agenttesla | 619dc41d3f7ae8bb6d21d7b74f546848368a9b21daffd22464a48c3e887a560e

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inquiry#22056.vbe
Size

13KB
MD5

6560447c600eed33cb28e9d21f1c9c14
SHA1

b1b1a13aa8034140493c6fe64b4961747e02daa5
SHA256

619dc41d3f7ae8bb6d21d7b74f546848368a9b21daffd22464a48c3e887a560e
SHA512

4e690493807437b8d0cfe7c6e216108492e50d9b96c867d540b30fad0446809db3f503e9388312b8ab1147f2e6bd713fd29630ba6963cd891e34ed2a96fdd1f7
SSDEEP

192:bPJ5uz3LBGJzp5PGTzASKFCM1w938tB4E6rAYxNvbEWJ/G4ciT5e/r18vDmFTHyK:DODcTxYzAf80edtP/jZFer18ATX

Score

10^/10

agenttesla remcos keylogger rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2388	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 1048	1984	powershell.exe	99
PID 4944 set thread context of 4268	4944	powershell.exe	112
PID 2080 set thread context of 2516	2080	powershell.exe	117
PID 2008 set thread context of 4428	2008	powershell.exe	123

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3832	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1984	powershell.exe
1984	powershell.exe
1984	powershell.exe
4944	powershell.exe
4944	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4944	powershell.exe
4944	powershell.exe
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe
2008	powershell.exe
2008	powershell.exe
2772	powershell.exe
2772	powershell.exe
2008	powershell.exe
464	powershell.exe
464	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE
3832	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 1984	3824	WScript.exe	96
PID 3824 wrote to memory of 1984	3824	WScript.exe	96
PID 1984 wrote to memory of 1048	1984	powershell.exe	99
PID 1984 wrote to memory of 1048	1984	powershell.exe	99
PID 1984 wrote to memory of 1048	1984	powershell.exe	99
PID 1984 wrote to memory of 1048	1984	powershell.exe	99
PID 1984 wrote to memory of 1048	1984	powershell.exe	99
PID 1984 wrote to memory of 1048	1984	powershell.exe	99
PID 1984 wrote to memory of 1048	1984	powershell.exe	99
PID 1984 wrote to memory of 1048	1984	powershell.exe	99
PID 1984 wrote to memory of 1048	1984	powershell.exe	99
PID 1984 wrote to memory of 4152	1984	powershell.exe	100
PID 1984 wrote to memory of 4152	1984	powershell.exe	100
PID 3824 wrote to memory of 4944	3824	WScript.exe	103
PID 3824 wrote to memory of 4944	3824	WScript.exe	103
PID 3824 wrote to memory of 4572	3824	WScript.exe	110
PID 3824 wrote to memory of 4572	3824	WScript.exe	110
PID 4944 wrote to memory of 4268	4944	powershell.exe	112
PID 4944 wrote to memory of 4268	4944	powershell.exe	112
PID 4944 wrote to memory of 4268	4944	powershell.exe	112
PID 4944 wrote to memory of 4268	4944	powershell.exe	112
PID 4944 wrote to memory of 4268	4944	powershell.exe	112
PID 4944 wrote to memory of 4268	4944	powershell.exe	112
PID 4944 wrote to memory of 4268	4944	powershell.exe	112
PID 4944 wrote to memory of 4268	4944	powershell.exe	112
PID 4944 wrote to memory of 4268	4944	powershell.exe	112
PID 4572 wrote to memory of 1984	4572	powershell.exe	113
PID 4572 wrote to memory of 1984	4572	powershell.exe	113
PID 4944 wrote to memory of 1048	4944	powershell.exe	114
PID 4944 wrote to memory of 1048	4944	powershell.exe	114
PID 3824 wrote to memory of 2080	3824	WScript.exe	115
PID 3824 wrote to memory of 2080	3824	WScript.exe	115
PID 2080 wrote to memory of 2516	2080	powershell.exe	117
PID 2080 wrote to memory of 2516	2080	powershell.exe	117
PID 2080 wrote to memory of 2516	2080	powershell.exe	117
PID 2080 wrote to memory of 2516	2080	powershell.exe	117
PID 2080 wrote to memory of 2516	2080	powershell.exe	117
PID 2080 wrote to memory of 2516	2080	powershell.exe	117
PID 2080 wrote to memory of 2516	2080	powershell.exe	117
PID 2080 wrote to memory of 2516	2080	powershell.exe	117
PID 2080 wrote to memory of 2516	2080	powershell.exe	117
PID 2080 wrote to memory of 5116	2080	powershell.exe	118
PID 2080 wrote to memory of 5116	2080	powershell.exe	118
PID 3824 wrote to memory of 2008	3824	WScript.exe	119
PID 3824 wrote to memory of 2008	3824	WScript.exe	119
PID 3824 wrote to memory of 2772	3824	WScript.exe	121
PID 3824 wrote to memory of 2772	3824	WScript.exe	121
PID 2008 wrote to memory of 4428	2008	powershell.exe	123
PID 2008 wrote to memory of 4428	2008	powershell.exe	123
PID 2008 wrote to memory of 4428	2008	powershell.exe	123
PID 2008 wrote to memory of 4428	2008	powershell.exe	123
PID 2008 wrote to memory of 4428	2008	powershell.exe	123
PID 2008 wrote to memory of 4428	2008	powershell.exe	123
PID 2008 wrote to memory of 4428	2008	powershell.exe	123
PID 2008 wrote to memory of 4428	2008	powershell.exe	123
PID 2008 wrote to memory of 4428	2008	powershell.exe	123
PID 2008 wrote to memory of 2032	2008	powershell.exe	124
PID 2008 wrote to memory of 2032	2008	powershell.exe	124
PID 2772 wrote to memory of 4820	2772	powershell.exe	125
PID 2772 wrote to memory of 4820	2772	powershell.exe	125
PID 3824 wrote to memory of 464	3824	WScript.exe	126
PID 3824 wrote to memory of 464	3824	WScript.exe	126
PID 3824 wrote to memory of 2524	3824	WScript.exe	128
PID 3824 wrote to memory of 2524	3824	WScript.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\inquiry#22056.vbe"
1⤵
- Blocklisted process makes network request
PID:2388

