27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Size

1.9MB
MD5

00db28e5a7412cf4a6f87f8589244cd1
SHA1

49a8344dac9b27ebe4962f4fce5c7e2ef9c023f7
SHA256

27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c
SHA512

3c860c48ae7f37b023299455830310390c14ad69fa1e241e9f94041b9797ca415841c4b541b105b6ac84327015a97b1664aa098d3f2f4d918341e2dca65d60ba
SSDEEP

24576:mX7tyazXp4qrSJZHJTEyMkbjla5TA3fmpKuUJBU8uQgyfg29H4EG7FhfESrpBrmi:mqR1a5T+fvmr0p4BDfzjmIADb

Score

10^/10

credential_access execution persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\dllhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sysmon.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\dllhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sysmon.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe\", \"C:\\Users\\Admin\\sysmon.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\dllhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sysmon.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe\", \"C:\\Users\\Admin\\sysmon.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\dllhost.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\dllhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\TextInputHost.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\dllhost.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\en-US\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sysmon.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4960	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4960	schtasks.exe	82

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3156	powershell.exe
3644	powershell.exe
3964	powershell.exe
1052	powershell.exe
4088	powershell.exe
4144	powershell.exe
4944	powershell.exe
4964	powershell.exe
2752	powershell.exe
3956	powershell.exe
1228	powershell.exe
4504	powershell.exe
1620	powershell.exe
4376	powershell.exe
5076	powershell.exe
2508	powershell.exe
4492	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe

Executes dropped EXE 1 IoCs

pid	Process
1960	dllhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Admin\\sysmon.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\twain_32\\dllhost.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\TextInputHost.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Windows Multimedia Platform\\sysmon.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Admin\\sysmon.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\twain_32\\dllhost.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows NT\\Accessories\\en-US\\TextInputHost.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Windows Multimedia Platform\\sysmon.exe\""	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB6D65DAA60CC46CFA3DA2AC9DFA37C5F.TMP	csc.exe
File created	\??\c:\Windows\System32\gvmh1g.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\121e5b5079f7c0	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\22eafd247d37c3	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\e183991c84e437	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
File created	C:\Program Files\Windows Multimedia Platform\sysmon.exe	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\dllhost.exe	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
File created	C:\Windows\twain_32\5940a34987c991	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4016	schtasks.exe
2092	schtasks.exe
5044	schtasks.exe
4524	schtasks.exe
3464	schtasks.exe
1904	schtasks.exe
4008	schtasks.exe
3040	schtasks.exe
4852	schtasks.exe
4848	schtasks.exe
1612	schtasks.exe
1272	schtasks.exe
3164	schtasks.exe
560	schtasks.exe
2920	schtasks.exe
4160	schtasks.exe
1960	schtasks.exe
4400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	1960	dllhost.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3488	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	86
PID 5060 wrote to memory of 3488	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	86
PID 3488 wrote to memory of 220	3488	csc.exe	88
PID 3488 wrote to memory of 220	3488	csc.exe	88
PID 5060 wrote to memory of 5076	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	104
PID 5060 wrote to memory of 5076	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	104
PID 5060 wrote to memory of 1052	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	105
PID 5060 wrote to memory of 1052	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	105
PID 5060 wrote to memory of 4376	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	106
PID 5060 wrote to memory of 4376	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	106
PID 5060 wrote to memory of 4964	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	109
PID 5060 wrote to memory of 4964	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	109
PID 5060 wrote to memory of 1620	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	110
PID 5060 wrote to memory of 1620	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	110
PID 5060 wrote to memory of 3644	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	111
PID 5060 wrote to memory of 3644	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	111
PID 5060 wrote to memory of 4944	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	112
PID 5060 wrote to memory of 4944	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	112
PID 5060 wrote to memory of 4144	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	113
PID 5060 wrote to memory of 4144	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	113
PID 5060 wrote to memory of 3964	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	114
PID 5060 wrote to memory of 3964	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	114
PID 5060 wrote to memory of 4088	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	115
PID 5060 wrote to memory of 4088	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	115
PID 5060 wrote to memory of 3956	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	116
PID 5060 wrote to memory of 3956	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	116
PID 5060 wrote to memory of 4504	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	117
PID 5060 wrote to memory of 4504	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	117
PID 5060 wrote to memory of 2752	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	118
PID 5060 wrote to memory of 2752	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	118
PID 5060 wrote to memory of 1228	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	119
PID 5060 wrote to memory of 1228	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	119
PID 5060 wrote to memory of 3156	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	120
PID 5060 wrote to memory of 3156	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	120
PID 5060 wrote to memory of 4492	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	121
PID 5060 wrote to memory of 4492	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	121
PID 5060 wrote to memory of 2508	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	122
PID 5060 wrote to memory of 2508	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	122
PID 5060 wrote to memory of 1796	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	138
PID 5060 wrote to memory of 1796	5060	27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe	138
PID 1796 wrote to memory of 4016	1796	cmd.exe	140
PID 1796 wrote to memory of 4016	1796	cmd.exe	140
PID 1796 wrote to memory of 980	1796	cmd.exe	141
PID 1796 wrote to memory of 980	1796	cmd.exe	141
PID 1796 wrote to memory of 1960	1796	cmd.exe	145
PID 1796 wrote to memory of 1960	1796	cmd.exe	145

