Overview

overview

10

Static

static

3

Loader.exe

windows10-1703-x64

10

Loader.exe

windows7-x64

10

Loader.exe

windows10-2004-x64

10

Loader.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1798s
  • max time network
    1798s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    14-05-2024 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    353KB

  • MD5

    da4a981460566d93b7c25f1527c5d321

  • SHA1

    ad0dc4e6192057d2f80b080741cdfea83c399a0b

  • SHA256

    fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905

  • SHA512

    06d57ca29fb36c3c17f275485a69e58d3bb51a543f7dc96945122ad2108967a7995373ead8ce86eb9efc8131e1ae41dd2ac62cd02acb1933eac494e1ba1c6c93

  • SSDEEP

    6144:ujwCtJxxb+fFgfWNIQudUChHCDomqrnBTcqRVhh69NhSzN+9Im:ujwC/xxpONIFFHCDVqpcqpc9zZO

Score
10/10
xmrigzgratevasionexecutionminerpersistenceratspywarestealerupx

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 9 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Disables Task Manager via registry modification
    evasion
  • Downloads MZ/PE file
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 20 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Users\Admin\AppData\Local\Temp\Checker.exe
      "C:\Users\Admin\AppData\Local\Temp\Checker.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4076
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3140
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:412
          • C:\blockcontainerWincrtdll\Sessionperf.exe
            "C:\blockcontainerWincrtdll/Sessionperf.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3892
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cavg5ra0\cavg5ra0.cmdline"
              6⤵
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:2512
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F18.tmp" "c:\Windows\System32\CSCD5CC967A790D48AD88533488B3BBE26.TMP"
                7⤵
                  PID:3684
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\sppsvc.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4380
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4228
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4068
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4084
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchHost.exe'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:4048
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NmFjvJVljH.bat"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2196
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  7⤵
                    PID:4088
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    7⤵
                      PID:2208
                    • C:\Recovery\WindowsRE\SearchHost.exe
                      "C:\Recovery\WindowsRE\SearchHost.exe"
                      7⤵
                      • Executes dropped EXE
                      • Suspicious behavior: GetForegroundWindowSpam
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      PID:2812
          • C:\Users\Admin\AppData\Local\Temp\Utility.exe
            "C:\Users\Admin\AppData\Local\Temp\Utility.exe"
            2⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            PID:3452
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1368
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:8
              • C:\Windows\system32\wusa.exe
                wusa /uninstall /kb:890830 /quiet /norestart
                4⤵
                  PID:4692
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:596
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1812
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4224
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3564
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe delete "QHRAJGDI"
                3⤵
                • Launches sc.exe
                PID:1904
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
                3⤵
                • Launches sc.exe
                PID:4620
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe stop eventlog
                3⤵
                • Launches sc.exe
                PID:692
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start "QHRAJGDI"
                3⤵
                • Launches sc.exe
                PID:4728
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\blockcontainerWincrtdll\sppsvc.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4496
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4808
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\blockcontainerWincrtdll\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2276
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3652
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1104
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\fontdrvhost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2848
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3764
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1900
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5056
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Idle.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:8
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1812
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:416
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:904
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4720
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4724
          • C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
            C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1092
            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
              2⤵
              • Command and Scripting Interpreter: PowerShell
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:2040
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1716
              • C:\Windows\system32\wusa.exe
                wusa /uninstall /kb:890830 /quiet /norestart
                3⤵
                  PID:4048
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4412
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:396
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2756
              • C:\Windows\system32\powercfg.exe
                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                2⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4992
              • C:\Windows\system32\conhost.exe
                C:\Windows\system32\conhost.exe
                2⤵
                  PID:3092
                • C:\Windows\system32\conhost.exe
                  conhost.exe
                  2⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1548
              • C:\Program Files\Google\Chrome\Application\fontdrvhost.exe
                "C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1720
              • C:\blockcontainerWincrtdll\sppsvc.exe
                C:\blockcontainerWincrtdll\sppsvc.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2804
              • C:\Recovery\WindowsRE\dwm.exe
                C:\Recovery\WindowsRE\dwm.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2348
              • C:\Users\Default User\Idle.exe
                "C:\Users\Default User\Idle.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:3152
              • C:\Program Files\Google\Chrome\Application\fontdrvhost.exe
                "C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:568
              • C:\Recovery\WindowsRE\SearchHost.exe
                C:\Recovery\WindowsRE\SearchHost.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:4896
              • C:\blockcontainerWincrtdll\sppsvc.exe
                C:\blockcontainerWincrtdll\sppsvc.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1012
              • C:\Recovery\WindowsRE\dwm.exe
                C:\Recovery\WindowsRE\dwm.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:3264
              • C:\Program Files\Google\Chrome\Application\fontdrvhost.exe
                "C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:3096
              • C:\blockcontainerWincrtdll\sppsvc.exe
                C:\blockcontainerWincrtdll\sppsvc.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2456
              • C:\Recovery\WindowsRE\dwm.exe
                C:\Recovery\WindowsRE\dwm.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:4520
              • C:\Users\Default User\Idle.exe
                "C:\Users\Default User\Idle.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:948
              • C:\Program Files\Google\Chrome\Application\fontdrvhost.exe
                "C:\Program Files\Google\Chrome\Application\fontdrvhost.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:4760
              • C:\Recovery\WindowsRE\SearchHost.exe
                C:\Recovery\WindowsRE\SearchHost.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1064
              • C:\blockcontainerWincrtdll\sppsvc.exe
                C:\blockcontainerWincrtdll\sppsvc.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:3852

