c862578f76c396997aec18d367b6f0ce81a6e15b6e50e27858e0f3dea7a98d95

Resubmissions

07-10-2024 05:31

241007-f76bwasdpf 8

07-10-2024 03:45

241007-ebh12axgna 8

07-10-2024 03:41

241007-d88ghsxflg 8

07-10-2024 03:38

241007-d7bfdstbkm 8

Analysis

max time kernel
148s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-ja
resource tags

arch:x64arch:x86image:win10-20240404-jalocale:ja-jpos:windows10-1703-x64systemwindows
submitted
07-10-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vTHGfiwMDeoOH5a.exe
Size

785KB
MD5

3aa5992e9a518e4d1a7042a16b10e31d
SHA1

5bce77192abbf2a71a2b19d6b00f08685f569b64
SHA256

cfad352d8c9e907269c76b22b73f7a9fa47c3782c99ec48598a310a35d3bdaac
SHA512

518b38137a320e3853e28496485c04c933b68ef34f4ef9b4da363711555ea70c11325d4e05d761d5a4aaa199e684e0da084e0226f319cfe3a29dc00d120fed95
SSDEEP

24576:A0ixK9bqAGf89ojqUk6fT6xuBgptr6svn6v:9ixKp5NX6BBStr6svnu

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3852 powershell.exe
4100 powershell.exe
1172 powershell.exe
1052 powershell.exe
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\taskschd.msc mmc.exe

pid	process
3852	powershell.exe
4100	powershell.exe
1172	powershell.exe
1052	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

vTHGfiwMDeoOH5a.exevTHGfiwMDeoOH5a.exevTHGfiwMDeoOH5a.exe

description	pid	process	target process
PID 968 set thread context of 2000	968	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 1404 set thread context of 4256	1404	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 3000 set thread context of 2112	3000	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4124 968 WerFault.exe vTHGfiwMDeoOH5a.exe

pid	pid_target	process	target process
4124	968	WerFault.exe	vTHGfiwMDeoOH5a.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exevTHGfiwMDeoOH5a.exepowershell.exevTHGfiwMDeoOH5a.exepowershell.exevTHGfiwMDeoOH5a.exevTHGfiwMDeoOH5a.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vTHGfiwMDeoOH5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vTHGfiwMDeoOH5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vTHGfiwMDeoOH5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vTHGfiwMDeoOH5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

vTHGfiwMDeoOH5a.exepowershell.exevTHGfiwMDeoOH5a.exepowershell.exevTHGfiwMDeoOH5a.exepowershell.exevTHGfiwMDeoOH5a.exevTHGfiwMDeoOH5a.exe

pid	process
968	vTHGfiwMDeoOH5a.exe
968	vTHGfiwMDeoOH5a.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
2000	vTHGfiwMDeoOH5a.exe
4100	powershell.exe
4100	powershell.exe
4100	powershell.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
4256	vTHGfiwMDeoOH5a.exe
1172	powershell.exe
1172	powershell.exe
1172	powershell.exe
2112	vTHGfiwMDeoOH5a.exe
2112	vTHGfiwMDeoOH5a.exe
2112	vTHGfiwMDeoOH5a.exe
2112	vTHGfiwMDeoOH5a.exe
2112	vTHGfiwMDeoOH5a.exe
2112	vTHGfiwMDeoOH5a.exe
4632	vTHGfiwMDeoOH5a.exe
4632	vTHGfiwMDeoOH5a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

1240 mmc.exe

pid	process
1240	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vTHGfiwMDeoOH5a.exepowershell.exemmc.exe

description	pid	process
Token: SeDebugPrivilege	968	vTHGfiwMDeoOH5a.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe
Token: 33	1240	mmc.exe
Token: SeIncBasePriorityPrivilege	1240	mmc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

mmc.exe

pid process

1240 mmc.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mmc.exe

pid process

1240 mmc.exe
1240 mmc.exe

pid	process
1240	mmc.exe

pid	process
1240	mmc.exe
1240	mmc.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

