c684df9ab4958fd7ffc618076d6351ed825aa7573c7ecbad1fed739db2d91714

Analysis

max time kernel
23s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
25/08/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IDM_6.4x_Crack_v19.7.exe
Size

59KB
MD5

27016937b5781c4f84b6b3432170f4d0
SHA1

bc812a8c4d44a3503ffd6a46e4fdab925c622344
SHA256

fc1a02b509b8f351ac45bd45efd4e7296b365545a48ffd6a14e8e07bc7189155
SHA512

24a726276cc53c5a0d075d1bf930e24b3a1891e0754b17c28a5a35b5677fd792d9adb55e5e0a7fe18f056febb8af4a49a5a0fac33389205d1f4dcc0060422be7
SSDEEP

1536:5ilGC+HMax3AZ5GiavgfreZCRIr71mazhAN5TAS:5igLV3SIareERU5mazh3S

Score

8^/10

discovery evasion execution

Malware Config

Signatures

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "0"	IDM_6.4x_Crack_v19.7.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	IDM_6.4x_Crack_v19.7.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	IDM_6.4x_Crack_v19.7.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe
4820	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM_6.4x_Crack_v19.7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Wow6432Node\CLSID\IAS_TEST	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\IAS_TEST\	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\IAS_TEST	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
4892	reg.exe
4508	reg.exe
5112	reg.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
920	IDM_6.4x_Crack_v19.7.exe
920	IDM_6.4x_Crack_v19.7.exe
920	IDM_6.4x_Crack_v19.7.exe
920	IDM_6.4x_Crack_v19.7.exe
920	IDM_6.4x_Crack_v19.7.exe
920	IDM_6.4x_Crack_v19.7.exe
2768	powershell.exe
2768	powershell.exe
2768	powershell.exe
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
2724	powershell.exe
2724	powershell.exe
2724	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 196	920	IDM_6.4x_Crack_v19.7.exe	73
PID 920 wrote to memory of 196	920	IDM_6.4x_Crack_v19.7.exe	73
PID 920 wrote to memory of 196	920	IDM_6.4x_Crack_v19.7.exe	73
PID 920 wrote to memory of 2784	920	IDM_6.4x_Crack_v19.7.exe	75
PID 920 wrote to memory of 2784	920	IDM_6.4x_Crack_v19.7.exe	75
PID 920 wrote to memory of 2784	920	IDM_6.4x_Crack_v19.7.exe	75
PID 2784 wrote to memory of 1652	2784	cmd.exe	77
PID 2784 wrote to memory of 1652	2784	cmd.exe	77
PID 2784 wrote to memory of 1652	2784	cmd.exe	77
PID 2784 wrote to memory of 1684	2784	cmd.exe	78
PID 2784 wrote to memory of 1684	2784	cmd.exe	78
PID 2784 wrote to memory of 608	2784	cmd.exe	79
PID 2784 wrote to memory of 608	2784	cmd.exe	79
PID 2784 wrote to memory of 3888	2784	cmd.exe	80
PID 2784 wrote to memory of 3888	2784	cmd.exe	80
PID 2784 wrote to memory of 3888	2784	cmd.exe	80
PID 3888 wrote to memory of 2152	3888	cmd.exe	81
PID 3888 wrote to memory of 2152	3888	cmd.exe	81
PID 3888 wrote to memory of 2152	3888	cmd.exe	81
PID 3888 wrote to memory of 1120	3888	cmd.exe	82
PID 3888 wrote to memory of 1120	3888	cmd.exe	82
PID 2784 wrote to memory of 2272	2784	cmd.exe	83
PID 2784 wrote to memory of 2272	2784	cmd.exe	83
PID 2784 wrote to memory of 2272	2784	cmd.exe	83
PID 2784 wrote to memory of 4396	2784	cmd.exe	84
PID 2784 wrote to memory of 4396	2784	cmd.exe	84
PID 2784 wrote to memory of 2768	2784	cmd.exe	85
PID 2784 wrote to memory of 2768	2784	cmd.exe	85
PID 2784 wrote to memory of 1556	2784	cmd.exe	86
PID 2784 wrote to memory of 1556	2784	cmd.exe	86
PID 2784 wrote to memory of 1136	2784	cmd.exe	87
PID 2784 wrote to memory of 1136	2784	cmd.exe	87
PID 2784 wrote to memory of 820	2784	cmd.exe	88
