Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    15s
  • max time network
    22s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/05/2024, 07:36

General

  • Target

    6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe

  • Size

    37.6MB

  • MD5

    dbcc5cfb5b91fae4370930affd3d7ef9

  • SHA1

    5e5598375c5abeee8c18c9c28a5138e3763df29b

  • SHA256

    6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef

  • SHA512

    0b66dbb037c5e30a451732403d5e0f278588bf78d4c12d660b75f53713f05e233bb5785942155f5dab88ecb92edc789c8b583621077077f7bee1b56f20dc8584

  • SSDEEP

    393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg196l+ZArYsFRlQ6x:R3on1HvSzxAMN1FZArYsDPv47OZRqIx

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
    Runs PowerShell with its display window hidden.
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely for geofencing.
  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials, among other data.
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)
  • Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
  • Enumerates processes with tasklist (1 TTP, 2 IoCs)
  • Kills process with taskkill (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (28 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
    "C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4344
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
        3⤵
        PID:1436
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -noprofile -
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0mmhcwn\w0mmhcwn.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:512
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES341B.tmp" "c:\Users\Admin\AppData\Local\Temp\w0mmhcwn\CSC818140766A5C469DBC3C62159FB5524.TMP"
            5⤵
            PID:2260
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Windows\system32\curl.exe
        curl http://api.ipify.org/ --ssl-no-revoke
        3⤵
        PID:4188
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3088
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2988
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\system32\taskkill.exe
        taskkill /IM msedge.exe /F
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2424
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3356
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,217,63,211,151,50,59,23,14,157,120,173,214,75,168,44,4,86,215,197,221,15,211,57,168,170,96,26,224,123,202,176,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,18,94,83,33,10,127,43,207,118,25,163,52,85,137,171,176,54,29,140,152,151,60,207,249,173,64,112,136,115,160,201,198,48,0,0,0,128,39,129,224,38,93,129,6,223,202,165,111,102,236,160,251,177,38,22,194,235,129,171,61,192,137,129,16,112,252,72,62,10,204,202,185,244,12,160,149,156,225,125,30,180,211,209,177,64,0,0,0,217,129,143,47,147,156,214,93,117,216,121,231,75,189,241,110,215,1,53,65,179,41,61,227,177,21,51,235,139,102,59,83,7,39,162,98,116,173,160,235,7,227,134,248,109,167,4,20,209,189,188,85,142,159,80,126,61,15,85,255,177,30,169,242), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,217,63,211,151,50,59,23,14,157,120,173,214,75,168,44,4,86,215,197,221,15,211,57,168,170,96,26,224,123,202,176,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,18,94,83,33,10,127,43,207,118,25,163,52,85,137,171,176,54,29,140,152,151,60,207,249,173,64,112,136,115,160,201,198,48,0,0,0,128,39,129,224,38,93,129,6,223,202,165,111,102,236,160,251,177,38,22,194,235,129,171,61,192,137,129,16,112,252,72,62,10,204,202,185,244,12,160,149,156,225,125,30,180,211,209,177,64,0,0,0,217,129,143,47,147,156,214,93,117,216,121,231,75,189,241,110,215,1,53,65,179,41,61,227,177,21,51,235,139,102,59,83,7,39,162,98,116,173,160,235,7,227,134,248,109,167,4,20,209,189,188,85,142,159,80,126,61,15,85,255,177,30,169,242), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2160
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1812
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive get serialnumber
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4584
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
      2⤵
      PID:4512
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
        3⤵
        PID:4452
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
      2⤵
      PID:3908
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
        3⤵
        • Creates scheduled task(s)
        PID:452
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2128
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mctnrend\mctnrend.cmdline"
          4⤵
          PID:3808
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D11.tmp" "c:\Users\Admin\AppData\Local\Temp\mctnrend\CSCF38C7E581E3047888C51AE4E1E55E0A7.TMP"
            5⤵
            PID:2448
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
      2⤵
      PID:4756
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic bios get smbiosbiosversion
        3⤵
        PID:876
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
      2⤵
      PID:1368
      • C:\Windows\system32\cscript.exe
        cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
        3⤵
        PID:4548
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
          4⤵
          PID:2884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:4192
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
      2⤵
      PID:2776
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic baseboard get serialnumber
        3⤵
        PID:1712
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
      2⤵
      PID:5036
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic MemoryChip get /format:list
        3⤵
        PID:1396
      • C:\Windows\system32\find.exe
        find /i "Speed"
        3⤵
        PID:1752
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
      2⤵
      PID:2876
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_computersystemproduct get uuid
        3⤵
        PID:1796
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"
      2⤵
      PID:836
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell wininit.exe
        3⤵
        PID:2516
        • C:\Windows\system32\wininit.exe
          "C:\Windows\system32\wininit.exe"
          4⤵
          PID:2768

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat
    Filesize
    1KB
    MD5
    93f90bda499e44e7497ed86627232b18
    SHA1
    711d3ed2e1d427dd6633ac3f1f258382694ac050
    SHA256
    e396e532af9adbdce7bf1f018313422779f32e750bc8193131525922334821c2
    SHA512
    edc2522ce9afef5bbaf9b89990ecb0913fe5d033979c1015682aa2fecde84bf4d757a484d744cf1bad78904e512b9b9632f3beedba1a743a13719216b0adfb4f
  • C:\ProgramData\edge\Updater\Get-Clipboard.ps1
    Filesize
    3KB
    MD5
    a8834c224450d76421d8e4a34b08691f
    SHA1
    73ed4011bc60ba616b7b81ff9c9cad82fb517c68
    SHA256
    817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5
    SHA512
    672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596
  • C:\ProgramData\edge\Updater\RunBatHidden.vbs
    Filesize
    146B
    MD5
    14a9867ec0265ebf974e440fcd67d837
    SHA1
    ae0e43c2daf4c913f5db17f4d9197f34ab52e254
    SHA256
    cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1
    SHA512
    36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize
    3KB
    MD5
    3f01549ee3e4c18244797530b588dad9
    SHA1
    3e87863fc06995fe4b741357c68931221d6cc0b9
    SHA256
    36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
    SHA512
    73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    1KB
    MD5
    46d6c89b6a449ce91c1a3691c516e10e
    SHA1
    dedf2c05d83a8fc311e39fa86af575866f9f7ece
    SHA256
    f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f
    SHA512
    bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    1KB
    MD5
    40ea760a8d4100ec0132da07107f9cab
    SHA1
    0b4c1dee23c6634bb6f8aa898929e7008959c5ce
    SHA256
    8c233cf826eaa081640bde9ee53964cf0997a9cbdb6c0b4f8a0dbe29da2458f0
    SHA512
    e136f8d523c040e75255702803021566da0f84b810b27ca48f663e2d83e803e9a9234d285e8ae39c5adab9546312dd6462d0d0d3f94876970c61e1f3c269077e
  • C:\Users\Admin\AppData\Local\Temp\RES341B.tmp
    Filesize
    1KB
    MD5
    6bb13bcb668522531e12b8aa780989f2
    SHA1
    13d46ee674ef257f93c43b4c229e66cf35a03167
    SHA256
    ab4d0308827df69bcae352d77b23a5de47915734d2e279118068597a4c8ec53a
    SHA512
    d3a58aa9654e7180e633fdf4242bdaca48f835a1bb1b3344f1c17d397bb75e7b0a85f4b086991f55b3407873d7d00924522087b066affd88e9942b5912967de0
  • C:\Users\Admin\AppData\Local\Temp\RES4D11.tmp
    Filesize
    1KB
    MD5
    050b5340324990343d83d43f32b58348
    SHA1
    fdc7e34990046a1f043dcff942fd57cfef8078d4
    SHA256
    8305dab8650041e8863245b5500339e23e8d09fc0ef4e66802276f37f4c1a79c
    SHA512
    037505c00b9a6f34f292a87b9292e13e4c7f0c37dc8fec17a582717eb489cc1462da28f0351f5014e9c9ce72fc5cd8183f75d92e4887e866d02eada1bd64e2ce
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2pujn1gv.a2s.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\mctnrend\mctnrend.dll
    Filesize
    3KB
    MD5
    9e56d110863764bf3028af3b9a92f23e
    SHA1
    037de48073f1fbbccff72ddd01156ab4e0e2a283
    SHA256
    d78318afa5a89b0002e39cc49dd84081aeccc30883f03ba575e2e955abe31192
    SHA512
    d122360fc968fc47577d1a691a87d077de9a6cf7133db2be75e73be7054a5e0221dd35dfb284940187b956dbbace56a2cdd3240f4d2517829d13ba6690250806
  • C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
    Filesize
    1.8MB
    MD5
    66a65322c9d362a23cf3d3f7735d5430
    SHA1
    ed59f3e4b0b16b759b866ef7293d26a1512b952e
    SHA256
    f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
    SHA512
    0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21
  • C:\Users\Admin\AppData\Local\Temp\temp.ps1
    Filesize
    379B
    MD5
    18047e197c6820559730d01035b2955a
    SHA1
    277179be54bba04c0863aebd496f53b129d47464
    SHA256
    348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3
    SHA512
    1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877
  • C:\Users\Admin\AppData\Local\Temp\w0mmhcwn\w0mmhcwn.dll
    Filesize
    3KB
    MD5
    eb58dbe03d1b93d8a96c67783f53dd26
    SHA1
    9f15357b4878d633e8b2f2d796c39701212ce63e
    SHA256
    19056ffa65c9bbf1a1cf936d7c5334d5ca809f4124f2f5c5f75d8cdfab22af07
    SHA512
    dd26df0ae30a212b4ce214ca0438f96f9f7a54c446aa89ad22a687af426c2e3b785f0ef3d2e987ceb6474fae8b7aa18f85fec7a81e613a36624a231a25e23ddd
  • \??\c:\Users\Admin\AppData\Local\Temp\mctnrend\CSCF38C7E581E3047888C51AE4E1E55E0A7.TMP
    Filesize
    652B
    MD5
    f48ac7dfbfda82c97609716a05853d14
    SHA1
    fe9e419ae14375eaaf0963be6c954649c238db09
    SHA256
    1d749ded5523936dd849bba0e45f692d0f772fe58e01d75f42e5fb8644cf2bcd
    SHA512
    7baf96cf72e5bd56aac778be21f9886ccdaa8e1cd30d05d09392362bc385ce66a8ab26831a8228729485211898d359f9c235ef890c3e9425a46d0b54e4bed534
  • \??\c:\Users\Admin\AppData\Local\Temp\mctnrend\mctnrend.0.cs
    Filesize
    426B
    MD5
    b462a7b0998b386a2047c941506f7c1b
    SHA1
    61e8aa007164305a51fa2f1cebaf3f8e60a6a59f
    SHA256
    a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35
    SHA512
    eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020
  • \??\c:\Users\Admin\AppData\Local\Temp\mctnrend\mctnrend.cmdline
    Filesize
    369B
    MD5
    212306e615dad0968457af27a94ae92c
    SHA1
    5e71813de6e6dc23816cac9f7d31c055135e65e2
    SHA256
    7349202208eb796aa93c4094ee1b8db13bdf7608f445e7c42124f8d3dc6d51d0
    SHA512
    6d78ff17af372237223360c0f44ff02b1279da4af779c33c1408dcb466506681be60628f6df10af0f86102abc46c90fbd1d7377fb0b9b8355c824ee733d6d0ce
  • \??\c:\Users\Admin\AppData\Local\Temp\w0mmhcwn\CSC818140766A5C469DBC3C62159FB5524.TMP
    Filesize
    652B
    MD5
    78a4c9e2e691607e82e1cfde039cc162
    SHA1
    38e9c574f3591c335ee1ac76f71453b05a7c6ddf
    SHA256
    6870c02ab68204d57e74325acb5c0da6f618ef0374802c7c891cc451d701f460
    SHA512
    e744cfd77578192339386a2f1ea4b255bfff668c742b5e07e2bbfb697c29da2a20ab9384fcd641f4c04b5cfb0c59361b35f9ace1a475d5c6445c74567873f393
  • \??\c:\Users\Admin\AppData\Local\Temp\w0mmhcwn\w0mmhcwn.0.cs
    Filesize
    311B
    MD5
    7bc8de6ac8041186ed68c07205656943

                                                  SHA1

                                                  673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

                                                  SHA256

                                                  36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

                                                  SHA512

                                                  0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

                                                • \??\c:\Users\Admin\AppData\Local\Temp\w0mmhcwn\w0mmhcwn.cmdline

                                                  Filesize

                                                  369B

                                                  MD5

                                                  c92fb2951a2884189fd4d2ea33b8cad6

                                                  SHA1

                                                  0cfb61840d77c74da6e8b9d630c2141ae4266362

                                                  SHA256

                                                  2c1b61bcc010365793c12e9e1f9e4cc2e597443775dad05eb08fff5c067433a1

                                                  SHA512

                                                  c3de254803a46ac3dc0cf93e0546ce4825a317739af94af32ee87723170f24be0853f8e7fd823e3e5e19f12670357c89f64841da58854dc631310700590eefd6

                                                • memory/1492-117-0x000001625E750000-0x000001625E7A0000-memory.dmp

                                                  Filesize

                                                  320KB

                                                • memory/2128-185-0x000001ECB2240000-0x000001ECB2248000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/5036-85-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                • memory/5036-104-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                • memory/5036-100-0x000002A407A20000-0x000002A407A28000-memory.dmp

                                                  Filesize

                                                  32KB

                                                • memory/5036-87-0x000002A422450000-0x000002A4224C6000-memory.dmp

                                                  Filesize

                                                  472KB

                                                • memory/5036-86-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                • memory/5036-84-0x000002A421FF0000-0x000002A422034000-memory.dmp

                                                  Filesize

                                                  272KB

                                                • memory/5036-83-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                • memory/5036-73-0x000002A421E30000-0x000002A421E52000-memory.dmp

                                                  Filesize

                                                  136KB

                                                • memory/5036-72-0x00007FFAE3683000-0x00007FFAE3685000-memory.dmp

                                                  Filesize

                                                  8KB
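The three files per folder listed above (<name>.0.cs, <name>.cmdline and a CSC<hex>.TMP inside a random eight-character Temp subfolder) are what csc.exe leaves behind when PowerShell's Add-Type compiles inline C#, which fits the PowerShell signature this report raised. The memory dump names encode a process, a dump index and the dumped address range, so the Filesize column can be checked from the name alone (0x7FFAE4141000 - 0x7FFAE3680000 = 11276288 bytes, shown as 10.8MB). The Python below is an added example, not part of the tria.ge report or its tooling: it sweeps a directory for the csc.exe artifact pattern and for the SHA256 values listed above, and decodes the dump names. The eight-character folder regex is a heuristic, reading the first dump-name field as the PID is an assumption from the report layout, and every file demo() writes is constructed sample data.

```python
"""Triage helpers for the dropped files and memory dumps listed above. Added example
for this page, not tria.ge code: sweeps a %TEMP%-style tree for csc.exe compile
artifacts and the report's SHA256 values, and decodes tria.ge memory-dump names."""
import hashlib, re, tempfile
from pathlib import Path

# SHA256 values copied from the dropped-files list above (report path kept as a label).
REPORT_SHA256 = {
    "1d749ded5523936dd849bba0e45f692d0f772fe58e01d75f42e5fb8644cf2bcd": "mctnrend/CSCF38C7E581E3047888C51AE4E1E55E0A7.TMP",
    "a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35": "mctnrend/mctnrend.0.cs",
    "7349202208eb796aa93c4094ee1b8db13bdf7608f445e7c42124f8d3dc6d51d0": "mctnrend/mctnrend.cmdline",
    "6870c02ab68204d57e74325acb5c0da6f618ef0374802c7c891cc451d701f460": "w0mmhcwn/CSC818140766A5C469DBC3C62159FB5524.TMP",
    "36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697": "w0mmhcwn/w0mmhcwn.0.cs",
    "2c1b61bcc010365793c12e9e1f9e4cc2e597443775dad05eb08fff5c067433a1": "w0mmhcwn/w0mmhcwn.cmdline",
}

# PowerShell Add-Type compiles inline C# via csc.exe in a random 8-character %TEMP%
# subfolder: <name>\<name>.0.cs, <name>\<name>.cmdline, plus csc's own CSC<hex>.TMP.
# The 8-char rule is a heuristic; the hex run is not fixed length (31 and 32 above).
CSC_PATTERNS = (
    ("csc_source", re.compile(r"^[a-z0-9]{8}\.0\.cs$", re.I)),
    ("csc_cmdline", re.compile(r"^[a-z0-9]{8}\.cmdline$", re.I)),
    ("csc_tmp", re.compile(r"^CSC[0-9A-F]{16,}\.TMP$", re.I)),
)

def classify_name(name):
    """Return which csc.exe artifact a bare file name looks like, or None."""
    return next((label for label, rx in CSC_PATTERNS if rx.match(name)), None)

def sha256_file(path):
    """Stream a file through SHA256 so a 37 MB dropper does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(root, known_sha256=REPORT_SHA256):
    """List (relative_path, sha256, reasons) for files that hash to a known value or fit the pattern."""
    root, findings = Path(root), []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        reasons, digest = [], sha256_file(p)
        if digest in known_sha256:
            reasons.append("known_hash:" + known_sha256[digest])
        kind = classify_name(p.name)
        # .0.cs and .cmdline carry their folder's name; demanding that match drops strays.
        if kind == "csc_tmp" or (kind and p.name.lower().startswith(p.parent.name.lower() + ".")):
            reasons.append(kind)
        if reasons:
            findings.append((p.relative_to(root).as_posix(), digest, reasons))
    return findings

# Dump names from the list above: memory/<a>-<b>-0x<start>-0x<end>-memory.dmp. <a> is read
# here as the PID and <b> as a dump index (an assumption from the report layout).
REPORT_DUMPS = [
    "memory/1492-117-0x000001625E750000-0x000001625E7A0000-memory.dmp",
    "memory/2128-185-0x000001ECB2240000-0x000001ECB2248000-memory.dmp",
    "memory/5036-85-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp",
    "memory/5036-104-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp",
    "memory/5036-100-0x000002A407A20000-0x000002A407A28000-memory.dmp",
    "memory/5036-87-0x000002A422450000-0x000002A4224C6000-memory.dmp",
    "memory/5036-86-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp",
    "memory/5036-84-0x000002A421FF0000-0x000002A422034000-memory.dmp",
    "memory/5036-83-0x00007FFAE3680000-0x00007FFAE4141000-memory.dmp",
    "memory/5036-73-0x000002A421E30000-0x000002A421E52000-memory.dmp",
    "memory/5036-72-0x00007FFAE3683000-0x00007FFAE3685000-memory.dmp",
]
DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_dump_name(name):
    """Decode a dump name into (pid, index, start, end, size_bytes), size being end - start."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError("not a tria.ge memory dump name: " + name)
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return pid, idx, start, end, end - start

def unique_regions(names):
    """Group dumps by PID and collapse repeated dumps of the same address range."""
    by_pid = {}
    for n in names:
        pid, _idx, start, end, _size = parse_dump_name(n)
        by_pid.setdefault(pid, set()).add((start, end))
    return {pid: sorted(regions) for pid, regions in by_pid.items()}

def demo():
    """Sweep a constructed %TEMP% look-alike (sample files, not the real drops)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        d = root / "ab3k9x2q"  # constructed 8-character folder in the Add-Type style
        d.mkdir()
        (d / "ab3k9x2q.0.cs").write_text("public class P { }")
        (d / "ab3k9x2q.cmdline").write_text("/t:library /out:ab3k9x2q.dll ab3k9x2q.0.cs")
        (d / "CSC0123456789ABCDEF0123456789ABCDEF.TMP").write_text("[assembly: System.Reflection.AssemblyTitle(\"\")]")
        (root / "notes.txt").write_text("benign text")
        (root / "zzzz1234.0.cs").write_text("public class Q { }")  # not in its own folder: ignored
        known = dict(REPORT_SHA256)
        known[sha256_file(root / "notes.txt")] = "constructed:notes.txt"  # show a hash hit
        return sweep(root, known)
```

Run `sweep(r"C:\Users\<user>\AppData\Local\Temp")` on a suspect host to list both exact-hash matches and any fresh Add-Type compile folders, which change names on every run and so will not match the hashes above. `unique_regions(REPORT_DUMPS)` shows that the nine dumps of PID 5036 cover only six distinct regions; the 10.8MB range at 0x7FFAE3680000 was dumped four times.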