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\tLwvFKmIIPNFRAC.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:1048
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1984" "2768" "2700" "2772" "0" "0" "2776" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4152
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4268
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4944" "2740" "2664" "2744" "0" "0" "2748" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1048
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4572" "2704" "2632" "2708" "0" "0" "2712" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1984
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2516
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2080" "2756" "2648" "2760" "0" "0" "2764" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5116
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:4428
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2008" "2720" "2664" "2724" "0" "0" "2728" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2032
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2772" "2684" "2616" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4820
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  PID:2524

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SearchDebug.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5829.tmp.xml

Filesize
4KB

MD5
bba8585ce08e980d2a567324a8211b72

SHA1
c4fc319889ce9a9ad61a2a65b979c2e299dfdea2

SHA256
5caef40a666e0677a76cbe9c7827df9e90f609473da3657cf9907b35242ee331

SHA512
995d944e15998fccc921a439df43d1e4a24857116681c26b010e0996f7ad66705ca0b9aeb026b0ab1164a4622a46066fc52cf241533284bd65510ad2c269cb65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
9461a7cfb20ff5381df28f51b80c5ef1

SHA1
c86c53fca1dcbe307dafbefbb366abf52c9f5eca

SHA256
d4af1948337d0deb725f4f2b1fe1a9b60f4519841e28748b11bfd62ccd71e028

SHA512
da1e17f67dfebb004ba93d489be504fd7af6d62709ada2581ffa77880baecdaa0015b49d36333d18216d9dc6aad7b0ea2e5bd224d8d3f65ee9b66a05fc45e304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
959a571947226e2e22b8c2029697c7e9