PID 2784 wrote to memory of 820	2784	cmd.exe	88
PID 2784 wrote to memory of 4732	2784	cmd.exe	90
PID 2784 wrote to memory of 4732	2784	cmd.exe	90
PID 2784 wrote to memory of 4732	2784	cmd.exe	90
PID 4732 wrote to memory of 2936	4732	cmd.exe	91
PID 4732 wrote to memory of 2936	4732	cmd.exe	91
PID 2784 wrote to memory of 4156	2784	cmd.exe	92
PID 2784 wrote to memory of 4156	2784	cmd.exe	92
PID 2784 wrote to memory of 700	2784	cmd.exe	93
PID 2784 wrote to memory of 700	2784	cmd.exe	93
PID 2784 wrote to memory of 700	2784	cmd.exe	93
PID 700 wrote to memory of 4204	700	cmd.exe	94
PID 700 wrote to memory of 4204	700	cmd.exe	94
PID 2784 wrote to memory of 1216	2784	cmd.exe	95
PID 2784 wrote to memory of 1216	2784	cmd.exe	95
PID 2784 wrote to memory of 4892	2784	cmd.exe	96
PID 2784 wrote to memory of 4892	2784	cmd.exe	96
PID 2784 wrote to memory of 4376	2784	cmd.exe	97
PID 2784 wrote to memory of 4376	2784	cmd.exe	97
PID 2784 wrote to memory of 4508	2784	cmd.exe	98
PID 2784 wrote to memory of 4508	2784	cmd.exe	98
PID 2784 wrote to memory of 2688	2784	cmd.exe	99
PID 2784 wrote to memory of 2688	2784	cmd.exe	99
PID 2784 wrote to memory of 5112	2784	cmd.exe	100
PID 2784 wrote to memory of 5112	2784	cmd.exe	100
PID 2784 wrote to memory of 4164	2784	cmd.exe	101
PID 2784 wrote to memory of 4164	2784	cmd.exe	101
PID 2784 wrote to memory of 2020	2784	cmd.exe	102
PID 2784 wrote to memory of 2020	2784	cmd.exe	102
PID 2784 wrote to memory of 2020	2784	cmd.exe	102
PID 2020 wrote to memory of 4908	2020	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\IDM_6.4x_Crack_v19.7.exe
"C:\Users\Admin\AppData\Local\Temp\IDM_6.4x_Crack_v19.7.exe"
1⤵
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\reg.exe
  reg.exe import C:\Users\Admin\AppData\Local\Temp\IDMRegClean.reg
  2⤵
  - System Location Discovery: System Language Discovery
  PID:196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c call "C:\Users\Admin\AppData\Local\Temp\BATCLEN.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1652
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Console" /v ForceV2
    3⤵
    PID:1684
- - C:\Windows\System32\find.exe
    find /i "0x0"
    3⤵
    PID:608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2152
  - - C:\Windows\System32\cmd.exe
      cmd
      4⤵
      PID:1120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\BATCLEN.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Windows\System32\find.exe
    find /i "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:4396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\BATCLEN.bat') -split ':PowerShellTest:\s*';iex ($f[1])"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\System32\find.exe
    find /i "FullLanguage"
    3⤵
    PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\System32\find.exe
    find /i "computersystem"
    3⤵
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2936
- - C:\Windows\System32\reg.exe
    reg query HKU\\Software
    3⤵
    PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4204
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-21-160447019-1232603106-4168707212-1000\Software
    3⤵
    PID:1216
- - C:\Windows\System32\reg.exe
    reg delete HKCU\IAS_TEST /f
    3⤵
    - Modifies registry key
    PID:4892
- - C:\Windows\System32\reg.exe
    reg delete HKU\S-1-5-21-160447019-1232603106-4168707212-1000\IAS_TEST /f
    3⤵
    PID:4376
- - C:\Windows\System32\reg.exe
    reg add HKCU\IAS_TEST
