1d0b5129b49db9b7305574582cb3aba310f2724f665fb5885aea5d05622f1feb

Analysis

max time kernel
1800s
max time network
1152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AJProxy.exe
Size

154.6MB
MD5

ba4bd8c91477e8bf23e94972e311d5c6
SHA1

3666d390e63bed0165c7fc6266dd9a9673c2b1ba
SHA256

768b71f0803005172af06d9b76ae9d6b58b2c1b2af6c5e5a3000fc6b37f47e14
SHA512

a70bab7291661fb8b062f8ea8bc99237eed1379e1b9d0f7f0e2445a46b75ad9163a434b5630e40106a51c46dd0c0939a654f3d8888e768210dc8ed068947e658
SSDEEP

1572864:QCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:qDAgZi

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	AJProxy.exe

Loads dropped DLL 2 IoCs

pid	Process
3956	AJProxy.exe
3956	AJProxy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
25	raw.githubusercontent.com

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
4136	cmd.exe
4968	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2672	tasklist.exe
2508	tasklist.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	AJProxy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	AJProxy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AJProxy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AJProxy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AJProxy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	AJProxy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	AJProxy.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3868	powershell.exe
3868	powershell.exe
3868	powershell.exe
1452	powershell.exe
1452	powershell.exe
1452	powershell.exe
2396	AJProxy.exe
2396	AJProxy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2000	WMIC.exe
Token: SeSecurityPrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	2000	WMIC.exe
Token: SeLoadDriverPrivilege	2000	WMIC.exe
Token: SeSystemProfilePrivilege	2000	WMIC.exe
Token: SeSystemtimePrivilege	2000	WMIC.exe
Token: SeProfSingleProcessPrivilege	2000	WMIC.exe
Token: SeIncBasePriorityPrivilege	2000	WMIC.exe
Token: SeCreatePagefilePrivilege	2000	WMIC.exe
Token: SeBackupPrivilege	2000	WMIC.exe
Token: SeRestorePrivilege	2000	WMIC.exe
Token: SeShutdownPrivilege	2000	WMIC.exe
Token: SeDebugPrivilege	2000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2000	WMIC.exe
Token: SeRemoteShutdownPrivilege	2000	WMIC.exe
Token: SeUndockPrivilege	2000	WMIC.exe
Token: SeManageVolumePrivilege	2000	WMIC.exe
Token: 33	2000	WMIC.exe
Token: 34	2000	WMIC.exe
Token: 35	2000	WMIC.exe
Token: 36	2000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2000	WMIC.exe
Token: SeSecurityPrivilege	2000	WMIC.exe
Token: SeTakeOwnershipPrivilege	2000	WMIC.exe
Token: SeLoadDriverPrivilege	2000	WMIC.exe
Token: SeSystemProfilePrivilege	2000	WMIC.exe
Token: SeSystemtimePrivilege	2000	WMIC.exe
Token: SeProfSingleProcessPrivilege	2000	WMIC.exe
Token: SeIncBasePriorityPrivilege	2000	WMIC.exe
Token: SeCreatePagefilePrivilege	2000	WMIC.exe
Token: SeBackupPrivilege	2000	WMIC.exe
Token: SeRestorePrivilege	2000	WMIC.exe
Token: SeShutdownPrivilege	2000	WMIC.exe
Token: SeDebugPrivilege	2000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2000	WMIC.exe
Token: SeRemoteShutdownPrivilege	2000	WMIC.exe
Token: SeUndockPrivilege	2000	WMIC.exe
Token: SeManageVolumePrivilege	2000	WMIC.exe
Token: 33	2000	WMIC.exe
Token: 34	2000	WMIC.exe
Token: 35	2000	WMIC.exe
Token: 36	2000	WMIC.exe
Token: SeShutdownPrivilege	3956	AJProxy.exe
Token: SeCreatePagefilePrivilege	3956	AJProxy.exe
Token: SeDebugPrivilege	2508	tasklist.exe
Token: SeDebugPrivilege	2672	tasklist.exe
Token: SeShutdownPrivilege	3956	AJProxy.exe
Token: SeCreatePagefilePrivilege	3956	AJProxy.exe
Token: SeShutdownPrivilege	3956	AJProxy.exe
Token: SeCreatePagefilePrivilege	3956	AJProxy.exe
Token: SeShutdownPrivilege	3956	AJProxy.exe
Token: SeCreatePagefilePrivilege	3956	AJProxy.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeShutdownPrivilege	3956	AJProxy.exe
Token: SeCreatePagefilePrivilege	3956	AJProxy.exe
Token: SeShutdownPrivilege	3956	AJProxy.exe
Token: SeCreatePagefilePrivilege	3956	AJProxy.exe
Token: SeShutdownPrivilege	3956	AJProxy.exe
Token: SeCreatePagefilePrivilege	3956	AJProxy.exe
Token: SeShutdownPrivilege	3956	AJProxy.exe
Token: SeCreatePagefilePrivilege	3956	AJProxy.exe
Token: SeShutdownPrivilege	3956	AJProxy.exe
Token: SeCreatePagefilePrivilege	3956	AJProxy.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 4276	3956	AJProxy.exe	88
PID 3956 wrote to memory of 4276	3956	AJProxy.exe	88
PID 4276 wrote to memory of 2000	4276	cmd.exe	90
PID 4276 wrote to memory of 2000	4276	cmd.exe	90
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 2212	3956	AJProxy.exe	93
PID 3956 wrote to memory of 1808	3956	AJProxy.exe	94
PID 3956 wrote to memory of 1808	3956	AJProxy.exe	94
PID 3956 wrote to memory of 3920	3956	AJProxy.exe	95
PID 3956 wrote to memory of 3920	3956	AJProxy.exe	95
PID 3956 wrote to memory of 2568	3956	AJProxy.exe	97
PID 3956 wrote to memory of 2568	3956	AJProxy.exe	97
PID 3920 wrote to memory of 2508	3920	cmd.exe	99
PID 3920 wrote to memory of 2508	3920	cmd.exe	99
PID 2568 wrote to memory of 2672	2568	cmd.exe	100
PID 2568 wrote to memory of 2672	2568	cmd.exe	100
PID 3956 wrote to memory of 4136	3956	AJProxy.exe	102
PID 3956 wrote to memory of 4136	3956	AJProxy.exe	102
PID 4136 wrote to memory of 3868	4136	cmd.exe	104
PID 4136 wrote to memory of 3868	4136	cmd.exe	104
PID 3956 wrote to memory of 4968	3956	AJProxy.exe	105
PID 3956 wrote to memory of 4968	3956	AJProxy.exe	105
PID 4968 wrote to memory of 1452	4968	cmd.exe	107
PID 4968 wrote to memory of 1452	4968	cmd.exe	107
PID 3956 wrote to memory of 2396	3956	AJProxy.exe	122
PID 3956 wrote to memory of 2396	3956	AJProxy.exe	122

