Analysis

  • max time kernel
    67s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/04/2024, 19:08

General

  • Target

    SCRIPT FREEZE IDM TIME.cmd

  • Size

    31KB

  • MD5

    cd219449e7472b4e6f35c612824635bd

  • SHA1

    f6db923ee2dbb3ae2ade5e0511533506962a689b

  • SHA256

    87e810d116c7a4d2f3baae3c98715047c901fd581fef72f3c3b218c03231f944

  • SHA512

    fa92d80645c1bc6ff55238322ce69144b4550aa6256efe3c334c0c343a937185a9ce18a1ad4c8e55e5ac42e6d937582738441d443f01f4a0590d64ac1453ec55

  • SSDEEP

    384:mNnhCo3piIUTUq5rrfmJbnl7+qK14TEJYab:mNn/ZiBAq5rrfmFl7G4gJYab

Score
4/10

Malware Config

Signatures

  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:348
    • C:\Windows\System32\sc.exe
      sc query Null
      2⤵
      • Launches sc.exe
      PID:2344
    • C:\Windows\System32\find.exe
      find /i "RUNNING"
      2⤵
        PID:1560
      • C:\Windows\System32\findstr.exe
        findstr /v "$" "SCRIPT FREEZE IDM TIME.cmd"
        2⤵
          PID:1216
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ver
          2⤵
            PID:3968
          • C:\Windows\System32\reg.exe
            reg query "HKCU\Console" /v ForceV2
            2⤵
              PID:2408
            • C:\Windows\System32\find.exe
              find /i "0x0"
              2⤵
                PID:4456
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3428
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
                  3⤵
                    PID:4536
                  • C:\Windows\System32\cmd.exe
                    cmd
                    3⤵
                      PID:1812
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" "
                    2⤵
                      PID:2040
                    • C:\Windows\System32\find.exe
                      find /i "C:\Users\Admin\AppData\Local\Temp"
                      2⤵
                        PID:3824
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3736
                      • C:\Windows\System32\find.exe
                        find /i "FullLanguage"
                        2⤵
                          PID:1580
                        • C:\Windows\System32\fltMC.exe
                          fltmc
                          2⤵
                            PID:680
                          • C:\Windows\System32\conhost.exe
                            conhost.exe powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '"""C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd""" -el -qedit'"
                            2⤵
                            • Suspicious use of SetWindowsHookEx
                            • Suspicious use of WriteProcessMemory
                            PID:1968
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell.exe "$t=[AppDomain]::CurrentDomain.DefineDynamicAssembly(4, 1).DefineDynamicModule(2, $False).DefineType(0); $t.DefinePInvokeMethod('GetStdHandle', 'kernel32.dll', 22, 1, [IntPtr], @([Int32]), 1, 3).SetImplementationFlags(128); $t.DefinePInvokeMethod('SetConsoleMode', 'kernel32.dll', 22, 1, [Boolean], @([IntPtr], [Int32]), 1, 3).SetImplementationFlags(128); $k=$t.CreateType(); $b=$k::SetConsoleMode($k::GetStdHandle(-10), 0x0080); & cmd.exe '/c' '\"C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd\" -el -qedit'"
                              3⤵
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2280
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" -el -qedit"
                                4⤵
                                • Suspicious use of WriteProcessMemory
                                PID:3316
                                • C:\Windows\System32\sc.exe
                                  sc query Null
                                  5⤵
                                  • Launches sc.exe
                                  PID:4544
                                • C:\Windows\System32\find.exe
                                  find /i "RUNNING"
                                  5⤵
                                    PID:1484
                                  • C:\Windows\System32\findstr.exe
                                    findstr /v "$" "SCRIPT FREEZE IDM TIME.cmd"
                                    5⤵
                                      PID:4308
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ver
                                      5⤵
                                        PID:1332
                                      • C:\Windows\System32\reg.exe
                                        reg query "HKCU\Console" /v ForceV2
                                        5⤵
                                          PID:4884
                                        • C:\Windows\System32\find.exe
                                          find /i "0x0"
                                          5⤵
                                            PID:3876
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
                                            5⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:4244
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
                                              6⤵
                                                PID:4500
                                              • C:\Windows\System32\cmd.exe
                                                cmd
                                                6⤵
                                                  PID:4656
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd" "
                                                5⤵
                                                  PID:4516
                                                • C:\Windows\System32\find.exe
                                                  find /i "C:\Users\Admin\AppData\Local\Temp"
                                                  5⤵
                                                    PID:2756
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':PowerShellTest:\s*';iex ($f[1])"
                                                    5⤵
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:4560
                                                  • C:\Windows\System32\find.exe
                                                    find /i "FullLanguage"
                                                    5⤵
                                                      PID:2972
                                                    • C:\Windows\System32\fltMC.exe
                                                      fltmc
                                                      5⤵
                                                        PID:1740
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c ping -4 -n 1 iasupdatecheck.massgrave.dev
                                                        5⤵
                                                          PID:452
                                                          • C:\Windows\System32\PING.EXE
                                                            ping -4 -n 1 iasupdatecheck.massgrave.dev
                                                            6⤵
                                                            • Runs ping.exe
                                                            PID:1696
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"
                                                          5⤵
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3172
                                                        • C:\Windows\System32\find.exe
                                                          find /i "computersystem"
                                                          5⤵
                                                            PID:924
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul
                                                            5⤵
                                                              PID:3948
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"
                                                                6⤵
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1288
                                                            • C:\Windows\System32\reg.exe
                                                              reg query HKU\\Software
                                                              5⤵
                                                                PID:1216
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul
                                                                5⤵
                                                                  PID:3968
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"
                                                                    6⤵
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:3932
                                                                • C:\Windows\System32\reg.exe
                                                                  reg query HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software
                                                                  5⤵
                                                                    PID:4520
                                                                  • C:\Windows\System32\reg.exe
                                                                    reg delete HKCU\IAS_TEST /f
                                                                    5⤵
                                                                    • Modifies registry key
                                                                    PID:4808
                                                                  • C:\Windows\System32\reg.exe
                                                                    reg delete HKU\S-1-5-21-877519540-908060166-1852957295-1000\IAS_TEST /f
                                                                    5⤵
                                                                      PID:3632
                                                                    • C:\Windows\System32\reg.exe
                                                                      reg add HKCU\IAS_TEST
                                                                      5⤵
                                                                      • Modifies registry key
                                                                      PID:3396
                                                                    • C:\Windows\System32\reg.exe
                                                                      reg query HKU\S-1-5-21-877519540-908060166-1852957295-1000\IAS_TEST
                                                                      5⤵
                                                                        PID:4932
                                                                      • C:\Windows\System32\reg.exe
                                                                        reg delete HKCU\IAS_TEST /f
                                                                        5⤵
                                                                        • Modifies registry key
                                                                        PID:1572
                                                                      • C:\Windows\System32\reg.exe
                                                                        reg delete HKU\S-1-5-21-877519540-908060166-1852957295-1000\IAS_TEST /f
                                                                        5⤵
                                                                          PID:4356
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
                                                                          5⤵
                                                                            PID:4972
                                                                            • C:\Windows\System32\reg.exe
                                                                              reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
                                                                              6⤵
                                                                                PID:1620
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\DownloadManager" /v ExePath 2>nul
                                                                              5⤵
                                                                                PID:4572
                                                                                • C:\Windows\System32\reg.exe
                                                                                  reg query "HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\DownloadManager" /v ExePath
                                                                                  6⤵
                                                                                    PID:4836
                                                                                • C:\Windows\System32\reg.exe
                                                                                  reg add HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
                                                                                  5⤵
                                                                                  • Modifies registry class
                                                                                  PID:2720
                                                                                • C:\Windows\System32\reg.exe
                                                                                  reg query HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
                                                                                  5⤵
                                                                                    PID:1500
                                                                                  • C:\Windows\System32\reg.exe
                                                                                    reg delete HKU\S-1-5-21-877519540-908060166-1852957295-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f
                                                                                    5⤵
                                                                                    • Modifies registry class
                                                                                    PID:5080
                                                                                  • C:\Windows\System32\mode.com
                                                                                    mode 75, 28
                                                                                    5⤵
                                                                                      PID:5084
                                                                                    • C:\Windows\System32\choice.exe
                                                                                      choice /C:123450 /N
                                                                                      5⤵
                                                                                        PID:5116
                                                                                      • C:\Windows\System32\mode.com
                                                                                        mode 113, 35
                                                                                        5⤵
                                                                                          PID:1692
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
                                                                                          5⤵
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4988
                                                                                        • C:\Windows\System32\tasklist.exe
                                                                                          tasklist /fi "imagename eq idman.exe"
                                                                                          5⤵
                                                                                          • Enumerates processes with tasklist
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4604
                                                                                        • C:\Windows\System32\findstr.exe
                                                                                          findstr /i "idman.exe"
                                                                                          5⤵
                                                                                            PID:2440
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
                                                                                            5⤵
                                                                                              PID:2404
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
                                                                                                6⤵
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:4184
                                                                                            • C:\Windows\System32\reg.exe
                                                                                              reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240427-190952889.reg"
                                                                                              5⤵
                                                                                                PID:1696
                                                                                              • C:\Windows\System32\reg.exe
                                                                                                reg query "HKCU\Software\DownloadManager" "/v" "FName"
                                                                                                5⤵
                                                                                                  PID:3292
                                                                                                • C:\Windows\System32\reg.exe
                                                                                                  reg query "HKCU\Software\DownloadManager" "/v" "LName"
                                                                                                  5⤵
                                                                                                    PID:3584
                                                                                                  • C:\Windows\System32\reg.exe
                                                                                                    reg query "HKCU\Software\DownloadManager" "/v" "Email"
                                                                                                    5⤵
                                                                                                      PID:4956
                                                                                                    • C:\Windows\System32\reg.exe
                                                                                                      reg query "HKCU\Software\DownloadManager" "/v" "Serial"
                                                                                                      5⤵
                                                                                                        PID:1924
                                                                                                      • C:\Windows\System32\reg.exe
                                                                                                        reg query "HKCU\Software\DownloadManager" "/v" "scansk"
                                                                                                        5⤵
                                                                                                          PID:3172
                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                          reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"
                                                                                                          5⤵
                                                                                                            PID:4320
                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                            reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"
                                                                                                            5⤵
                                                                                                              PID:1668
                                                                                                            • C:\Windows\System32\reg.exe
                                                                                                              reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"
                                                                                                              5⤵
                                                                                                                PID:2476
                                                                                                              • C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"
  5⤵
  PID:2184
• C:\Windows\System32\reg.exe
  reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"
  5⤵
  PID:4912
• C:\Windows\System32\reg.exe
  reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"
  5⤵
  PID:4976
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "$sid = 'S-1-5-21-877519540-908060166-1852957295-1000'; $HKCUsync = 1; $lockKey = $null; $deleteKey = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':regscan\:.*';iex ($f[1])"
  5⤵
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:3588
• C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
  5⤵
  PID:3044
• C:\Windows\System32\mode.com
  mode 75, 28
  5⤵
  PID:2444
• C:\Windows\System32\choice.exe
  choice /C:123450 /N
  5⤵
  PID:5108
• C:\Windows\System32\mode.com
  mode 113, 35
  5⤵
  PID:2484
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"
  5⤵
  • Suspicious behavior: EnumeratesProcesses
  • Suspicious use of AdjustPrivilegeToken
  PID:3256
• C:\Windows\System32\mode.com
  mode 75, 28
  5⤵
  PID:4960
• C:\Windows\System32\choice.exe
  choice /C:123450 /N
  5⤵
  PID:4580
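What the tree above actually records: the .cmd re-reads its own file with `[io.file]::ReadAllText`, splits the text on the `:regscan:` label line (the regex `':regscan\:.*'`), and hands the second half to `iex`, which is how a batch file carries a PowerShell payload inline without dropping a .ps1. The sandbox user's SID is passed in as `$sid`, the three `reg query` calls read Internet Download Manager's per-user and machine keys, and the `reg add ... /f` then force-writes `AdvIntDriverEnabled2=1` under HKLM, a machine-wide change that needs an elevated token. The script below is an added triage helper, not code from the report or from the analysed .cmd: it takes command lines copied from the tree (constructed input), flags the read-file-then-iex pattern, and decodes each reg.exe operation so the HKLM write stands out from the reads. The record layout, finding names and severity labels are my own.

```python
"""Triage the command lines in the process tree above.

Added example (not code from the report or the analysed .cmd). It flags the
read-file-then-iex polyglot pattern and decodes reg.exe operations. Sample
records are constructed from the tree; names and severities are my own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from the tree above: (pid, image, command line).
SAMPLE_PROCESSES = [
    (2184, "reg.exe", r'reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"'),
    (4912, "reg.exe", r'reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"'),
    (4976, "reg.exe", r'reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"'),
    (3588, "powershell.exe",
     r'''powershell.exe "$sid = 'S-1-5-21-877519540-908060166-1852957295-1000'; $HKCUsync = 1; $lockKey = $null; $deleteKey = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SCRIPT FREEZE IDM TIME.cmd') -split ':regscan\:.*';iex ($f[1])"'''),
    (3044, "reg.exe",
     r'reg add "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f'),
    (3256, "powershell.exe",
     r'powershell.exe "&{$W=$Host.UI.RawUI.WindowSize;$B=$Host.UI.RawUI.BufferSize;$W.Height=34;$B.Height=300;$Host.UI.RawUI.WindowSize=$W;$Host.UI.RawUI.BufferSize=$B;}"'),
]

# Read a file, split it on a marker, evaluate one piece with iex: the
# batch/PowerShell polyglot layout visible in the tree.
SELF_READ = re.compile(
    r"ReadAllText\('(?P<path>[^']+)'\)\s*-split\s*'(?P<label>[^']+)'.*?\b(?:iex|invoke-expression)\b",
    re.IGNORECASE,
)


@dataclass
class RegOp:
    op: str
    hive: str
    key: str
    value: Optional[str] = None
    type: Optional[str] = None
    data: Optional[str] = None
    force: bool = False


def tokenize(cmd: str):
    """Split a Windows command line on whitespace, keeping quoted runs whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_reg(cmd: str) -> Optional[RegOp]:
    """Decode `reg add|query|delete <key> [/v name] [/t type] [/d data] [/f]`."""
    t = tokenize(cmd)
    if len(t) < 3 or t[0].lower() not in ("reg", "reg.exe") or t[1].lower() not in ("add", "query", "delete"):
        return None
    hive, _, key = t[2].partition("\\")
    op = RegOp(op=t[1].lower(), hive=hive.upper(), key=key)
    i = 3
    while i < len(t):
        flag = t[i].lower()
        if flag == "/f":
            op.force = True
        elif flag in ("/v", "/t", "/d") and i + 1 < len(t):
            setattr(op, {"/v": "value", "/t": "type", "/d": "data"}[flag], t[i + 1])
            i += 1
        i += 1
    return op


def triage(procs):
    """One finding per command line that reads a payload or touches the registry."""
    findings = []
    for pid, _image, cmd in procs:
        m = SELF_READ.search(cmd)
        if m:
            findings.append({
                "pid": pid, "kind": "self_read_iex", "severity": "medium",
                "path": m["path"], "label": m["label"],
                # payload carried inside a batch file rather than a .ps1
                "target_is_script": m["path"].lower().endswith((".cmd", ".bat")),
            })
        r = parse_reg(cmd)
        if r:
            write = r.op in ("add", "delete")
            sev = "high" if write and r.hive == "HKLM" and r.force else ("low" if write else "info")
            findings.append({"pid": pid, "kind": "reg_write" if write else "reg_read", "severity": sev, "reg": r})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f["severity"].upper(), f["pid"], f["kind"], f.get("path") or f.get("reg"))
```

Run against the tree it yields three `info` reads of IDM keys, one `medium` self-read finding for PID 3588 with the split label `:regscan\:.*`, and one `high` finding for the forced HKLM write by PID 3044; the window-resize PowerShell (PID 3256) produces nothing, which is the point of keying on the read-split-iex shape rather than on `powershell.exe` itself.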

                                                                                                                        Network

                                                                                                                        MITRE ATT&CK Enterprise v15

                                                                                                                        Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: c20ac38ae3022e305b8752804aadf486
  SHA1: 4c144d6cfafb5c37ab4810ff3c1744df81493cdb
  SHA256: 03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf
  SHA512: c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 7c45b4a4ae4935383aaac5e3f00b0906
  SHA1: acd563a6b0651d2b0be21b9bf4398216994501df
  SHA256: 2c7beaa50f3cff453eca4d601e09c0ee38bd3f4e1d5b4d608046662d9d79828d
  SHA512: 177389f2406de32d7eef9f827abb4a6e6c926951de47073f16224b7117bbe86c038ed0aa1affbb23d557b984df78a1eb6fc8567dba16f3e6592da64fe19d99d7

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: e89c193840c8fb53fc3de104b1c4b092
  SHA1: 8b41b6a392780e48cc33e673cf4412080c42981e
  SHA256: 920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c
  SHA512: 865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 83d9b53573ceb7befdd720af28cab520
  SHA1: 60baa3f5b7b6329121ea27d727bd249fc22d6d0f
  SHA256: d25db7242c40ddcffc09f7277be0ea4ec676f53a8058057bfc995c1a1af1b289
  SHA512: 30aed460d420549b39ba9f1b0bf5f13bd7d96a2217ac76de9756f77b0288812e548f2170e4df58ff5ae5f8900df775cc0abca2e02ab039b5121afb43fed838f0

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: d45679c8b58392ba3e7174a4c662d530
  SHA1: d50d65ddb618a8b4b91bc66772368ef10f3d1156
  SHA256: abb662fe832ffbdfa41b3da262cf5b5a77a197b54644d598e27a2b2d2d50c0ff
  SHA512: fa8dc9d48ceedbbec1e5edea6e5986aeac82c44af663fa646596b63843ae9191fb2cb7b20196f6862fd9f25c5671c17050a9a39a165cf1d58b4bdee2c1db74c6

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: cae1fca4772c3bb8bca5cd474c2d4c1a
  SHA1: d8dd8f4c30d43f899776cc8db969973ceef5f047
  SHA256: 0db954e2532209c30c277400c9c5399c145259b73afe02ba4db67b71cb3d965e
  SHA512: 18182c00b0f0f32c7e5edcf44b6bc549502018802efa30a4e05887dc9d2037926217daf2feaef79c700863f1ffd8a50231ab5c3a9b1a177632e23675715f3a8f

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 2a9c3225d7b5e1f983edda0d4c2ca869
  SHA1: 0f7627d5489de499fb82d67435a5f63754dc0603
  SHA256: d74ce17d2f33c85603df92e7a1d368e3bd0e34f42170ddec0ef1d1de194b8207
  SHA512: e394feb2601f3a7c71dd99aa95bb60478e92a76c4232b3cc689704f46b1ebe4832a53558e54f433f79c5d4e231fbeb43424bf54e9654883dc5affbdd68d91f79

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 1542328a8546914b4e2f1aef9cb42bea
  SHA1: 7a0ac5969dfb20eb974e8a3bd8707243fa68f94f
  SHA256: 7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737
  SHA512: b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

• C:\Users\Admin\AppData\Local\Temp\REGE510.tmp
  Filesize: 32KB
  MD5: e9d06132591c36129e4455d063612beb
  SHA1: 798619665c9915bc2f50bec9f0d9d0707a5a485e
  SHA256: 357e1fb247f831c9b4a0363445a0a7446af42dea4585f5c7357391e5732f4b2c
  SHA512: 6eabef2e10285611260d6ea1503bbb2eafb830c3dc4544f064edfa0e6821f21bbe65a77878cb18f8ebfd80ff520459e9a65f274f9c0eec7e772bec1c41d0476e

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2foxoih0.eap.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• memory/3736-12-0x0000015C4FD60000-0x0000015C4FF7C000-memory.dmp
  Filesize: 2.1MB

• memory/3736-9-0x0000015C4DC40000-0x0000015C4DC62000-memory.dmp
  Filesize: 136KB
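A caveat for reading this list: nearly all of it is PowerShell host housekeeping, not files the script dropped. `CLR_v4.0\UsageLogs\powershell.exe.log` is the usage log the .NET runtime writes when powershell.exe loads managed code (useful as evidence that PowerShell ran, nothing more), `StartupProfileData-NonInteractive` is the startup JIT profile cache PowerShell maintains across launches (eight versions with eight different hashes here, consistent with repeated non-interactive powershell.exe starts), and `__PSScriptPolicyTest_*.ps1` is the throwaway script PowerShell writes at start-up to test whether an AppLocker/WDAC script policy is being enforced. That leaves `Temp\REGE510.tmp` as the one artifact the report does not attribute to anything. The classifier below is an added example, not code from the report; its records are constructed from the paths, sizes and MD5s listed above, and the category names are my own.

```python
"""Sort the report's Downloads list into PowerShell-host side effects and
artifacts that still need a look.

Added example, not part of the report. Records are constructed from the
list above as (path, size, MD5); category names are my own.
"""
import re
from collections import Counter

LOCAL = r"C:\Users\Admin\AppData\Local"
PS_PROFILE = LOCAL + r"\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive"

ARTIFACTS = [
    (LOCAL + r"\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log", "2KB", "2f57fde6b33e89a63cf0dfdd6e60a351"),
    (PS_PROFILE, "1KB", "c20ac38ae3022e305b8752804aadf486"),
    (PS_PROFILE, "1KB", "7c45b4a4ae4935383aaac5e3f00b0906"),
    (PS_PROFILE, "1KB", "e89c193840c8fb53fc3de104b1c4b092"),
    (PS_PROFILE, "1KB", "83d9b53573ceb7befdd720af28cab520"),
    (PS_PROFILE, "1KB", "d45679c8b58392ba3e7174a4c662d530"),
    (PS_PROFILE, "1KB", "cae1fca4772c3bb8bca5cd474c2d4c1a"),
    (PS_PROFILE, "1KB", "2a9c3225d7b5e1f983edda0d4c2ca869"),
    (PS_PROFILE, "944B", "1542328a8546914b4e2f1aef9cb42bea"),
    (LOCAL + r"\Temp\REGE510.tmp", "32KB", "e9d06132591c36129e4455d063612beb"),
    (LOCAL + r"\Temp\__PSScriptPolicyTest_2foxoih0.eap.ps1", "60B", "d17fe0a3f47be24a6453e9ef58c94641"),
]

# Paths the CLR or PowerShell itself writes whenever powershell.exe starts.
HOST_NOISE = [
    ("clr_usage_log", re.compile(r"\\Microsoft\\CLR_v4\.0\\UsageLogs\\[^\\]+\.log$", re.I)),
    ("ps_startup_profile", re.compile(r"\\Microsoft\\Windows\\PowerShell\\StartupProfileData-(?:Non)?Interactive$", re.I)),
    ("ps_script_policy_probe", re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I)),
]


def classify(path: str) -> str:
    """Name the host side effect a path belongs to, or 'review' if none matches."""
    for name, rx in HOST_NOISE:
        if rx.search(path):
            return name
    return "review"


def parse_size(s: str) -> int:
    """'2KB' -> 2048, '944B' -> 944; the report uses B, KB and MB suffixes."""
    m = re.fullmatch(r"([\d.]+)(B|KB|MB)", s)
    return int(float(m[1]) * {"B": 1, "KB": 1024, "MB": 1024 ** 2}[m[2]])


def summarize(artifacts):
    """Counts per category, paths left to review, and paths rewritten during the run."""
    by_cat = Counter(classify(p) for p, _, _ in artifacts)
    review = [p for p, _, _ in artifacts if classify(p) == "review"]
    # The same path listed repeatedly with different hashes was rewritten
    # during the run; for the PowerShell profile cache that is expected.
    hashes = {}
    for p, _, h in artifacts:
        hashes.setdefault(p, set()).add(h)
    rewritten = {p: len(hs) for p, hs in hashes.items() if len(hs) > 1}
    return {"by_category": dict(by_cat), "review": review, "rewritten": rewritten}


if __name__ == "__main__":
    s = summarize(ARTIFACTS)
    print(s["by_category"])
    for p in s["review"]:
        print("review:", p)
```

On this list the only path left in `review` is `REGE510.tmp`; the eight profile-cache versions collapse into one rewritten path, which is the shape you want to recognise before spending time diffing their hashes.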