    3⤵
    - Modifies registry key
    PID:4508
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-21-160447019-1232603106-4168707212-1000\IAS_TEST
    3⤵
    PID:2688
- - C:\Windows\System32\reg.exe
    reg delete HKCU\IAS_TEST /f
    3⤵
    - Modifies registry key
    PID:5112
- - C:\Windows\System32\reg.exe
    reg delete HKU\S-1-5-21-160447019-1232603106-4168707212-1000\IAS_TEST /f
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\System32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
      4⤵
      PID:4908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-160447019-1232603106-4168707212-1000\Software\DownloadManager" /v ExePath 2>nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
  - - C:\Windows\System32\reg.exe
      reg query "HKU\S-1-5-21-160447019-1232603106-4168707212-1000\Software\DownloadManager" /v ExePath
      4⤵
      PID:1808
- - C:\Windows\System32\reg.exe
    reg add HKU\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
    3⤵
    - Modifies registry class
    PID:2632
- - C:\Windows\System32\reg.exe
    reg query HKU\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
    3⤵
    PID:2752
- - C:\Windows\System32\reg.exe
    reg delete HKU\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f
    3⤵
    - Modifies registry class
    PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2724
- - C:\Windows\System32\reg.exe
    reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240825-074650219.reg"
    3⤵
    PID:1404
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\DownloadManager" "/v" "Email"
    3⤵
    PID:868
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\DownloadManager" "/v" "Serial"
    3⤵
    PID:1412
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\DownloadManager" "/v" "scansk"
    3⤵
    PID:3700
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"
    3⤵
    PID:4608
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"
    3⤵
    PID:3668
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"
    3⤵
    PID:1424
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"
    3⤵
    PID:2284
- - C:\Windows\System32\reg.exe
    reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"
    3⤵
    PID:220
- - C:\Windows\System32\reg.exe
    reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"
    3⤵
    PID:1824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe "$sid = 'S-1-5-21-160447019-1232603106-4168707212-1000'; $HKCUsync = 1; $lockKey = $null; $deleteKey = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\BATCLEN.bat') -split ':regscan\:.*';iex ($f[1])"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- - C:\Windows\System32\chcp.com
    chcp 65001
    3⤵
    PID:820
- - C:\Windows\System32\reg.exe
    REG ADD "HKLM\Software\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
    3⤵
    PID:1504
- - C:\Windows\System32\reg.exe
    REG ADD "HKLM\Software\WOW6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
    3⤵
    PID:1460
- - C:\Windows\System32\reg.exe
    REG ADD "HKCU\Software\DownloadManager" /v "nLst" /t REG_DWORD /d "1" /f
    3⤵
    PID:1276
- - C:\Windows\System32\reg.exe
    REG ADD "HKCU\Software\DownloadManager" /v "LName" /t REG_SZ /d " " /f
    3⤵
    PID:4800
- - C:\Windows\System32\reg.exe
    REG ADD "HKCU\Software\DownloadManager" /v "FName" /t REG_SZ /d "Admin" /f
    3⤵
    PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
871a84394fd883fb845ae56a4b4d0220

