Overview

overview

10

Static

static

10

Samples - ...24.zip

windows11-21h2-x64

1

Samples - ...a1.exe

windows11-21h2-x64

10

Samples - ...8b.exe

windows11-21h2-x64

10

Samples - ...c2.dll

windows11-21h2-x64

1

Samples - ...b5.exe

windows11-21h2-x64

10

Samples - ...56.exe

windows11-21h2-x64

10

Samples - ...57.exe

windows11-21h2-x64

1

Samples - ...cb.exe

windows11-21h2-x64

10

Samples - ...69.exe

windows11-21h2-x64

10

Samples - ...0c.exe

windows11-21h2-x64

10

Samples - ...9b.exe

windows11-21h2-x64

1

Samples - ...64.exe

windows11-21h2-x64

1

Samples - ...48.exe

windows11-21h2-x64

1

Samples - ...d4.exe

windows11-21h2-x64

1

Samples - ...3f.exe

windows11-21h2-x64

10

Samples - ...dd.exe

windows11-21h2-x64

10

Samples - ...3d.exe

windows11-21h2-x64

10

Samples - ...fd.exe

windows11-21h2-x64

10

Samples - ...a1.exe

windows11-21h2-x64

10

Samples - ...cc.exe

windows11-21h2-x64

10

Samples - ...51.exe

windows11-21h2-x64

10

Samples - ...8b.exe

windows11-21h2-x64

10

Samples - ...39.exe

windows11-21h2-x64

10

Samples - ...d0.exe

windows11-21h2-x64

5

Samples - ...75.exe

windows11-21h2-x64

3

Samples - ...c7.exe

windows11-21h2-x64

5

Samples - ...76.exe

windows11-21h2-x64

10

Samples - ...bc.exe

windows11-21h2-x64

10

Samples - ...b9.exe

windows11-21h2-x64

3

Samples - ...f7.exe

windows11-21h2-x64

3

Samples - ...2b.exe

windows11-21h2-x64

3

Samples - ...22.exe

windows11-21h2-x64

10

Resubmissions

10-10-2024 02:19

241010-crx4sazhnm 10

Analysis

  • max time kernel
    114s
  • max time network
    139s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-10-2024 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Samples - 10-09-2024/4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351.exe

  • Size

    1.9MB

  • MD5

    b8aa70ed9243f5aa9c8dd45e8b6c01e7

  • SHA1

    8d871a1d93cc069413563d42dad3f098f4ac5e5d

  • SHA256

    4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351

  • SHA512

    d2db111500ba7bc55f0913f888a38ba7b3986c2439fc0abd0ccd7feb4d4ac0d7863edb28c903ccb78c1f59e8eb29cbc4132ab2977560c2a5c21f089bb5ca72a7

  • SSDEEP

    49152:dbmZsvFi8eKtbbrI5E6OmK0ETDZns1X/A4kAK:dbmZs9btb3IS6OBZs1vA4p

Score
10/10
discoveryexecutionpersistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351.exe
    "C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pqn5t0by\pqn5t0by.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3740
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6F7.tmp" "c:\Windows\System32\CSC7F02A13B3A0F446E9015BEFB0C3DC10.TMP"
        3⤵
          PID:1712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1848
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3148
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4292
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4776
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:852
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2468
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\Registry.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4548
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\dllhost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1356
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\backgroundTaskHost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ImlUvO6sQ2.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:5416
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5776
          • C:\Recovery\WindowsRE\sppsvc.exe
            "C:\Recovery\WindowsRE\sppsvc.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:6064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3292
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1500
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4928
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\Registry.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\Libraries\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\Registry.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2804
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:564
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4296
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:988
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2160
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2588
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\backgroundTaskHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1212
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c623514" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c623514" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3916

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Browser Information Discovery

      1
      T1217

      Query Registry

      1
      T1012

      Remote System Discovery

      1
      T1018

      System Information Discovery

      1
      T1082

      System Network Configuration Discovery

      1
      T1016

      Internet Connection Discovery

      1
      T1016.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Recovery\WindowsRE\unsecapp.exe
        Filesize

        1.9MB

        MD5

        b8aa70ed9243f5aa9c8dd45e8b6c01e7

        SHA1

        8d871a1d93cc069413563d42dad3f098f4ac5e5d

        SHA256

        4ceb69afc05b1475459075f2cd5688f6aa8fe6a9ff6cae0a25d742b650c62351

        SHA512

        d2db111500ba7bc55f0913f888a38ba7b3986c2439fc0abd0ccd7feb4d4ac0d7863edb28c903ccb78c1f59e8eb29cbc4132ab2977560c2a5c21f089bb5ca72a7

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        627073ee3ca9676911bee35548eff2b8

        SHA1

        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

        SHA256

        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

        SHA512

        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        1a9fa92a4f2e2ec9e244d43a6a4f8fb9

        SHA1

        9910190edfaccece1dfcc1d92e357772f5dae8f7

        SHA256

        0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

        SHA512

        5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        aa4f31835d07347297d35862c9045f4a

        SHA1

        83e728008935d30f98e5480fba4fbccf10cefb05

        SHA256

        99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

        SHA512

        ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        7d760ca2472bcb9fe9310090d91318ce

        SHA1

        cb316b8560b38ea16a17626e685d5a501cd31c4a

        SHA256

        5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

        SHA512

        141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6903d57eed54e89b68ebb957928d1b99

