4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6

Analysis

max time kernel
120s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 20:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Size

257KB
MD5

cd61032ae7bcdd087a60824958f966a0
SHA1

144aa2d9732ccd1c3a71833dbc30cd975e84c6d6
SHA256

4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6
SHA512

211318757eff85e63cde3cde723b790abce8af1e8b8712acc5569281f925aeca04b3076ada55a0287b1655d68a5ef1c511978be824ba54a148c645d7500df38d
SSDEEP

3072:Og9OBT3Be2Q6khQiCCuefXxzk6iGcbPChEdGZFR2obD4CTvek5WNQp0qYutgxbaA:UeC4EwZFoobUk8qp0qpgqOZ

Score

10^/10

evasion execution trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ph1i2pjd.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ph1i2pjd.bat
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ph1i2pjd.bat

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ph1i2pjd.bat

Executes dropped EXE 1 IoCs

pid	Process
1964	ph1i2pjd.bat

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	ph1i2pjd.bat

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	api.ipify.org
22	api.ipify.org

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1880	sc.exe
1376	sc.exe
4720	sc.exe
2552	sc.exe
2508	sc.exe
3280	sc.exe
1760	sc.exe
1276	sc.exe
1452	sc.exe
3680	sc.exe
4364	sc.exe
4060	sc.exe
4156	sc.exe
3204	sc.exe
4612	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1164	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat
1964	ph1i2pjd.bat

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
Token: SeDebugPrivilege	1964	ph1i2pjd.bat
Token: SeSecurityPrivilege	4920	wevtutil.exe
Token: SeBackupPrivilege	4920	wevtutil.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4364	4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	83
PID 4528 wrote to memory of 4364	4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	83
PID 4528 wrote to memory of 3280	4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	84
PID 4528 wrote to memory of 3280	4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	84
PID 4528 wrote to memory of 740	4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	90
PID 4528 wrote to memory of 740	4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	90
PID 4528 wrote to memory of 1964	4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	92
PID 4528 wrote to memory of 1964	4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	92
PID 4528 wrote to memory of 4864	4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	93
PID 4528 wrote to memory of 4864	4528	4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe	93
PID 740 wrote to memory of 1880	740	cmd.exe	95
PID 740 wrote to memory of 1880	740	cmd.exe	95
PID 4864 wrote to memory of 1452	4864	cmd.exe	96
PID 4864 wrote to memory of 1452	4864	cmd.exe	96
PID 1964 wrote to memory of 1376	1964	ph1i2pjd.bat	97
PID 1964 wrote to memory of 1376	1964	ph1i2pjd.bat	97
PID 1964 wrote to memory of 4060	1964	ph1i2pjd.bat	98
PID 1964 wrote to memory of 4060	1964	ph1i2pjd.bat	98
PID 4864 wrote to memory of 624	4864	cmd.exe	101
PID 4864 wrote to memory of 624	4864	cmd.exe	101
PID 4864 wrote to memory of 1164	4864	cmd.exe	102
PID 4864 wrote to memory of 1164	4864	cmd.exe	102
PID 1964 wrote to memory of 2028	1964	ph1i2pjd.bat	104
PID 1964 wrote to memory of 2028	1964	ph1i2pjd.bat	104
PID 1964 wrote to memory of 4156	1964	ph1i2pjd.bat	106
PID 1964 wrote to memory of 4156	1964	ph1i2pjd.bat	106
PID 2028 wrote to memory of 4720	2028	cmd.exe	108
PID 2028 wrote to memory of 4720	2028	cmd.exe	108
PID 1964 wrote to memory of 1212	1964	ph1i2pjd.bat	109
PID 1964 wrote to memory of 1212	1964	ph1i2pjd.bat	109
PID 1964 wrote to memory of 1276	1964	ph1i2pjd.bat	111
PID 1964 wrote to memory of 1276	1964	ph1i2pjd.bat	111
PID 1964 wrote to memory of 2532	1964	ph1i2pjd.bat	112
PID 1964 wrote to memory of 2532	1964	ph1i2pjd.bat	112
PID 1964 wrote to memory of 3204	1964	ph1i2pjd.bat	115
PID 1964 wrote to memory of 3204	1964	ph1i2pjd.bat	115
PID 4864 wrote to memory of 4968	4864	cmd.exe	117
PID 4864 wrote to memory of 4968	4864	cmd.exe	117
PID 1212 wrote to memory of 4612	1212	cmd.exe	118
PID 1212 wrote to memory of 4612	1212	cmd.exe	118
PID 2532 wrote to memory of 2552	2532	cmd.exe	119
PID 2532 wrote to memory of 2552	2532	cmd.exe	119
PID 4864 wrote to memory of 4920	4864	cmd.exe	120
PID 4864 wrote to memory of 4920	4864	cmd.exe	120
PID 1964 wrote to memory of 2384	1964	ph1i2pjd.bat	121
PID 1964 wrote to memory of 2384	1964	ph1i2pjd.bat	121
PID 2384 wrote to memory of 2508	2384	cmd.exe	123
PID 2384 wrote to memory of 2508	2384	cmd.exe	123
PID 1964 wrote to memory of 704	1964	ph1i2pjd.bat	124
PID 1964 wrote to memory of 704	1964	ph1i2pjd.bat	124
PID 704 wrote to memory of 1760	704	cmd.exe	126
PID 704 wrote to memory of 1760	704	cmd.exe	126
PID 1964 wrote to memory of 2912	1964	ph1i2pjd.bat	127
PID 1964 wrote to memory of 2912	1964	ph1i2pjd.bat	127
PID 4864 wrote to memory of 4496	4864	cmd.exe	129
PID 4864 wrote to memory of 4496	4864	cmd.exe	129
PID 1964 wrote to memory of 2160	1964	ph1i2pjd.bat	130
PID 1964 wrote to memory of 2160	1964	ph1i2pjd.bat	130
PID 1964 wrote to memory of 3016	1964	ph1i2pjd.bat	132
PID 1964 wrote to memory of 3016	1964	ph1i2pjd.bat	132
PID 1964 wrote to memory of 1588	1964	ph1i2pjd.bat	134
PID 1964 wrote to memory of 1588	1964	ph1i2pjd.bat	134
PID 3016 wrote to memory of 1452	3016	cmd.exe	136
PID 3016 wrote to memory of 1452	3016	cmd.exe	136