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe
"C:\Users\Admin\AppData\Local\Temp\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2sg1spmz\2sg1spmz.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD09.tmp" "c:\Windows\System32\CSCB6D65DAA60CC46CFA3DA2AC9DFA37C5F.TMP"
    3⤵
    PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tQoTsKBbRY.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4016
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:980
- - C:\Windows\twain_32\dllhost.exe
    "C:\Windows\twain_32\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c2" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c2" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c2" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c2" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a64a77a242e41a2ca97992e6dea4207e

SHA1
bdf234b92cc3ba51c0c02806f2f58dc43f86742c

SHA256
785c38e9090d2e12acce5763705104f80bf5e5be8a516e1b24989e7c2d3af281

SHA512
c2b31fe0f4f9f4cebd48be375c4dc360aeb34f90fec0761503c1fe7d842ec94b3270e5364a54a9037141c59bce9bc5f4e336df609176a337fae893fb1e83767a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
291B

MD5
be5718946411eae81660b8d9e5cf53b5

SHA1
564d1f6171b20cda214f7d77ae298cff12686079

SHA256
745bf0fd9880fb6632f4889dbc0810f6ea336e6fc7a67608e7490ebf20a25ef5

SHA512
2ce39013854485554a3b4fb49640fdfc364c709489c2f56c2720f388e549f88983811cb833f2d9aae2f801caa392af9ef1fb17f2875c9dbd55a7934971736820

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAD09.tmp

Filesize
1KB

MD5
9c638f642adab8d111a91011e8cf2ae4

SHA1
2fadc476162101bf876c2a055f91f3c1c1b67104

SHA256
c9b3e4962fe2cfd6821070ab820bd929cc1c1b94ff0362f450f2d27c2cec7950

SHA512
7cc6e0f3fc49a795cfbbdb7f086da5fe7b38338d9947f2f1459b8b24027bfe502116d7172efb372bc6b142ac13822d3ad39ffa9430bf2aa2f3754321e7554e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a2fxysyw.4du.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tQoTsKBbRY.bat

Filesize
207B

MD5
575b1757d5bc13135b23b1a682de7dfd

SHA1
d4b048b978e0cf487f72f873a636b424efd1f80f

SHA256
361ee6db240d9bec7c2e28b2f8e2dd77258b302509371a9896b9567293cc069e

SHA512
fc984979f686de21677ebe6dcf1814e65d17eda58f3b37764174872daaf5b3ed6320f612438372449bbdbf556a0cf06f46db0bfe81e1bae08e5d5f9648047c4a