SHA1
3c12de6f2cac69782d993200c745d02cc97ab932

SHA256
59e7734f92b996ac6a221bdc7f21ea9275e5e94533ba4f49a27fc670a39b7cee

SHA512
0f3c8a8a8c0ac648c7e3e4944108c9f40ce322ba58484b641e167a1b9deb310fc33401ac58bb5342f53d5052d3f47e493811b2d005eda07b13c339cbd8090537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
885c9f006c9498e11232138320324c19

SHA1
6a9f8dcea32ff31f222277e214e5398eb0915a7f

SHA256
63a42c38ed40da1e48353ab77ba7dd2fdb05a8a506ca1f8b211cff6bb68b41b8

SHA512
1344683d8d82fdc27f348d9bdb44a5d81a9a5ea2efa52be1e06ee49aeb94732850faa783f652c39d48850b342d010c0cb015255f1fa248949518e6a135216a35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
a87a534a50de44e1dbf3a7b00bfee30b

SHA1
3fd86c28a908c19494dcbb02e96419172e1a3958

SHA256
4f6fc21e7f914d53a86c9cc84abe5caae3d9c352f77dba6366ba6b52b035cb2d

SHA512
7a1cc6a01485f769e6e456e6141927f255ff14f371be06fc9fba6af06544f790dbd441b106608757b770a94f164dd86366af31b2899f9246f066bc8308d8be75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
984B

MD5
aea5ce2bdbb4c87d9596530f28a454da

SHA1
ad21a08a19fed1a19568dfe27b7d7311f7fb846f

SHA256
8c7088f042536c64f8bf7bf150f1f14da5184131cb095b9e34734eb7f7710a79

SHA512
396ba4b0a5d87035e2dec28633cbf9402597adb0215ca5ee5a0c060779fd031c9861c2fb06e5908e6748f20ae7d60615f42d0679eea42f23409a9a65e7c8c4d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
39cd25e866f4438a8375b0b83d9530ab

SHA1
901746206dadfcf3e8715ff077e190150cc9fa1b

SHA256
ac9b99a543950cbaf9f179cd7b0a70806f75008e30f1d5479cb4730dadd82bb3

SHA512
ab71f868bf38035bdc2d94fd08db8120fd3e80edf0713051eb8520a82332da61cd2332cefd612fff7b09799d033de4c2866fc5c85c3258ce367e830b0e3d23ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
0fa890bcc24627b309591f8d2a692028

SHA1
edba7cfb6fee6860c862d4b384a03cdebe535ee4

SHA256
48b7a3f9b77f9ca8c6e20c9a35dfc8068ad8006f43e6e94c2c46fdb9c35c15c5

SHA512
a34380e2422782a3bab9842424dc41005e4878f735b2aa5d9aa80cbb1a6d4901c50f4022a70fe5232e5e6e9c35f11d6df62908a1b2d1e6a9aa531510430260ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxexv2rr.5lb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
292B

MD5
c335e7fbe33a91e3c78c89307dd10ba3

SHA1
f6016f144d5f602748ec8b8df51bb88e1f1c42a0

SHA256
c61fa3de3a62800572310079a0a2d7a3501b748bcd83fcbb29474b07762867f1

SHA512
febb675403217e9da1c6cdf63cbddea644c40cf1fbe6d78fe21002ac865fa1e229aebdc999ae28e53a07e8e0f3b62de248a0e1920a570178cc653424719d08af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
504B

MD5
bee9ca255a020c87ea55c79078b3e79a

SHA1
99b362de0533321ec87771cc7ecea4a0791ee82c

SHA256
910d4cd031b8c39580108b632ac823304d0aa5e0e5009d8f093fcd8560206331

SHA512
470e87f2f61639e25b2d35502d73806979784bc87fd8e5b915cf71b4a0aee6d550af17b56e3609f6a166c1009f66ad500cb1020463636a0f2cc900c65990d6ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
756B