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1452	attrib.exe
4968	attrib.exe
4496	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe
"C:\Users\Admin\AppData\Local\Temp\4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Windows security modification
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config wdfilter start=disabled
  2⤵
  - Launches sc.exe
  PID:4364
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" config WerSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:3280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\system32\sc.exe
    sc stop wdfilter
    3⤵
    - Launches sc.exe
    PID:1880
- C:\Users\Admin\AppData\Local\Temp\ph1i2pjd.bat
  "C:\Users\Admin\AppData\Local\Temp\ph1i2pjd.bat" ok
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WerSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1376
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config wdfilter start=disabled
    3⤵
    - Launches sc.exe
    PID:4060
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:4720
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WinDefend start=disabled
    3⤵
    - Launches sc.exe
    PID:4156
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WerSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\system32\sc.exe
      sc stop WerSvc
      4⤵
      Launches sc.exe
      PID:4612
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config WdNisSvc start=disabled
    3⤵
    - Launches sc.exe
    PID:1276
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2552
- - C:\Windows\System32\sc.exe
    "C:\Windows\System32\sc.exe" config XblGameSave start=disabled
    3⤵
    - Launches sc.exe
    PID:3204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WdNisSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\system32\sc.exe
      sc stop WdNisSvc
      4⤵
      Launches sc.exe
      PID:2508
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop XblGameSave
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\system32\sc.exe
      sc stop XblGameSave
      4⤵
      Launches sc.exe
      PID:1760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "XXXXX" -AppPathNameMatchCondition "C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-NetQosPolicy -Name "YYYYY" -AppPathNameMatchCondition "C:\Program Files (x86)\Common Files\BattlEye\BEService.exe" -ThrottleRateActionBitsPerSecond 8
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop wdfilter
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\system32\sc.exe
      sc stop wdfilter
      4⤵
      Launches sc.exe
      PID:1452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop faceit
    3⤵
    PID:1588
  - - C:\Windows\system32\sc.exe
      sc stop faceit
      4⤵
      Launches sc.exe
      PID:3680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0c2c50c6-f673-4878-87f7-bd5b96edffbd.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe"
    3⤵
    - Views/modifies file attributes
    PID:1452
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "HiberbootEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:624
- - C:\Windows\system32\timeout.exe
    timeout /T 1
    3⤵
    - Delays execution with timeout.exe
    PID:1164
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\4f0ba9092f3cb4cdd6dce1063c63be405148f5b9713a00a450cee684258f71c6N.exe"
    3⤵
    - Views/modifies file attributes
    PID:4968
- - C:\Windows\system32\wevtutil.exe
    wevtutil el
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\0c2c50c6-f673-4878-87f7-bd5b96edffbd.bat"
    3⤵
    - Views/modifies file attributes
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
083782a87bd50ffc86d70cbc6f04e275