vTHGfiwMDeoOH5a.exevTHGfiwMDeoOH5a.exevTHGfiwMDeoOH5a.exevTHGfiwMDeoOH5a.exe

description	pid	process	target process
PID 968 wrote to memory of 3852	968	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 968 wrote to memory of 3852	968	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 968 wrote to memory of 3852	968	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 968 wrote to memory of 3884	968	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 968 wrote to memory of 3884	968	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 968 wrote to memory of 3884	968	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 968 wrote to memory of 2000	968	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 968 wrote to memory of 2000	968	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 968 wrote to memory of 2000	968	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 968 wrote to memory of 2000	968	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 968 wrote to memory of 2000	968	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 968 wrote to memory of 2000	968	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 1404 wrote to memory of 4100	1404	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 1404 wrote to memory of 4100	1404	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 1404 wrote to memory of 4100	1404	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 1404 wrote to memory of 4256	1404	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 1404 wrote to memory of 4256	1404	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 1404 wrote to memory of 4256	1404	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 1404 wrote to memory of 4256	1404	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 1404 wrote to memory of 4256	1404	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 1404 wrote to memory of 4256	1404	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 3000 wrote to memory of 1172	3000	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 3000 wrote to memory of 1172	3000	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 3000 wrote to memory of 1172	3000	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 3000 wrote to memory of 2112	3000	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 3000 wrote to memory of 2112	3000	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 3000 wrote to memory of 2112	3000	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 3000 wrote to memory of 2112	3000	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 3000 wrote to memory of 2112	3000	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 3000 wrote to memory of 2112	3000	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 4632 wrote to memory of 1052	4632	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 4632 wrote to memory of 1052	4632	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 4632 wrote to memory of 1052	4632	vTHGfiwMDeoOH5a.exe	powershell.exe
PID 4632 wrote to memory of 1040	4632	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 4632 wrote to memory of 1040	4632	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 4632 wrote to memory of 1040	4632	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 4632 wrote to memory of 4512	4632	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 4632 wrote to memory of 4512	4632	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe
PID 4632 wrote to memory of 4512	4632	vTHGfiwMDeoOH5a.exe	vTHGfiwMDeoOH5a.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
"C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
"C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
2⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
"C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1724
2⤵
- Program crash
PID:4124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4920

C:\Windows\System32\IME\SHARED\imebroker.exe
C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding
1⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
"C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4100

C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
"C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1240

C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
"C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
"C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
"C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
PID:1052

C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
"C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
2⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe
"C:\Users\Admin\AppData\Local\Temp\vTHGfiwMDeoOH5a.exe"
2⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vTHGfiwMDeoOH5a.exe.log

Filesize
2KB

MD5
c308175553db5f89d710dbea7527d365

SHA1
e5bc03f4aa2ebfaf61bcb506cd1ea212422b54e9

SHA256
1d0adbfebb59b1b9d8350db3a4c977b133cc8f433c52467e6ddb9aefb4fb64fb

SHA512
e98899f56c69a29143eb89bba887c439d6e04dd7710c9b2f0f68b747483e2a8a6ff4b10af350f7fde09c113af46970884d985287bc371f9cc571d4182ddcaf53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
23c5d474b11976f4f80abb1510f9270a

SHA1
c1cc46441882b6ae4f796ba48fe96dc8f0ac1aeb

SHA256
3c486a8c82d21b14b6d487a7b51fb5b8b6a529bd2dfd3ff3d066a9231b89a86b

SHA512
4c4f11760efb36999a507fdf03d0210d7983350ba69869436ea7a8e69ecfe66787e89d91e92cdd6fe676a684816d5e5608116935d72c2b08033187f136f0278e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d5c231e924dd74d15945eb09dfb2a882

SHA1
4c5000a6b8f65827849d31735df241f0c6b2cbd0

SHA256
78a1a82bb0cb7ee1d865de9f04d87d45240106cd75b9936b1d192650b9ab6c5f

SHA512
b4607e33efe6bedba23e1c59ee2ddb3f08a525b5eaa290f02e2a11b832c04b5af8b0e330fb387b13da424854e08f3d9bd7225161d8b1485c28010918e5102f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
12a8167ed2df148434b9020b985ceae2

SHA1
add094af9e3de06d718770805ba16c1b2c97bef9

SHA256
442018d0e7e0f27e9bea58592300be65fcf05b39c1417693710db45182c5174c

SHA512
9b25074c478d1202abb3d71a1df8a4a86ffbef0ccc6f54205b2fdee36b05853e03b0e4593779e7eded42ad6ae6706013489ad79029c26424cb9eae92a2871604

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2y1zbc2v.qck.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/968-10-0x0000000009B00000-0x0000000009B0A000-memory.dmp

Filesize
40KB

Download
memory/968-5-0x00000000053B0000-0x00000000053C8000-memory.dmp

Filesize
96KB

Download
memory/968-8-0x0000000006900000-0x000000000698E000-memory.dmp

Filesize
568KB

Download
memory/968-9-0x00000000090C0000-0x000000000915C000-memory.dmp

Filesize
624KB

Download
memory/968-6-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

Filesize
4KB

Download
memory/968-274-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/968-16-0x0000000006830000-0x0000000006842000-memory.dmp

Filesize
72KB

Download
memory/968-7-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Filesize
6.9MB

Download
memory/968-4-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/968-0-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

Filesize
4KB

Download
memory/968-18-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/968-3-0x00000000058E0000-0x0000000005DDE000-memory.dmp