        SHA1

        fade011fbf2e4bc044d41e380cf70bd6a9f73212

        SHA256

        36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

        SHA512

        c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3284cb698efa6fb773dc0eebd30a3214

        SHA1

        a1093d44f025e5ba9609e99a3fc5fce3723fd7f3

        SHA256

        22f6a7c20c96be4775bec28c377d98d91a160fb5dd3158083e4365286161a2aa

        SHA512

        af3ea3c69350087cd0e6768679ba7bdfff4c184b5bfe7abf9152aa161713c56c6dc86390543507580f9ae0a6103d26486dbe37330dbc78e172a966957ba43606

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        dc4dd6766dd68388d8733f1b729f87e9

        SHA1

        7b883d87afec5be3eff2088409cd1f57f877c756

        SHA256

        3407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826

        SHA512

        3084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\ImlUvO6sQ2.bat
        Filesize

        160B

        MD5

        fe29d58c5ae1ee6c97455307b27171f0

        SHA1

        a447132bda347b7af873c36d02bdd28e9eddc7a2

        SHA256

        d582f6222bdd78dea12249e37ef19f42a0882b21e8f33b67c52c4e43ba2d6c12

        SHA512

        0f47a08ef77336ae0bd65edf85f4319f83ce7c7d1a6485079b68175408200b5892dc00bdda93049e1196279ab17c795c59ad00458632b59a3f9cff503b45bcf7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESD6F7.tmp
        Filesize

        1KB

        MD5

        5970f3b0ec4e800cbbccaf712b7fd452

        SHA1

        ebb35a960de606455168fcad093f4b33acc46815

        SHA256

        6b0b164ec934b117b4065b8907b66c20816ec93d098b9f3155faf3d1fce7ce66

        SHA512

        c259314ad3e1fcde85299a7f03865accbd38bce02d8c8962c4ff0862ecc45d59ecf29d85f14a04df963a0451f73fdb29b7dc1f4968ab3ca9c8e59ae59050be8b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wc2ogqub.sut.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\pqn5t0by\pqn5t0by.0.cs
        Filesize

        366B

        MD5

        9d2b7397c8845f7e266685892c590265

        SHA1

        e378432b00b272edc29701b2f2585e18d127f861

        SHA256

        61bc72f6575b78d932bdfd2f15eb601e8eee23073e318515a11f58bcf7178635

        SHA512

        99a7605468094f870ea4ad1c044fb682c50c5f80b35d45560b17e08d04916e568c4a4dbebd168d4eca9ed533d2bd0a35d2df6b9d2af226e193b123e23a219666

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\pqn5t0by\pqn5t0by.cmdline
        Filesize

        235B

        MD5

        2445a3a2139457073c57de1b0a57bc81

        SHA1

        11765ee1fa81850e7b9558f78363480fc80a491c

        SHA256

        ff783c45315c85199a6eaa828ac5837d167ae9541bf199252a8ef6e3b1b6a6f9

        SHA512

        dc4a40b62b7b3c00f8cc90dc62982989fb0f4bad03d87878470a4d21beac3529a55fb61469fcf158470207bc32a06679aaaf8448865eaa39d3b7e54870a8ce1e

        Download Submit

      • \??\c:\Windows\System32\CSC7F02A13B3A0F446E9015BEFB0C3DC10.TMP
        Filesize

        1KB

        MD5

        acfb6faeec3eb6e047a5a2e7fc46f7c4

        SHA1

        bd7ca4bf6c574dec440c891d55a541a4cc20c376

        SHA256

        003e0aa24c6b8e2110a735f67fbd04e8669846591a5b4e21fe065ccc61fd92b8

        SHA512

        8084ffb6db54d21d869eb4f3d24f5081e0c177bffc703f1717e30b71dbf4898cccef8ef405d634556ef0370ecf67c1715151ae3d47277dea9cf612f73fc1e767

        Download Submit

      • memory/1120-37-0x00007FF905B90000-0x00007FF906652000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1120-11-0x000000001BCC0000-0x000000001BD10000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1120-23-0x00007FF905B90000-0x00007FF906652000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1120-21-0x0000000003280000-0x000000000328C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1120-0-0x00007FF905B93000-0x00007FF905B95000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1120-39-0x00007FF905B90000-0x00007FF906652000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1120-19-0x0000000003260000-0x0000000003268000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1120-13-0x0000000003240000-0x0000000003258000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1120-42-0x00007FF905B90000-0x00007FF906652000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1120-17-0x0000000003210000-0x000000000321C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1120-15-0x0000000003200000-0x000000000320E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1120-22-0x00007FF905B90000-0x00007FF906652000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1120-63-0x000000001CD30000-0x000000001CE06000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1120-64-0x00007FF905B90000-0x00007FF906652000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1120-1-0x0000000000D70000-0x0000000000F62000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/1120-10-0x0000000003220000-0x000000000323C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/1120-8-0x00007FF905B90000-0x00007FF906652000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1120-7-0x00007FF905B90000-0x00007FF906652000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1120-6-0x00000000031F0000-0x00000000031FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1120-4-0x00007FF905B90000-0x00007FF906652000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1120-3-0x00007FF905B90000-0x00007FF906652000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1120-2-0x00007FF905B90000-0x00007FF906652000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4776-78-0x0000015B9F100000-0x0000015B9F122000-memory.dmp

        Filesize

        136KB

        Download

      • memory/6064-240-0x000000001CB40000-0x000000001CC16000-memory.dmp

        Filesize

        856KB

        Download