b566ae677715b04a4def6b4cdd07ec7122ceabdc78c8f3bb39be9fee2fdda152

Resubmissions

27/06/2024, 22:56

240627-2w6n6ayfnl 8

27/06/2024, 08:38

240627-kj39tsvdjl 10

27/06/2024, 08:23

240627-kadykstdnr 10

Analysis

max time kernel
123s
max time network
123s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/06/2024, 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Voruse.exe
Size

6KB
MD5

054bbba876dc2d8952893f820db51ec2
SHA1

2d4ff8b89b79eb81770c40ce987da0ce85ed2543
SHA256

b566ae677715b04a4def6b4cdd07ec7122ceabdc78c8f3bb39be9fee2fdda152
SHA512

d3d87fdd4aad0296d45d57be0cc979d60c8ac93a2ded615ba0d306bf6e1e5ed7c65ff6d74857e45db78ec4fc81b526a38fb83c8455c637144c61398175f143ea
SSDEEP

96:ML1nIspKBH15rvOEYrjUQ79RCPYmhhVQVUY1sYckgzNt:ML1nNevQE29RNmPuti

Score

10^/10

evasion trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/3388-37-0x0000023254860000-0x00000232548A2000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ms-content.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ms-content.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ms-content.com

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	ms-content.com

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
380	ms-content.com
2528	ms-content.com
3864	ms-content.com
3388	ms-content.com

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ms-content.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	ms-content.com