              Network

              MITRE ATT&CK Enterprise v15

              Reconnaissance

              Resource Development

              Initial Access

              Execution

              Command and Scripting Interpreter

              1
              T1059

              PowerShell

              1
              T1059.001

              Scheduled Task/Job

              1
              T1053

              System Services

              2
              T1569

              Service Execution

              2
              T1569.002

              Persistence

              Boot or Logon Autostart Execution

              2
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Winlogon Helper DLL

              1
              T1547.004

              Create or Modify System Process

              2
              T1543

              Windows Service

              2
              T1543.003

              Scheduled Task/Job

              1
              T1053

              Privilege Escalation

              Boot or Logon Autostart Execution

              2
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Winlogon Helper DLL

              1
              T1547.004

              Create or Modify System Process

              2
              T1543

              Windows Service

              2
              T1543.003

              Scheduled Task/Job

              1
              T1053

              Defense Evasion

              Impair Defenses

              1
              T1562

              Modify Registry

              3
              T1112

              Credential Access

              Unsecured Credentials

              1
              T1552

              Credentials In Files

              1
              T1552.001

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              1
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Command and Control

              Exfiltration

              Impact

              Service Stop

              1
              T1489

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log
                Filesize

                847B

                MD5

                2940b232afa412901f8ae5651c790f93

                SHA1

                f79bd5d1433c803515e2d9a016396344187beea2

                SHA256

                16f4a7736a0c2aee54256d3d75ce4c0816fabf130b3b92340deca34c5f5fda43

                SHA512

                553d5491c9bc358c7ce8a95caa445e882ab4bf744a2f5be1b2131c20f27321f65121389fd076558ba415f322fdad6ed36a05902e5c55cbbeace371182890af27

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                Filesize

                2KB

                MD5

                627073ee3ca9676911bee35548eff2b8

                SHA1

                4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                SHA256

                85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                SHA512

                3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                2e8eb51096d6f6781456fef7df731d97

                SHA1

                ec2aaf851a618fb43c3d040a13a71997c25bda43

                SHA256

                96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

                SHA512

                0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                aa4f31835d07347297d35862c9045f4a

                SHA1

                83e728008935d30f98e5480fba4fbccf10cefb05

                SHA256

                99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

                SHA512

                ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                944B

                MD5

                e3840d9bcedfe7017e49ee5d05bd1c46

                SHA1

                272620fb2605bd196df471d62db4b2d280a363c6

                SHA256

                3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

                SHA512

                76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Checker.exe
                Filesize

                3.9MB

                MD5

                1003b37d9d942d41a38a83670eaa285c

                SHA1

                a4ee7ef69fc681caf1116d59578667abb9080ad6

                SHA256

                d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

                SHA512

                0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\NmFjvJVljH.bat
                Filesize

                212B

                MD5

                2beec5ad24e90dd22bc98da01fa2fe49

                SHA1

                5e1a749730ab661b142d00191b52cd1e7293e89d

                SHA256

                7007aab3519930a82178a42d867e34dc6fb0b1e7d60f5fdd14836d0c494ed618

                SHA512

                dba6e5e5cc3291b9abc9f1829ba4a07e3223e8938f5164d5e2af3782831c33fc30a8f07e33a63d641e4c89647d2bd986f1f2cc5335b280b2a35157316da8b28b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\RES5F18.tmp
                Filesize