SHA1
f13b3fc6c5490c6b30ad372b1c052e0e4758c537

SHA256
22204c9821ecd23e1b8533169a05a7b53366a4daf830b8ccbd09b1678411ee37

SHA512
f92b6417569993ead7248cbdb5495680899fe9da75b99b05ed89db7829b39cf4f5178d41d32cf31e1e4dffa0abfc4b94ac31ee9ea41c6c7b243518be6b65de27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
618f91f89e9d9306b265fcaeb94955f1

SHA1
f55c8ba2d1d1868e49413747550ce82427e57238

SHA256
53a1f1194ebafb8dfb814b6563aebf16f25c81967ab0213349357ab0ee61dc85

SHA512
8fb974e17609db89a76e3ea7f6078a0ca5df057278f76ec57e96f55de2da61f2c1a6ad45d6b2b9becb080ecaacd44d4fda40bc749665c9e3adeeca644a963202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f3ce3bc10761395d313472c7996b8135

SHA1
ab9ed929b85beaa3d2bf36e12645d8d10c90bdbc

SHA256
5678bf912088221375b19ba968e606bd1f56e447cfebe8597845f8d4b0e9997d

SHA512
2e3b8bd389e7ea98d9388d1d5d1d5ff01902b7cee8eee241be04186beb733f7547258c63f168859a42a1ba0b4502bbb97decf104326aac2acdd3caad4fab1dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
323970885b899426988fcb6106803567

SHA1
c9e1686d131fe4c1bc20a4eff8773f13645494aa

SHA256
ba1e31dfd52a64b2938fa8eeeb4b153ed8c01e3f7a06f04787aee4bbd9f52769

SHA512
ff41fb0b8a3f35bfe16f4f744166b2d8ae24d314be13757b668a521c7e29a8caa8f19e252023bfb9f31b1948e73160fcbe2a03e2078c66a65fe4eaba6839918b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00c3f55f08afc5cb19b7c8b086f7c996

SHA1
1d60b4a02af3e765ce8277d65be0759a34a33580

SHA256
ff550f6ba7051811f60cb6a089fa5ecedc218ce91744f74fbff52c77d9dfdffa

SHA512
277cf99206728f5df002d534e4e2d71bc77c08d17f846b84f93460032775ccfa9833a5fe894e56a1db9f7aa3849150a3cb6a4a57fde4f3200ed96a9468e72a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\BATCLEN.bat

Filesize
19KB

MD5
9fe22c4ad624881f8f0977cc7614346f

SHA1
9716758c55c57c354fd3e7ba14a40ae03d9db7d0

SHA256
12b47c1949cc555c2f68f9fd4677ed5266f25c4da4630bec36e303629b133225

SHA512
5e54cbdabf2c84a9df1128aade9a4743e8bf26140675a43f00255e45af28862660b2d45b7138fa2b7a80c8e409bdc5a13500068aa587440cb8fa7df65d171354

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDMRegClean.reg

Filesize
5KB

MD5
45dc895cb92093f466aca0e3fe5c09b7

SHA1
5d815d6dde9a40a822f6144c0f7e9f31f8c6936a

SHA256
4c0e2396b9fca1bbeb36e9ebb27f27e63cd2662abf8b18f042d872322e1363eb

SHA512
e5fb3d67149c373cbb6050d3b783fe521e22a518e2bac0450d8ca2d21d9fd7686d4da631be1ae0c448da000b07f0ce205508241639712e812768c2bcab7a0ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\REG9172.tmp

Filesize
28KB

MD5
4b2f1783857c8f6a168d3d2b77d9ce1f

SHA1
77c01ea32bce06224a9c4639fb384e19146d4496

SHA256
e17bd0e926d515f43ce15051ca5a5618690897bbabb7986998dfb704cb521b9e

SHA512
2be229ce18f8257dc00bfa6c5cfe50a94b1bc1edb5dbc58ee42b84cd602a6dae08aa8a9c065c03561642c0e8cb389de50fff0dbc948bacf3b60df71fe26edbaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q0z3dlzj.5xb.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/920-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/920-218-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/920-219-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/920-220-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/920-221-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2768-12-0x0000024CCAC60000-0x0000024CCACD6000-memory.dmp

Filesize
472KB

Download
memory/2768-9-0x0000024CCA990000-0x0000024CCA9B2000-memory.dmp

Filesize
136KB

Download