Resubmissions

06-09-2024 01:53

240906-cbf6bszgpa 7

06-09-2024 01:47

240906-b7snkazerh 7

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-09-2024 01:47

General

  • Target

    VantaFN.exe

  • Size

    154.6MB

  • MD5

    49e8b5caabe4a3476c08cf43cc5cf89c

  • SHA1

    bf39951f4c519465cf0f4bf2f5d91ae8776adf38

  • SHA256

    1685eced879c67bfe210f57a094dec5cc5f464c147ed81eb4d45cea36e11ecc5

  • SHA512

    0ae3227a57928959aa36aa53b578c9f8561b23d6e979be4a3980b0ea27adf954f06f1dbdf299fbf42cc30532839fba97ba59ba40f376f402a9aefd2bcd381631

  • SSDEEP

    1572864:ACquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:aDAgZi

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 2 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VantaFN.exe
    "C:\Users\Admin\AppData\Local\Temp\VantaFN.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "WMIC csproduct get UUID"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC csproduct get UUID
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:864
    • C:\Users\Admin\AppData\Local\Temp\VantaFN.exe
      "C:\Users\Admin\AppData\Local\Temp\VantaFN.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\VantaFN" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1916,i,13644574829489801655,3906554315047305999,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
        PID:4880
      • C:\Users\Admin\AppData\Local\Temp\VantaFN.exe
        "C:\Users\Admin\AppData\Local\Temp\VantaFN.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\VantaFN" --mojo-platform-channel-handle=2136 --field-trial-handle=1916,i,13644574829489801655,3906554315047305999,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
          PID:2092
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4872
          • C:\Windows\system32\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:3140
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "tasklist"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3092
          • C:\Windows\system32\tasklist.exe
            tasklist
            3⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1480
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,254,33,137,177,235,50,182,20,81,71,143,26,227,205,89,196,240,80,196,222,21,156,80,97,105,113,161,9,98,115,51,158,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,8,25,245,219,66,165,39,134,60,176,136,236,243,209,73,137,143,250,180,241,246,190,236,128,2,126,40,240,229,10,145,48,0,0,0,156,243,29,117,250,184,13,93,102,181,9,212,190,202,73,37,247,246,190,19,121,110,7,4,155,70,87,154,232,235,107,223,181,174,244,140,209,239,140,6,5,187,215,220,105,18,21,103,64,0,0,0,4,74,51,195,112,34,198,233,219,135,56,111,144,11,66,229,181,196,164,135,1,247,222,63,169,213,206,118,61,188,8,69,213,132,2,178,108,186,120,244,105,96,50,170,73,23,190,214,136,13,64,247,198,47,14,253,143,253,117,42,80,1,6,248), $null, 'CurrentUser')"
          2⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:1020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,254,33,137,177,235,50,182,20,81,71,143,26,227,205,89,196,240,80,196,222,21,156,80,97,105,113,161,9,98,115,51,158,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,43,8,25,245,219,66,165,39,134,60,176,136,236,243,209,73,137,143,250,180,241,246,190,236,128,2,126,40,240,229,10,145,48,0,0,0,156,243,29,117,250,184,13,93,102,181,9,212,190,202,73,37,247,246,190,19,121,110,7,4,155,70,87,154,232,235,107,223,181,174,244,140,209,239,140,6,5,187,215,220,105,18,21,103,64,0,0,0,4,74,51,195,112,34,198,233,219,135,56,111,144,11,66,229,181,196,164,135,1,247,222,63,169,213,206,118,61,188,8,69,213,132,2,178,108,186,120,244,105,96,50,170,73,23,190,214,136,13,64,247,198,47,14,253,143,253,117,42,80,1,6,248), $null, 'CurrentUser')
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3868
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,189,235,105,13,230,226,179,234,164,7,77,240,115,231,147,216,38,56,133,37,36,206,37,38,201,19,140,48,232,238,106,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,118,170,236,162,75,92,79,39,145,94,82,140,167,251,65,199,8,143,133,113,29,80,221,31,248,166,34,62,97,129,50,100,48,0,0,0,46,137,80,237,156,67,148,47,73,90,97,33,70,249,185,197,89,27,227,86,185,150,42,24,240,243,166,244,41,217,138,208,204,27,38,38,110,64,50,108,188,191,119,211,255,232,40,188,64,0,0,0,41,143,84,6,127,25,219,124,207,140,89,129,98,187,233,102,232,113,181,71,95,6,121,220,0,124,241,59,121,6,17,73,184,105,105,153,107,23,51,31,29,92,33,56,43,160,205,172,173,161,221,201,12,38,71,198,248,147,146,131,103,213,208,194), $null, 'CurrentUser')"
          2⤵
          • An obfuscated cmd.exe command-line is typically used to evade detection.
          • Suspicious use of WriteProcessMemory
          PID:4008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,57,87,11,87,254,65,110,77,188,204,169,16,188,62,171,189,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,189,235,105,13,230,226,179,234,164,7,77,240,115,231,147,216,38,56,133,37,36,206,37,38,201,19,140,48,232,238,106,184,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,118,170,236,162,75,92,79,39,145,94,82,140,167,251,65,199,8,143,133,113,29,80,221,31,248,166,34,62,97,129,50,100,48,0,0,0,46,137,80,237,156,67,148,47,73,90,97,33,70,249,185,197,89,27,227,86,185,150,42,24,240,243,166,244,41,217,138,208,204,27,38,38,110,64,50,108,188,191,119,211,255,232,40,188,64,0,0,0,41,143,84,6,127,25,219,124,207,140,89,129,98,187,233,102,232,113,181,71,95,6,121,220,0,124,241,59,121,6,17,73,184,105,105,153,107,23,51,31,29,92,33,56,43,160,205,172,173,161,221,201,12,38,71,198,248,147,146,131,103,213,208,194), $null, 'CurrentUser')
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4592
        • C:\Users\Admin\AppData\Local\Temp\VantaFN.exe
          "C:\Users\Admin\AppData\Local\Temp\VantaFN.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\VantaFN" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1916,i,13644574829489801655,3906554315047305999,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3228
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4528
        • C:\Windows\regedit.exe
          "C:\Windows\regedit.exe"
          1⤵
          • Event Triggered Execution: Netsh Helper DLL
          • Runs regedit.exe
          • Suspicious behavior: GetForegroundWindowSpam
          PID:4984
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault6c89a026h036eh40d9h9f18hebd61f6172f6
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:968
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8dbdc46f8,0x7ff8dbdc4708,0x7ff8dbdc4718
            2⤵
              PID:3892
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,5751500446508745994,17278979882384989456,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
              2⤵
                PID:2072
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,5751500446508745994,17278979882384989456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3160
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,5751500446508745994,17278979882384989456,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1964 /prefetch:8
                2⤵
                  PID:4984
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:4980
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:4112
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
                    1⤵
                      PID:2512