MD5
b2c256b64a53b26bd5066f7118310a81

SHA1
5a3289d6096a130446e78f213af001b31d68138c

SHA256
8a90cc8a866f86d6fd2812c4ea7f84a18a3ddb40bc2d252c8a1023ffd58e1b59

SHA512
3a4d011e6cb94a622758211306ff6752f638c3decb40cdb3ac2f8b03a50c7bcb6443512c4e19a4b2c254e0a5b2c928249ed91cbb559505d4805cc89e90aa01a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
1008B

MD5
7452079b7591f2cff6e7e8b78c357b07

SHA1
55694e8b86735ac53a462da10830d6babd1f36b0

SHA256
b7e5b0b46b3afef9e8e8908cee2402f5881d52ae12a84e512d146e9d7a268ed2

SHA512
0228feb7c26b1e1b504737e066584612dd56af6daf8c4003d300ec0fa0245fa03c9631e90423185d339a67790dec348647e0c51e02329ae74e6e881e3dd1a24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
252B

MD5
4fbd29a6d1e6dae0a883e3ecc3d15982

SHA1
bfbd9e3c9290da5f97367442750746d86c66d022

SHA256
c11d663a3ca71d671406fa98982d869003cbea697b31d2f9be3c5e1db194da8d

SHA512
4576ba3a19a1e5e01a5db9e58ee0631a4b0b14c6e5d178cbd88ff515fddfb49683cca11132694c50accb6db534f3ffc9e650e067ec501c9f796538a4f8a02e8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
1af88ee436af8faec5f4f16e47e49ef8

SHA1
ec848d2f9aa9232bc3ba6f2738b36022593a811a

SHA256
7f2ea69e86ba534ceb295d9b66f3fa79f71c3f08df10f681c0af6afe6460bdf1

SHA512
f4b8231e18c3c78030aae3407a792d4b17fdaab69fd8bd233dcfa4e01b66fa7a1bc7e8446baa9761b6670c98d56dbebcd67eb455ebd73e2cbbc9a3d460f38a00

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2d53fb08420ccd06fa3d51589ba229e0

SHA1
c90bfef33ba560e42c91d7d22e3f66a236a2a702

SHA256
5fc175edd0aeace9a7b264cbf6a132e63efe2c01917a03af0ed96587ba686181

SHA512
1917fbf59ac7b563579fdc162eea5d9bbf7181b40bd0fe117fe36c2300ec7f21d4637632d3c74b16360a0fb0b17201057c689e4f6263e361d4ee094e8428fbe7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
119f97fa189440400ba0dd847134cf1d

SHA1
695268f4d7e0090c8b37920ee281b7ddc7c38ca7

SHA256
a3e3194f39977b350a4206f34bc628d02bbb52004eaf1a9124f35cd144777bd4

SHA512
ed01166019134ade0c75def77c610dde954b80ff43c54786563afe2d65c2b698c842a8c5d5321d46d93697ad0a2b20d1d5e09ac34c47cd475b7fe38732f81002

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c05d5eddd478c6aa893695d7936a72e8

SHA1
0b4f10ef21d38029a4aa63c197e272589042cfa1

SHA256
0a480656a797b9d96ed1c4b3e58be7252d41a4ada58cf8c941e2da8ba05a7940

SHA512
9122f3862eaa0b5365bf26b52e3293a1c21df6e954ece059c484061bd972f8f2189c67609eeadf508db0b99b317d786808b4be81b37c4d2dc7775b789fb14866

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
8ef084925f603ed659a46bac9bab626b

SHA1
73c7044d7118ed6d764f68f683ae3e2b350a6c6c

SHA256
7ea7e10359507083123f3bf4e5ffcdd233dd02c5c07a54fb8a8c2c84bb834a27

SHA512
c5169f32850f43e2e5c41e269b04ebae281575ff693226c48403cae956baf1e46451dfc7ae0bc42aec0d62ef50b408b1e6b78f8bd19303b87a3f54e5d8f185da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6cc4b7302be25a401f4a84cb4b0493e7