C:\Users\Admin\AppData\Local\Temp\AJProxy.exe
"C:\Users\Admin\AppData\Local\Temp\AJProxy.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "WMIC csproduct get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC csproduct get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- C:\Users\Admin\AppData\Local\Temp\AJProxy.exe
  "C:\Users\Admin\AppData\Local\Temp\AJProxy.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\AJProxy" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1900,i,6154344581152329210,16281266754128022186,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2212
- C:\Users\Admin\AppData\Local\Temp\AJProxy.exe
  "C:\Users\Admin\AppData\Local\Temp\AJProxy.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\AJProxy" --mojo-platform-channel-handle=2136 --field-trial-handle=1900,i,6154344581152329210,16281266754128022186,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,63,148,94,215,45,68,211,72,154,201,163,107,233,226,232,177,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,115,20,54,168,32,97,244,143,97,151,19,223,167,94,142,66,73,244,230,96,5,28,15,20,90,128,144,95,76,6,125,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,148,103,240,241,227,169,217,71,9,67,167,211,200,24,135,245,245,95,48,41,160,5,233,196,158,246,201,239,202,98,76,100,48,0,0,0,89,242,20,207,13,106,252,33,186,45,233,248,70,147,68,8,113,234,241,130,57,87,26,113,5,182,239,174,179,249,36,146,163,253,186,168,230,8,135,144,59,214,176,74,74,118,150,41,64,0,0,0,30,10,198,142,173,238,114,204,14,209,198,2,217,106,107,78,79,45,57,201,214,186,231,24,88,36,198,47,161,208,122,254,223,240,86,96,116,50,48,232,111,132,248,94,173,24,72,48,48,229,146,231,120,98,200,29,108,59,84,241,108,236,134,71), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,63,148,94,215,45,68,211,72,154,201,163,107,233,226,232,177,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,143,115,20,54,168,32,97,244,143,97,151,19,223,167,94,142,66,73,244,230,96,5,28,15,20,90,128,144,95,76,6,125,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,148,103,240,241,227,169,217,71,9,67,167,211,200,24,135,245,245,95,48,41,160,5,233,196,158,246,201,239,202,98,76,100,48,0,0,0,89,242,20,207,13,106,252,33,186,45,233,248,70,147,68,8,113,234,241,130,57,87,26,113,5,182,239,174,179,249,36,146,163,253,186,168,230,8,135,144,59,214,176,74,74,118,150,41,64,0,0,0,30,10,198,142,173,238,114,204,14,209,198,2,217,106,107,78,79,45,57,201,214,186,231,24,88,36,198,47,161,208,122,254,223,240,86,96,116,50,48,232,111,132,248,94,173,24,72,48,48,229,146,231,120,98,200,29,108,59,84,241,108,236,134,71), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,63,148,94,215,45,68,211,72,154,201,163,107,233,226,232,177,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,21,216,147,164,40,111,6,51,101,6,76,4,183,182,149,224,165,96,1,41,112,199,29,85,222,173,67,42,45,119,189,236,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,61,86,48,108,112,207,26,228,192,84,211,42,22,181,228,46,248,89,125,115,247,207,63,151,199,6,104,208,162,8,134,41,48,0,0,0,99,134,28,42,100,118,189,166,9,27,60,214,174,32,138,10,144,123,149,51,41,151,10,249,31,55,192,57,250,28,165,210,76,123,98,207,186,250,209,107,54,148,77,203,106,0,106,146,64,0,0,0,244,176,98,129,224,53,136,231,161,102,120,147,43,99,157,107,27,44,34,54,41,35,158,182,86,208,148,105,231,251,2,252,206,40,119,17,98,2,57,147,69,51,17,106,59,125,60,227,214,179,221,102,48,104,179,201,166,22,153,201,63,92,17,174), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,63,148,94,215,45,68,211,72,154,201,163,107,233,226,232,177,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,21,216,147,164,40,111,6,51,101,6,76,4,183,182,149,224,165,96,1,41,112,199,29,85,222,173,67,42,45,119,189,236,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,61,86,48,108,112,207,26,228,192,84,211,42,22,181,228,46,248,89,125,115,247,207,63,151,199,6,104,208,162,8,134,41,48,0,0,0,99,134,28,42,100,118,189,166,9,27,60,214,174,32,138,10,144,123,149,51,41,151,10,249,31,55,192,57,250,28,165,210,76,123,98,207,186,250,209,107,54,148,77,203,106,0,106,146,64,0,0,0,244,176,98,129,224,53,136,231,161,102,120,147,43,99,157,107,27,44,34,54,41,35,158,182,86,208,148,105,231,251,2,252,206,40,119,17,98,2,57,147,69,51,17,106,59,125,60,227,214,179,221,102,48,104,179,201,166,22,153,201,63,92,17,174), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- C:\Users\Admin\AppData\Local\Temp\AJProxy.exe
  "C:\Users\Admin\AppData\Local\Temp\AJProxy.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\AJProxy" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=892 --field-trial-handle=1900,i,6154344581152329210,16281266754128022186,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f48896adf9a23882050cdff97f610a7f