Download Submit
C:\Windows\twain_32\dllhost.exe

Filesize
1.9MB

MD5
00db28e5a7412cf4a6f87f8589244cd1

SHA1
49a8344dac9b27ebe4962f4fce5c7e2ef9c023f7

SHA256
27c0d07c25ec07af447a4b9b785261e448f73267d9ae9bad231b7273029ee84c

SHA512
3c860c48ae7f37b023299455830310390c14ad69fa1e241e9f94041b9797ca415841c4b541b105b6ac84327015a97b1664aa098d3f2f4d918341e2dca65d60ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2sg1spmz\2sg1spmz.0.cs

Filesize
363B

MD5
424c6c09d5542ee5f8e1fe1441e187c2

SHA1
f2c71bf56eb0fcbbf362ee031c1962b326e94761

SHA256
509385a5b3a7b83b1a5dc786bcd5d08bbd11ab9a3ff9e09e6c102dc9d2ebd017

SHA512
1a5ba70f272892de84abe53e9d41fe22bb56c65d90045f1e0ae555447764b8275e532f921f5d5ea12d036c43688a3dbfdf8d7edf5fd8ef26bbfaad5f004d639e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2sg1spmz\2sg1spmz.cmdline

Filesize
235B

MD5
5702517d36e0e5b5201bc1cb9afe5331

SHA1
d9a76edce71bbef71d4262d791a33caec95b2949

SHA256
4fbc84b0eeed1b2b4b050d0b7337ad7208e83c32eef48749d7a8d4433e93b6c1

SHA512
b733f9030b9ec9ffb85f9c0c90ff91209e42e97a730637e1b3f2a76959dbf6afe6052ea80762959a4914a151e8187ae86d88c81c5e25a94d62f522363dab0058

Download Submit
\??\c:\Windows\System32\CSCB6D65DAA60CC46CFA3DA2AC9DFA37C5F.TMP

Filesize
1KB

MD5
0f37e03cd32ff163eb3c300b5d572049

SHA1
e3f2b27901d597e93d54a501a5177f0a4c7c79e8

SHA256
7f334ea7247b02eaa85b4ab1e9ce73fa4dc153c0c58ad370a76613d086d979d9

SHA512
f24a0555965787dccb418350e1281af4181ea3c698375c0ce9c741cc0cdd4281f24c959cae526a44889f3186305a3f35fc0cb9895cc41715c14f528358a71bd1

Download Submit
memory/5060-36-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-55-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-26-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-0-0x00007FF8FA4A3000-0x00007FF8FA4A5000-memory.dmp

Filesize
8KB

Download
memory/5060-37-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-23-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-22-0x0000000002BA0000-0x0000000002BAC000-memory.dmp

Filesize
48KB

Download
memory/5060-20-0x0000000002B90000-0x0000000002B9E000-memory.dmp

Filesize
56KB

Download
memory/5060-16-0x00000000029E0000-0x00000000029EE000-memory.dmp

Filesize
56KB

Download
memory/5060-18-0x00000000029F0000-0x00000000029FC000-memory.dmp

Filesize
48KB

Download
memory/5060-53-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-14-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-57-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-1-0x0000000000810000-0x0000000000A0A000-memory.dmp

Filesize
2.0MB

Download
memory/5060-13-0x0000000002B70000-0x0000000002B88000-memory.dmp

Filesize
96KB

Download
memory/5060-10-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-11-0x000000001B6B0000-0x000000001B700000-memory.dmp

Filesize
320KB

Download
memory/5060-9-0x0000000002B50000-0x0000000002B6C000-memory.dmp

Filesize
112KB

Download
memory/5060-7-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-6-0x00000000029D0000-0x00000000029DE000-memory.dmp

Filesize
56KB

Download
memory/5060-4-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-3-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5060-2-0x00007FF8FA4A0000-0x00007FF8FAF61000-memory.dmp

Filesize
10.8MB

Download
memory/5076-63-0x000001E640910000-0x000001E640932000-memory.dmp

Filesize
136KB

Download