Network

MITRE ATT&CK Enterprise v15

Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                      Filesize

                      3KB

                      MD5

                      f48896adf9a23882050cdff97f610a7f

                      SHA1

                      4c5a610df62834d43f470cae7e851946530e3086

                      SHA256

                      3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

                      SHA512

                      16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                      Filesize

                      152B

                      MD5

                      4dd2754d1bea40445984d65abee82b21

                      SHA1

                      4b6a5658bae9a784a370a115fbb4a12e92bd3390

                      SHA256

                      183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

                      SHA512

                      92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                      Filesize

                      5KB

                      MD5

                      4389779cc61ceefa7413b2301f610c6c

                      SHA1

                      85d9538fbb22d115ddffb94f88bcdaeae705790a

                      SHA256

                      1d0cbf5337463bf7bef1ceb2ef0e3024291ff206748820097ccf7d2a2936f210

                      SHA512

                      73d86a4fd94717584d03eebf97cd6d2d24f243053c73cbb51a8429f888e1f99fa8fa09c921c407a700af3d72a8e4767a717e5aaacc6471278529e7d19dad7e5f

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                      Filesize

                      8KB

                      MD5

                      661c84dd24aeb35dc6eb11621ba93137

                      SHA1

                      7ad8104fbaf86f78c23c13efcfbca15703b0fd08

                      SHA256

                      2e9e9aa27851906767112ccfbb559b995a2314b75d8ab1758b378c1e8107dfb0

                      SHA512

                      1dc39c71579c8cfc5b88950a45e130ed7cec20753022e572363a0fcd20cc404f54564ef83a13cd631b23f774e7503b08bd1f4d05f561dee1ce8d8ade74d76465

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                      Filesize

                      1KB

                      MD5

                      46d6c89b6a449ce91c1a3691c516e10e

                      SHA1

                      dedf2c05d83a8fc311e39fa86af575866f9f7ece

                      SHA256

                      f6841440d2949cf97fb621923a2f931fca567382856cb60fa4c8ce3f9b81e55f

                      SHA512

                      bd222cc430c28abe832787973ed2a7a07d58d92f34eed1ebfe69fc4cd8ed59443ed93799979fd39d1b76ef6ff247f3ceb12b3c537de09ffba72ebec748f3e1cd

                    • C:\Users\Admin\AppData\Local\Temp\344b74f1-9eb9-45a3-a8e1-deeab01a33b2.tmp.node

                      Filesize

                      137KB

                      MD5

                      04bfbfec8db966420fe4c7b85ebb506a

                      SHA1

                      939bb742a354a92e1dcd3661a62d69e48030a335

                      SHA256

                      da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

                      SHA512

                      4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

                    • C:\Users\Admin\AppData\Local\Temp\48e5802b-fa72-410a-9fae-f1a223ffb0b5.tmp.node

                      Filesize

                      1.6MB

                      MD5

                      20de786f34496656726c9807e5ebfe01

                      SHA1

                      c29529551fd4059cd0360796dfdc6a2be070fedf

                      SHA256

                      dc26c7107eb629e709d697e68efc716a615f6f183fd8b138cd66cb043797f64e

                      SHA512

                      676575ef15102e048c01c625d0de20cc5fd61eee60d541c4ab29b111d7adc4eadad41e50c5f43fdedba1d0e6a768f0a5bcb894513908351de0e3f6699f9a2259

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bvg0ko4u.k0d.ps1

                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