                1KB

                MD5

                b08cd188315056831f63924d52293357

                SHA1

                c4cad19d29f7290f69565f9f42e7eb2c1fc57b85

                SHA256

                960511dc4e585da3cc2594224dea7a0c97c25af275eef13b2acb225c1ecf3f90

                SHA512

                ccb868f2a666c19a8fbc8a7098aec5185e51f475415dfad1ba78552cd8e194e00fa3fb61b6ca12264738b6fcca990fff84c5aaab54dcf7ab48555d8ae44c6cdb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Utility.exe
                Filesize

                5.0MB

                MD5

                b1ac2ea973651a70ea72597e13a10f0a

                SHA1

                07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

                SHA256

                e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

                SHA512

                02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fweqgnbz.tb4.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe
                Filesize

                228B

                MD5

                4f702b152f4098393712e3fe99b04fbd

                SHA1

                fec2f913e1fac5053127e175f1ba048c9d8dd25c

                SHA256

                f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

                SHA512

                7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

                Download Submit

              • C:\blockcontainerWincrtdll\Sessionperf.exe
                Filesize

                3.6MB

                MD5

                bf0f63bb48eb95aaec6fc6a001c974ce

                SHA1

                19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

                SHA256

                bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

                SHA512

                130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

                Download Submit

              • C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat
                Filesize

                201B

                MD5

                159297f9e35114bf97d74622097780d8

                SHA1

                2aaaf993b9ecb9bae43ccd41585734512ff08355

                SHA256

                650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

                SHA512

                a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\cavg5ra0\cavg5ra0.0.cs
                Filesize

                369B

                MD5

                aa143456ce0c100dbe52c6f26860bf6e

                SHA1

                a158af4607915edbe05c4ef2d4b8d889ee470bed

                SHA256

                ef2a71abf56daf6e1d5d25b7a731b217a161ecd415a82cdc2fcd2631aa75e01a

                SHA512

                c2c132d439bca422909d8e35cca66da2dbb8b9f4c9daf88837f7cf59dce9c19bbe08cbf5306862c77d7482a0ef1b753c271b802ff5ee0a46883817b518a0e4e6

                Download Submit

              • \??\c:\Users\Admin\AppData\Local\Temp\cavg5ra0\cavg5ra0.cmdline
                Filesize

                235B

                MD5

                a80f938991ff2427734a3e9f1a3ffc5a

                SHA1

                de671400ece423518c7f6a463cbbb79b72dc28f6

                SHA256

                40ed650d1bed8634e1f10783f273d9afcd04c488231d0be41e6b028e82e40df7

                SHA512

                51fd52227936e2a9be8f5b25462889448644b74f508100b08f8cc34337213e0d24f0158978f3753ecdd0b491362db7541ddd8928a8b3be96b58f6d6ffe7e8d0f

                Download Submit

              • \??\c:\Windows\System32\CSCD5CC967A790D48AD88533488B3BBE26.TMP
                Filesize

                1KB

                MD5

                ea2f5a870429cbb69781d4e52b72ae9a

                SHA1

                db13a37a4edc79d97ffa246cf2772215a204bce9

                SHA256

                341d3939c2cfbd6d7b4687d412fe896e3c2590523d03119616cb068a0c85cb45

                SHA512

                f9f4e0170e33f075bdbd7ea5cfabff0109ea04b63121a50fa6226e68c8955f0e6828d8c46d3c02341dd68adde2028998a9fd0d25db560f956fa37d8dc73e94c4

                Download Submit

              • memory/1368-210-0x000001D12E3D0000-0x000001D12E51F000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/1548-261-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-262-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-258-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-255-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-257-0x0000015985C10000-0x0000015985C30000-memory.dmp

                Filesize

                128KB

                Download

              • memory/1548-250-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-251-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-252-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-260-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-259-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-254-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-256-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-253-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-298-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/1548-299-0x0000000140000000-0x0000000140848000-memory.dmp

                Filesize

                8.3MB

                Download

              • memory/2040-231-0x00000198D4050000-0x00000198D4103000-memory.dmp

                Filesize

                716KB

                Download

              • memory/2040-232-0x00000198D4020000-0x00000198D402A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2040-230-0x00000198D4030000-0x00000198D404C000-memory.dmp

                Filesize

                112KB

                Download

              • memory/2040-233-0x00000198D4230000-0x00000198D424C000-memory.dmp

                Filesize

                112KB

                Download

              • memory/2040-234-0x00000198D4210000-0x00000198D421A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2040-235-0x00000198D4270000-0x00000198D428A000-memory.dmp