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
10	discord.com
16	raw.githubusercontent.com
2	raw.githubusercontent.com
5	raw.githubusercontent.com
6	discord.com
7	discord.com
8	raw.githubusercontent.com
9	raw.githubusercontent.com
1	raw.githubusercontent.com
4	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	api.ipify.org
18	api.ipify.org
19	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3700	taskkill.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2528	ms-content.com
2528	ms-content.com
3388	ms-content.com
3388	ms-content.com
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
4156	powershell.exe
4156	powershell.exe
3912	powershell.exe
3576	powershell.exe
4156	powershell.exe
4156	powershell.exe
3576	powershell.exe
3576	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
4688	powershell.exe
4688	powershell.exe
3576	powershell.exe
4764	powershell.exe
4764	powershell.exe
3912	powershell.exe
3912	powershell.exe
4764	powershell.exe
4688	powershell.exe
4764	powershell.exe
4644	powershell.exe
4644	powershell.exe
2452	powershell.exe
2452	powershell.exe
4688	powershell.exe
4852	powershell.exe
4852	powershell.exe
3724	powershell.exe
3724	powershell.exe
3912	powershell.exe
3724	powershell.exe
1728	powershell.exe
1728	powershell.exe
3196	powershell.exe
3196	powershell.exe
2452	powershell.exe
4852	powershell.exe
592	powershell.exe
592	powershell.exe
3724	powershell.exe
1728	powershell.exe
4852	powershell.exe
2452	powershell.exe
3196	powershell.exe
592	powershell.exe
1728	powershell.exe
3196	powershell.exe
592	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	204	Voruse.exe
Token: SeDebugPrivilege	380	ms-content.com
Token: SeDebugPrivilege	2528	ms-content.com
Token: SeDebugPrivilege	3864	ms-content.com
Token: SeDebugPrivilege	3388	ms-content.com
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeIncreaseQuotaPrivilege	2060	powershell.exe
Token: SeSecurityPrivilege	2060	powershell.exe
Token: SeTakeOwnershipPrivilege	2060	powershell.exe
Token: SeLoadDriverPrivilege	2060	powershell.exe
Token: SeSystemProfilePrivilege	2060	powershell.exe
Token: SeSystemtimePrivilege	2060	powershell.exe
Token: SeProfSingleProcessPrivilege	2060	powershell.exe
Token: SeIncBasePriorityPrivilege	2060	powershell.exe
Token: SeCreatePagefilePrivilege	2060	powershell.exe
Token: SeBackupPrivilege	2060	powershell.exe
Token: SeRestorePrivilege	2060	powershell.exe
Token: SeShutdownPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeSystemEnvironmentPrivilege	2060	powershell.exe
Token: SeRemoteShutdownPrivilege	2060	powershell.exe
Token: SeUndockPrivilege	2060	powershell.exe
Token: SeManageVolumePrivilege	2060	powershell.exe
Token: 33	2060	powershell.exe
Token: 34	2060	powershell.exe
Token: 35	2060	powershell.exe
Token: 36	2060	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	3912	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeIncreaseQuotaPrivilege	4156	powershell.exe
Token: SeSecurityPrivilege	4156	powershell.exe
Token: SeTakeOwnershipPrivilege	4156	powershell.exe
Token: SeLoadDriverPrivilege	4156	powershell.exe
Token: SeSystemProfilePrivilege	4156	powershell.exe
Token: SeSystemtimePrivilege	4156	powershell.exe
Token: SeProfSingleProcessPrivilege	4156	powershell.exe
Token: SeIncBasePriorityPrivilege	4156	powershell.exe
Token: SeCreatePagefilePrivilege	4156	powershell.exe
Token: SeBackupPrivilege	4156	powershell.exe
Token: SeRestorePrivilege	4156	powershell.exe
Token: SeShutdownPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeSystemEnvironmentPrivilege	4156	powershell.exe
Token: SeRemoteShutdownPrivilege	4156	powershell.exe
Token: SeUndockPrivilege	4156	powershell.exe
Token: SeManageVolumePrivilege	4156	powershell.exe
Token: 33	4156	powershell.exe
Token: 34	4156	powershell.exe
Token: 35	4156	powershell.exe
Token: 36	4156	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeIncreaseQuotaPrivilege	3576	powershell.exe
Token: SeSecurityPrivilege	3576	powershell.exe
Token: SeTakeOwnershipPrivilege	3576	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 204 wrote to memory of 380	204	Voruse.exe	75
PID 204 wrote to memory of 380	204	Voruse.exe	75
PID 380 wrote to memory of 2528	380	ms-content.com	77
PID 380 wrote to memory of 2528	380	ms-content.com	77
PID 204 wrote to memory of 3864	204	Voruse.exe	79
PID 204 wrote to memory of 3864	204	Voruse.exe	79
PID 3864 wrote to memory of 3388	3864	ms-content.com	81
PID 3864 wrote to memory of 3388	3864	ms-content.com	81
PID 3388 wrote to memory of 3700	3388	ms-content.com	83
PID 3388 wrote to memory of 3700	3388	ms-content.com	83
PID 3388 wrote to memory of 2060	3388	ms-content.com	89
PID 3388 wrote to memory of 2060	3388	ms-content.com	89
PID 3388 wrote to memory of 4156	3388	ms-content.com	92
PID 3388 wrote to memory of 4156	3388	ms-content.com	92
PID 3388 wrote to memory of 3912	3388	ms-content.com	94
PID 3388 wrote to memory of 3912	3388	ms-content.com	94
PID 3388 wrote to memory of 3576	3388	ms-content.com	96
PID 3388 wrote to memory of 3576	3388	ms-content.com	96
PID 3388 wrote to memory of 4644	3388	ms-content.com	98
PID 3388 wrote to memory of 4644	3388	ms-content.com	98
PID 3388 wrote to memory of 4688	3388	ms-content.com	100
PID 3388 wrote to memory of 4688	3388	ms-content.com	100
PID 3388 wrote to memory of 4764	3388	ms-content.com	102
PID 3388 wrote to memory of 4764	3388	ms-content.com	102
PID 3388 wrote to memory of 2452	3388	ms-content.com	104
PID 3388 wrote to memory of 2452	3388	ms-content.com	104
PID 3388 wrote to memory of 4852	3388	ms-content.com	106
PID 3388 wrote to memory of 4852	3388	ms-content.com	106
PID 3388 wrote to memory of 3724	3388	ms-content.com	108
PID 3388 wrote to memory of 3724	3388	ms-content.com	108
PID 3388 wrote to memory of 1728	3388	ms-content.com	110
PID 3388 wrote to memory of 1728	3388	ms-content.com	110
PID 3388 wrote to memory of 3196	3388	ms-content.com	112
PID 3388 wrote to memory of 3196	3388	ms-content.com	112
PID 3388 wrote to memory of 592	3388	ms-content.com	114
PID 3388 wrote to memory of 592	3388	ms-content.com	114

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	ms-content.com

C:\Users\Admin\AppData\Local\Temp\Voruse.exe
"C:\Users\Admin\AppData\Local\Temp\Voruse.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:204
- C:\Users\Admin\AppData\Roaming\ms-content.com
  "C:\Users\Admin\AppData\Roaming\ms-content.com"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Users\Admin\AppData\Roaming\ms-content.com
    "C:\Users\Admin\AppData\Roaming\ms-content.com" i
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- C:\Users\Admin\AppData\Roaming\ms-content.com
  "C:\Users\Admin\AppData\Roaming\ms-content.com"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Roaming\ms-content.com
    "C:\Users\Admin\AppData\Roaming\ms-content.com" i
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3388
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /pid 2528 /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4764
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:592

