

SHA512
c0015ddf552fa52bef29aa246092b04cd7afe01a600376286b5a5c49c76331516c940fa7a15d46938957b631c3b6d3c2b629fc9d5fcc95743d79b8e724c9b418

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.txt

Filesize
54B

MD5
d1834c87bcdb672fa7daf16706e86c54

SHA1
fe67ae2dcc1f51a8a6e2e1a10c3eef2956d7ec01

SHA256
cfa2a26e4742206886e03bb5185603fca1c814d8b9ac432d2481be7407168040

SHA512
2ce4a48d00330e86cd6b38fff7afdea8d97461e7454e03ed2dc9f6238f2c4aa081ad9b6f6af2d08aea88ff535ffb7180db03ac04bda7da17a32530c7bdcab289

Download Submit
C:\Users\Admin\AppData\Roaming\start.exe

Filesize
1.9MB

MD5
7814c80dad26099ba2ca396d72e7edca

SHA1
a2ca3235d2a7404d42b76d5fdd0f8ddb96384db8

SHA256
3748926d5e81c0cd6e1b1183690a0c9ce13435b07160fd994b760087e14dab6f

SHA512
e8c74afca2d475b4938a0202e87606c069d798d0b7fb95d5e4cd4ed826a279c2185c6f132b29f55ad1d0cd7365a37eec6311a88c62b32aec85772ec7747c418f

Download Submit
C:\Users\Admin\AppData\Roaming\start.exe

Filesize
1.6MB

MD5
5ce2c55e56d244a940e80bb46833c60a

SHA1
c0db681e95a1bd59dd6d6f80b6b7ede30b60e4d4

SHA256
c7e18ff2527fcdd8c745b9e63214734ac61961c251b4a9ab8a59d9ca65b14b89

SHA512
237f5f0fa13490a8b15922c202c7fcf60565d755cdf74091cfee9708b30c9cbc7d9161f06ba80d8e21c203a6817d64cc92bc0042ae33ea73bc6c1e7f303056e1

Download Submit
memory/800-229-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/800-230-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/800-257-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/800-228-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/800-258-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1332-29-0x0000000000D20000-0x0000000001290000-memory.dmp

Filesize
5.4MB

Download
memory/1332-37-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1332-36-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1332-35-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1332-31-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1332-30-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1332-28-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1748-48-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1748-54-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1748-53-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1748-110-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1748-112-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1748-52-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1748-49-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1756-222-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1756-194-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1756-193-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1756-221-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/1756-192-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/2112-119-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/2112-118-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/2112-150-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/2112-149-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/2112-120-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/2628-101-0x00000000087C0000-0x00000000087DA000-memory.dmp

Filesize
104KB

Download
memory/2628-60-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2628-109-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2628-73-0x0000000007D90000-0x00000000080E0000-memory.dmp

Filesize
3.3MB

Download
memory/2628-105-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2628-102-0x00000000092F0000-0x0000000009312000-memory.dmp

Filesize
136KB

Download
memory/2628-100-0x00000000095A0000-0x0000000009634000-memory.dmp

Filesize
592KB

Download
memory/2628-58-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2628-57-0x0000000004C80000-0x0000000004CB6000-memory.dmp

Filesize
216KB

Download
memory/2628-84-0x0000000008470000-0x00000000084E6000-memory.dmp

Filesize
472KB

Download
memory/2628-61-0x0000000007600000-0x0000000007C28000-memory.dmp

Filesize
6.2MB

Download
memory/2628-68-0x0000000007C30000-0x0000000007C96000-memory.dmp

Filesize
408KB

Download
memory/2628-62-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2628-79-0x0000000007D10000-0x0000000007D2C000-memory.dmp

Filesize
112KB

Download
memory/2628-65-0x00000000075D0000-0x00000000075F2000-memory.dmp

Filesize
136KB

Download
memory/2628-70-0x0000000007CA0000-0x0000000007D06000-memory.dmp

Filesize
408KB

Download
memory/2692-80-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-111-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/3736-71-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/3736-72-0x0000000000A60000-0x0000000000A7A000-memory.dmp

Filesize
104KB

Download
memory/3736-83-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4136-47-0x0000000006200000-0x000000000624B000-memory.dmp

Filesize
300KB

Download
memory/4136-38-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/4136-43-0x0000000006F00000-0x0000000007506000-memory.dmp

Filesize
6.0MB

Download
memory/4136-44-0x00000000060F0000-0x00000000061FA000-memory.dmp

Filesize
1.0MB

Download
memory/4136-63-0x0000000001870000-0x0000000001880000-memory.dmp

Filesize
64KB

Download
memory/4136-59-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4136-40-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4136-45-0x0000000006020000-0x0000000006032000-memory.dmp

Filesize
72KB

Download
memory/4136-46-0x0000000006080000-0x00000000060BE000-memory.dmp

Filesize
248KB

Download
memory/4136-42-0x0000000001870000-0x0000000001880000-memory.dmp

Filesize
64KB

Download
memory/4140-124-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4140-125-0x0000000006810000-0x0000000006820000-memory.dmp

Filesize
64KB

Download
memory/4140-126-0x0000000006810000-0x0000000006820000-memory.dmp

Filesize
64KB

Download
memory/4140-127-0x0000000007480000-0x00000000077D0000-memory.dmp

Filesize
3.3MB

Download
memory/4320-186-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/4320-158-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/4320-185-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/4320-157-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/4320-156-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/4652-33-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/4652-34-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/4652-41-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4652-19-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/4652-16-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4652-20-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/4652-32-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4652-15-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/4652-18-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4932-13-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/4932-9-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/4932-0-0x0000000000DC0000-0x0000000001330000-memory.dmp

Filesize
5.4MB

Download
memory/4932-27-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4932-12-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4932-11-0x0000000008860000-0x0000000008866000-memory.dmp

Filesize
24KB

Download
memory/4932-10-0x0000000008830000-0x000000000884A000-memory.dmp

Filesize
104KB

Download
memory/4932-14-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/4932-8-0x000000000E500000-0x000000000E50A000-memory.dmp

Filesize
40KB

Download
memory/4932-7-0x00000000055D0000-0x00000000055D6000-memory.dmp

Filesize
24KB

Download
memory/4932-6-0x0000000007560000-0x00000000075BA000-memory.dmp

Filesize
360KB

Download
memory/4932-5-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/4932-4-0x0000000005CB0000-0x0000000005D4C000-memory.dmp

Filesize
624KB

Download
memory/4932-3-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/4932-2-0x0000000005FD0000-0x00000000064CE000-memory.dmp

Filesize
5.0MB

Download
memory/4932-1-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download