SHA1
6433fc449d11fd606ec5ef3436cfeb01730255fd

SHA256
f0f1ba51428051dcd44809c715ed2c039040707294229aec7392c5b02a545fa8

SHA512
4d248792cee388b25833dbe0dcf00d966fa28a7b336636f578b3d075beaa019c34e4f1066afb91bb5576e364e78125f3a013a70085690f5513b9f2db0e16c3ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
191e9373dc84e37b05d46d9bb5d5dc9e

SHA1
d61d57475857143b3515324ffd0642b3fa9d6009

SHA256
8d2e43a23234c42d8ba4727f6b0ddb1d788d4791f7605e2d2ad798aed50798e1

SHA512
88cfb5ef13c09fe54e7f33c8ff7f644e7c268b92b919f72f61530889815e7f8516993db9d16b0c0045898c08b63ad99f20270969ad54ae7a61a5d1c1fba4fe4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
f9a55ab191fa38fe44677df9d15d4572

SHA1
21d49e20f02bf714378f2fc8fdee7084c9d70cab

SHA256
75a0238d1d43d69c1203b64014ca2cf1f2f9099aa76a08ead45bffbe02ab0323

SHA512
a36c576dfc855e81310fd615608b9952e36acfe67773119f0b34d1054e5e8107f987191772293767f1857c1f949eefaced489be93af492cac88ffa1d089f308a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
f1e3d6c39ab31983e9854fff64054544

SHA1
bfdc5519e0fde5489fdec536c8f5a64c1d30de55

SHA256
1288b9fb5f263b644017fcf7334bb4b0e96e9605bda1aff2b5a81f3127ed49a7

SHA512
21fe56105c0d116c1caecb88d5d8f27458f7e07a3d4e1f440702d53187060347edc7d9c8336e890dfc624fbcbdc5bb42838eb313db1939a05b7f19e4a62551b0

Download Submit
C:\Users\Admin\AppData\Roaming\tLwvFKmIIPNFRAC.vbs

Filesize
2KB

MD5
19d4f90212545936f6b7641d8dca2e18

SHA1
e7f0542b075cc8370b75e5a6f2aca520aa5e74cb

SHA256
554cf2184fad906301ffc74c13c1f96fa6cf90223b091d817b7c2b0c5b2765a4

SHA512
35b23382effa75a4b451815654182f657818656ba639883d4450415cb1b3609b5339e813ee868ea239af0e7aca0b921f211fc232bf053654838814bbdfa20dc4

Download Submit
memory/1048-19-0x0000000000D20000-0x0000000000DD5000-memory.dmp

Filesize
724KB

Download
memory/1984-13-0x00000138F4CB0000-0x00000138F4CD2000-memory.dmp

Filesize
136KB

Download
memory/1984-14-0x00000138F5070000-0x00000138F50B4000-memory.dmp

Filesize
272KB

Download
memory/1984-15-0x00000138F5140000-0x00000138F51B6000-memory.dmp

Filesize
472KB

Download
memory/1984-17-0x00000138F2500000-0x00000138F2508000-memory.dmp

Filesize
32KB

Download
memory/1984-18-0x00000138F2510000-0x00000138F251A000-memory.dmp

Filesize
40KB

Download
memory/3832-50-0x00007FFDE4850000-0x00007FFDE4860000-memory.dmp

Filesize
64KB

Download
memory/3832-46-0x00007FFDE4850000-0x00007FFDE4860000-memory.dmp

Filesize
64KB

Download
memory/3832-48-0x00007FFDE4850000-0x00007FFDE4860000-memory.dmp

Filesize
64KB

Download
memory/3832-47-0x00007FFDE4850000-0x00007FFDE4860000-memory.dmp

Filesize
64KB

Download
memory/3832-49-0x00007FFDE4850000-0x00007FFDE4860000-memory.dmp

Filesize
64KB

Download
memory/3832-51-0x00007FFDE25F0000-0x00007FFDE2600000-memory.dmp

Filesize
64KB

Download
memory/3832-52-0x00007FFDE25F0000-0x00007FFDE2600000-memory.dmp

Filesize
64KB

Download