Filesize
5.0MB

Download
memory/968-2-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Filesize
6.9MB

Download
memory/968-1-0x0000000000820000-0x00000000008EA000-memory.dmp

Filesize
808KB

Download
memory/968-703-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Filesize
6.9MB

Download
memory/1052-947-0x0000000008A40000-0x0000000008A8B000-memory.dmp

Filesize
300KB

Download
memory/1052-964-0x0000000070A80000-0x0000000070ACB000-memory.dmp

Filesize
300KB

Download
memory/1052-945-0x00000000081F0000-0x0000000008540000-memory.dmp

Filesize
3.3MB

Download
memory/1052-969-0x0000000009E90000-0x0000000009F35000-memory.dmp

Filesize
660KB

Download
memory/1172-709-0x0000000007C00000-0x0000000007C4B000-memory.dmp

Filesize
300KB

Download
memory/1172-731-0x0000000009040000-0x00000000090E5000-memory.dmp

Filesize
660KB

Download
memory/1172-707-0x0000000007610000-0x0000000007960000-memory.dmp

Filesize
3.3MB

Download
memory/1172-726-0x000000006DB70000-0x000000006DBBB000-memory.dmp

Filesize
300KB

Download
memory/1240-292-0x000000001D6B0000-0x000000001D7BE000-memory.dmp

Filesize
1.1MB

Download
memory/1240-325-0x000000001DAE0000-0x000000001DB02000-memory.dmp

Filesize
136KB

Download
memory/1240-320-0x000000001DC40000-0x000000001DDE6000-memory.dmp

Filesize
1.6MB

Download
memory/1240-307-0x000000001D500000-0x000000001D50E000-memory.dmp

Filesize
56KB

Download
memory/1240-470-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2000-11-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2000-273-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2000-275-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2000-17-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3852-19-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

Filesize
4KB

Download
memory/3852-27-0x0000000007840000-0x0000000007B90000-memory.dmp

Filesize
3.3MB

Download
memory/3852-256-0x00000000092D0000-0x00000000092D8000-memory.dmp

Filesize
32KB

Download
memory/3852-251-0x0000000009330000-0x000000000934A000-memory.dmp

Filesize
104KB

Download
memory/3852-58-0x00000000093D0000-0x0000000009464000-memory.dmp

Filesize
592KB

Download
memory/3852-57-0x00000000092E0000-0x0000000009330000-memory.dmp

Filesize
320KB

Download
memory/3852-56-0x0000000009170000-0x0000000009215000-memory.dmp

Filesize
660KB

Download
memory/3852-51-0x0000000009060000-0x000000000907E000-memory.dmp

Filesize
120KB

Download
memory/3852-49-0x00000000090A0000-0x00000000090D3000-memory.dmp

Filesize
204KB

Download
memory/3852-50-0x000000006C0E0000-0x000000006C12B000-memory.dmp

Filesize
300KB

Download
memory/3852-32-0x0000000007FD0000-0x0000000008046000-memory.dmp

Filesize
472KB

Download
memory/3852-15-0x0000000000E50000-0x0000000000E86000-memory.dmp

Filesize
216KB

Download
memory/3852-31-0x0000000007BD0000-0x0000000007C1B000-memory.dmp

Filesize
300KB

Download
memory/3852-20-0x0000000007000000-0x0000000007628000-memory.dmp

Filesize
6.2MB

Download
memory/3852-30-0x0000000006FC0000-0x0000000006FDC000-memory.dmp

Filesize
112KB

Download
memory/3852-21-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Filesize
6.9MB

Download
memory/3852-22-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Filesize
6.9MB

Download
memory/3852-29-0x0000000007CA0000-0x0000000007DAE000-memory.dmp

Filesize
1.1MB

Download
memory/3852-28-0x0000000006E20000-0x0000000006E30000-memory.dmp

Filesize
64KB

Download
memory/3852-272-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Filesize
6.9MB

Download
memory/3852-26-0x0000000006EB0000-0x0000000006F16000-memory.dmp

Filesize
408KB

Download
memory/3852-25-0x0000000006E40000-0x0000000006EA6000-memory.dmp

Filesize
408KB

Download
memory/3852-24-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

Filesize
136KB

Download
memory/3852-23-0x0000000006B40000-0x0000000006BD2000-memory.dmp

Filesize
584KB

Download
memory/4100-492-0x00000000099F0000-0x0000000009A95000-memory.dmp

Filesize
660KB

Download
memory/4100-487-0x000000006C930000-0x000000006C97B000-memory.dmp

Filesize
300KB

Download
memory/4100-445-0x0000000008530000-0x000000000857B000-memory.dmp

Filesize
300KB

Download
memory/4100-443-0x0000000007D50000-0x00000000080A0000-memory.dmp

Filesize
3.3MB

Download