                Filesize

                104KB

                Download

              • memory/2040-236-0x00000198D4220000-0x00000198D4228000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2040-237-0x00000198D4250000-0x00000198D4256000-memory.dmp

                Filesize

                24KB

                Download

              • memory/2040-238-0x00000198D4260000-0x00000198D426A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2040-241-0x00000198D3B70000-0x00000198D3CBF000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/2812-265-0x000000001CC10000-0x000000001CC7F000-memory.dmp

                Filesize

                444KB

                Download

              • memory/2812-264-0x000000001CA70000-0x000000001CA79000-memory.dmp

                Filesize

                36KB

                Download

              • memory/2812-263-0x000000001D3E0000-0x000000001D48F000-memory.dmp

                Filesize

                700KB

                Download

              • memory/3092-244-0x0000000140000000-0x000000014000E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3092-246-0x0000000140000000-0x000000014000E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3092-249-0x0000000140000000-0x000000014000E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3092-242-0x0000000140000000-0x000000014000E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3092-243-0x0000000140000000-0x000000014000E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3092-245-0x0000000140000000-0x000000014000E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3892-51-0x0000000002720000-0x0000000002730000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3892-63-0x000000001BFE0000-0x000000001BFF6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/3892-86-0x000000001C360000-0x000000001C3AE000-memory.dmp

                Filesize

                312KB

                Download

              • memory/3892-84-0x000000001C060000-0x000000001C06C000-memory.dmp

                Filesize

                48KB

                Download

              • memory/3892-82-0x000000001C2F0000-0x000000001C308000-memory.dmp

                Filesize

                96KB

                Download

              • memory/3892-80-0x000000001C050000-0x000000001C05E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3892-78-0x000000001C040000-0x000000001C050000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3892-76-0x000000001C030000-0x000000001C03E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3892-74-0x000000001C090000-0x000000001C0EA000-memory.dmp

                Filesize

                360KB

                Download

              • memory/3892-72-0x000000001C020000-0x000000001C030000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3892-70-0x000000001BFB0000-0x000000001BFC0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3892-68-0x000000001BFA0000-0x000000001BFAE000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3892-66-0x000000001C550000-0x000000001CA78000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/3892-36-0x00000000001C0000-0x0000000000562000-memory.dmp

                Filesize

                3.6MB

                Download

              • memory/3892-38-0x000000001B210000-0x000000001B236000-memory.dmp

                Filesize

                152KB

                Download

              • memory/3892-40-0x0000000000E00000-0x0000000000E0E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3892-42-0x000000001BEE0000-0x000000001BEFC000-memory.dmp

                Filesize

                112KB

                Download

              • memory/3892-43-0x000000001BF50000-0x000000001BFA0000-memory.dmp

                Filesize

                320KB

                Download

              • memory/3892-65-0x000000001C000000-0x000000001C012000-memory.dmp

                Filesize

                72KB

                Download

              • memory/3892-45-0x0000000000E10000-0x0000000000E20000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3892-61-0x000000001BF40000-0x000000001BF50000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3892-59-0x000000001BF10000-0x000000001BF1C000-memory.dmp

                Filesize

                48KB

                Download

              • memory/3892-57-0x000000001BFC0000-0x000000001BFD2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/3892-55-0x000000001BF00000-0x000000001BF0E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3892-53-0x000000001B240000-0x000000001B24E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/3892-147-0x000000001CD80000-0x000000001CE2F000-memory.dmp

                Filesize

                700KB

                Download

              • memory/3892-49-0x0000000000E20000-0x0000000000E30000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3892-47-0x000000001BF20000-0x000000001BF38000-memory.dmp

                Filesize

                96KB

                Download

              • memory/4048-172-0x000001EFF3420000-0x000001EFF356F000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/4068-169-0x0000022256C50000-0x0000022256D9F000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/4084-163-0x000002876E290000-0x000002876E3DF000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/4228-166-0x00000219F3930000-0x00000219F3A7F000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/4380-162-0x000001A233090000-0x000001A2331DF000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/4380-117-0x000001A21AE20000-0x000001A21AE42000-memory.dmp

                Filesize

                136KB

                Download

              • memory/5004-0-0x00007FF815A93000-0x00007FF815A95000-memory.dmp

                Filesize

                8KB

                Download

              • memory/5004-31-0x00007FF815A90000-0x00007FF816552000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/5004-2-0x00007FF815A90000-0x00007FF816552000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/5004-1-0x0000000000920000-0x000000000097E000-memory.dmp

                Filesize

                376KB

                Download