SHA1
4c5a610df62834d43f470cae7e851946530e3086

SHA256
3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

SHA512
16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1b0e3f53981de4024598d155ed522cad

SHA1
7ac4e8a1b4b89c455b90c887cd778b66b2ca818f

SHA256
049b105bc3c6af55d6310a5041a367a31cddeb6dbbc67bdccb275ca7d17c8411

SHA512
4f3a22482852a68d5aea984d9bac9fce6cc159b1b6a874e7a75c5b8415ec723c3da7503257bf7888af49d486afb032bb1e7c9337bed23d8a1f46e53d3ff3cb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\633e6e5c-4d0e-40cc-bd25-d401f0910dc1.tmp.node

Filesize
1.6MB

MD5
f6cb0913b4c0601a92466760ae36d476

SHA1
78a55617964aa1c4dd2fd6ae6edd0fb0bd0cb75a

SHA256
6518266e9b729b39fb132beb78eca28b25f1719e8f1be16e66936cad9a9c7884

SHA512
14772917b0a06220a0d66618445fb19296a9f4067518bcf64f39fce3db4e19eb1ac553519e861ae9689c2b8e4b0e066de5a0ea28809c2046a91348cd6121f6b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b157ef0-6ccc-4aac-8cd6-24ac5cd38db9.tmp.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxphx2v3.mrk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2396-58-0x0000027B7A3D0000-0x0000027B7A3D1000-memory.dmp

Filesize
4KB

Download
memory/2396-46-0x0000027B7A3D0000-0x0000027B7A3D1000-memory.dmp

Filesize
4KB

Download
memory/2396-47-0x0000027B7A3D0000-0x0000027B7A3D1000-memory.dmp

Filesize
4KB

Download
memory/2396-48-0x0000027B7A3D0000-0x0000027B7A3D1000-memory.dmp

Filesize
4KB

Download
memory/2396-52-0x0000027B7A3D0000-0x0000027B7A3D1000-memory.dmp

Filesize
4KB

Download
memory/2396-54-0x0000027B7A3D0000-0x0000027B7A3D1000-memory.dmp

Filesize
4KB

Download
memory/2396-57-0x0000027B7A3D0000-0x0000027B7A3D1000-memory.dmp

Filesize
4KB

Download
memory/2396-56-0x0000027B7A3D0000-0x0000027B7A3D1000-memory.dmp

Filesize
4KB

Download
memory/2396-55-0x0000027B7A3D0000-0x0000027B7A3D1000-memory.dmp

Filesize
4KB

Download
memory/2396-53-0x0000027B7A3D0000-0x0000027B7A3D1000-memory.dmp

Filesize
4KB

Download
memory/3868-25-0x0000028827B00000-0x0000028827B50000-memory.dmp

Filesize
320KB

Download
memory/3868-24-0x000002880F430000-0x000002880F452000-memory.dmp

Filesize
136KB

Download