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ms-content.com.log

Filesize
636B

MD5
d22c33a3f9224a584d6c3308c0d0b828

SHA1
255ff30b4c7d923eac88e67f4465674f2541a083

SHA256
af6e56255d593837a4239f8595722408d94bb725273689c4f2641b2173e9369c

SHA512
6a3e0d8c958d735c8ed90ecb05f005d2112da2116814fed5662e3fe9613b39f908b9f7a6f5d5b1c5025830934ef94072a25d7ea5f9b7ad01afd9b5d324dc6ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10523537ee1bd451ed21552b371a59d5

SHA1
7f1b74832acbc11c34a964bfc834e31a2180150e

SHA256
e823b6ccfbe6161ad5e243d62acb98c69ee2fa808e9d3d3fcb7a9fc5f141ac52

SHA512
bd6cc27820d893e7ac63f0e416b0811f5a3c7e2a6043e198bd19fbe1f6a1f2ac37902dc6877b37519892995ddd5aaabb5dbdcc1fd25d3959acf7593db61e2125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10b173a779265fd545c2477e427015d8

SHA1
dc9df7afffc9b837fc8f1c3bd0fd69291bac5bdc

SHA256
94bfc3e45442048b97f2b03162a9fc5cb14c1af9d988eaa8799e556ecb882d2a

SHA512
035d0ef2e92e414f74b97f8bcd4fd240da6dfbd5b4f0364049c0adcef986d260a0a819c8ed31152d51114361e63d02ecaa73a00816fa3f8a749471fe0c6e5db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2b91dcc39072d4a9c2fa290a5c19cc46

SHA1
2cf1a74abd366f6902ae39d4a86c17d2784eb9d4

SHA256
6fee109442cac508f74701a746245132bb90873b4abf6c312367729ce7e7f6c9

SHA512
4530a20de7059902e1871a338a0a0a4db0907a06613315673ac58b683cc369b15dfd37d8f298b29d22e308bf78b2332f9634685d06a63287f3e4c16a62b01732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08b491e52cfa500bd6592cb47b64e18f

SHA1
2b2525f9f5f4d3a26f6aa7593eb4bdf9315ace03

SHA256
3ba6eaa3af75e2bd05b9667a6a3bb962a72af6d631cf16af0a9da0a11dc3c3b0

SHA512
4bcf6b42411520ce5d10a20b65ebbb0958acf5870b51c4cd8f2d6d691fbdcb0fd756a1473a9c20d0ca0d0602dcdf4f2165fe568a9fe14eeb8dd8b7177b35e8e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
591ab3b1220f6445954d6fb078ce8baf

SHA1
6ae033e8435e453a0a765a5fd101217154b14f0a

SHA256
ee4d92741d30a1becc671cba1ad03e6b47b394b2265b730ce732ea9ddc82229d

SHA512
aa54ac1dbbd0efda0212e8046e5d613e40d1cbc68400d4d3b4c6f7a13ff91d5f941aa9a82f4d726ffbeae329dc128207eab5c6eccb1299e35b36d570c066b5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0987f2700f9b9a6b9659078d3cdf583f

SHA1
c5edcf82f393afd3ff9a7702bb33a94615075547

SHA256
e06f8bd03a2746b2c22d660c29b8832713abdbeb0b288502d69d8d97e303aaad

SHA512
597dd8a369de544a60eefe9aba1d9e2aba50565f94679b716ddc8df23a7550a24db6f25834d543adad9a03756f959d756be00be06f77691b17db25f742b2f2c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1decb4c25ed1ee90cd4ec1ff3479a293

SHA1
b9455b12b5bf0d29327606a50ddae82a8ac73380

SHA256
ea1fa01f821d24c1ad9675253462ab4267b1557e9dba34afb67c9d81aa007ddb

SHA512
1576c458c808431833afd276bbec4032fd7c5f530ff67480114c23cb9eaf97d9965248cd2ce922a65d77f1bb802a24c1e448bcc05400099e99b16da573ff790e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64483aa2aa7379645b56f0535f75f810

SHA1
8a4a9ebac83f25a132f5251d3947a265528798bd

SHA256
246df732bf5dd11108d7111d19853fdd9fbf6ca89004445c6eeb794724d1d6fa

SHA512
427cb008fd8bd8402ab4c9989643d4cfb477e57ad0c690d4a2d2bf6f15fa3bd92d28f5806b09cfa4f59997aea2bf69ff54f69b905c0985a289633400ae989e88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd1e4c38c66c743b5c46a655824c9ce5