SHA1
0c11bc2b2c2cf33b17fff5e441881131ac1bee31

SHA256
7a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f

SHA512
a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c2c50c6-f673-4878-87f7-bd5b96edffbd.bat

Filesize
780B

MD5
17453e405fccbb8f049460ece83923c9

SHA1
3584411cc63c76756a4c471eba89d9ba69b9b554

SHA256
3dd93c13a7ec499b3ede9df3984f4cd0bc2b8711e6148691033b5c99e7a07df0

SHA512
e24aa14a4790c644fcec9cad55619c5bc8c84300efec978027e56fb303549dc2d893d8620c96febd0962a69486acce2e85ce7bc0d9b07873256a507186a8b23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lojmb2a2.4tk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ph1i2pjd.bat

Filesize
257KB

MD5
a99ac111a191af92851a01b6d84c4be2

SHA1
698b138cb5644ebcc57ea0153f41da0dbe2affd4

SHA256
ea6ee0c47c3988b6499cbdbbe120fc92a380060191dc19bd60a6c75a74cd113e

SHA512
bced3d626d44d724c1516ed7f15024d76ded7c9a87bcbbdd915c9de159de3cd9f2db1fbf1b667d699e7cf6ab61159d2b106e3fddf096fb9a70fa984d0da4d581

Download Submit
C:\Users\Admin\AppData\Roaming\spf\unknown.log

Filesize
271B

MD5
ac2b03e81d7c48d6f76c23c2d020e0a1

SHA1
c47cf566959316dfd2ebafbfc8be02de68f7a9b8

SHA256
4ba74543cb7f64b5e937c26330d907d66e897ddaf61e8e3c9de27f1106868358

SHA512
5522d262de4cf79e8fe4ca2b6a9f6fa8f9d9822ae4ef0e676ad27e8487ca3f280ede2c72ab59dc4c5ab3b29ab963f4e04ae04deaa84cd8d6b83d30944ca41db4

Download Submit
memory/1964-16-0x00007FFA38390000-0x00007FFA38E51000-memory.dmp

Filesize
10.8MB

Download
memory/1964-50-0x00007FFA38390000-0x00007FFA38E51000-memory.dmp

Filesize
10.8MB

Download
memory/2912-29-0x0000018345820000-0x0000018345842000-memory.dmp

Filesize
136KB

Download
memory/4528-17-0x00007FFA38390000-0x00007FFA38E51000-memory.dmp

Filesize
10.8MB

Download
memory/4528-0-0x00007FFA38393000-0x00007FFA38395000-memory.dmp

Filesize
8KB

Download
memory/4528-2-0x00007FFA38390000-0x00007FFA38E51000-memory.dmp

Filesize
10.8MB

Download
memory/4528-1-0x000001F36A150000-0x000001F36A18E000-memory.dmp

Filesize
248KB

Download