SHA1
407e64a4af0ad092a71b10ec4b57f094fb43465d

SHA256
636f9b56529bc623b26d8d668c761a194abf8edd0eef9ba62669559d904c825b

SHA512
9f2a9fca7bc774f6bb011a50d80fbc33014ef9479fadf7fcedf1b5bab5b316f36082e7571b22dfa357a318c52be425e82b82f97549ecb471d5ec6ab9e24ea19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ekvynox.gm0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Sodium.dll

Filesize
59KB

MD5
fa95d735f88e819edc0cef02d3ee4781

SHA1
9e3c03ee4b0efeedf59edaca15ea304d2ec4cec7

SHA256
bf5b02ac516e9b62086649f43a29287c7872bbdb87512e9d5ec1be681c77a94a

SHA512
554cf8906c7e4bc15653685e70e96995bfdf0803fb30ca196d8bc34f9bfb888a7a1de64e8441415155889893ac7769bb643aa87913f5176c80588b1e3a38348b

Download Submit
C:\Users\Admin\AppData\Roaming\ms-content.com

Filesize
2.6MB

MD5
7d35413d43883467a377e9d92f3b61cb

SHA1
486daafbe84da67d84cdd51d38850ef12608654d

SHA256
d2f127ef53ef33f1ae85ce4cac3743d88dff6fbf9ddc45e47a57470208071bd0

SHA512
b691834c0fbb6a34f75817bb4c3c2b480de19e802cd5988a0e4291c84c7bf69435d49b914a865094799d566e3229a09f5f893dbf8d8a6599ae6515abc148454d

Download Submit
memory/204-18-0x00007FFA9F7A0000-0x00007FFAA018C000-memory.dmp

Filesize
9.9MB

Download
memory/204-2-0x00007FFA9F7A0000-0x00007FFAA018C000-memory.dmp

Filesize
9.9MB

Download
memory/204-1-0x00007FFA9F7A3000-0x00007FFA9F7A4000-memory.dmp

Filesize
4KB

Download
memory/204-0-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/380-14-0x00007FFA9F7A0000-0x00007FFAA018C000-memory.dmp

Filesize
9.9MB

Download
memory/380-11-0x00007FFA9F7A0000-0x00007FFAA018C000-memory.dmp

Filesize
9.9MB

Download
memory/380-9-0x000002B781910000-0x000002B78191A000-memory.dmp

Filesize
40KB

Download
memory/380-10-0x00007FFA9F7A0000-0x00007FFAA018C000-memory.dmp

Filesize
9.9MB

Download
memory/380-8-0x000002B7FF790000-0x000002B7FFA26000-memory.dmp

Filesize
2.6MB

Download
memory/2060-44-0x0000015FC5AD0000-0x0000015FC5B46000-memory.dmp

Filesize
472KB

Download
memory/2528-26-0x0000017E6CF50000-0x0000017E6CF92000-memory.dmp

Filesize
264KB

Download
memory/2528-24-0x0000017E6C310000-0x0000017E6C31A000-memory.dmp

Filesize
40KB

Download
memory/2528-19-0x0000017E6C1D0000-0x0000017E6C282000-memory.dmp

Filesize
712KB

Download
memory/2528-20-0x0000017E6CC50000-0x0000017E6CD2E000-memory.dmp

Filesize
888KB

Download
memory/2528-30-0x0000017E6CFD0000-0x0000017E6CFD8000-memory.dmp

Filesize
32KB

Download
memory/2528-23-0x0000017E6C300000-0x0000017E6C30A000-memory.dmp

Filesize
40KB

Download
memory/2528-21-0x0000017E6CD30000-0x0000017E6CE82000-memory.dmp

Filesize
1.3MB

Download
memory/2528-29-0x0000017E6CFA0000-0x0000017E6CFBC000-memory.dmp

Filesize
112KB

Download
memory/2528-27-0x0000017E6C320000-0x0000017E6C346000-memory.dmp

Filesize
152KB

Download
memory/2528-33-0x0000017E6D020000-0x0000017E6D042000-memory.dmp

Filesize
136KB

Download
memory/2528-28-0x0000017E6CF90000-0x0000017E6CFA4000-memory.dmp

Filesize
80KB

Download
memory/2528-22-0x0000017E6CE80000-0x0000017E6CF50000-memory.dmp

Filesize
832KB

Download
memory/3388-36-0x0000023254570000-0x000002325457C000-memory.dmp

Filesize
48KB

Download
memory/3388-32-0x0000023253EA0000-0x0000023253EB4000-memory.dmp

Filesize
80KB

Download
memory/3388-37-0x0000023254860000-0x00000232548A2000-memory.dmp

Filesize
264KB

Download