4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Files/Apps/ps7.bat
Size

1KB
MD5

b83b3e4786261c97aceb379ab170e81d
SHA1

96d92ee43eac3e67ad6959b6f66012dcc51fd992
SHA256

5741408cf05b802d5a67eab4ed0ec9cdf965b0fa718187eb3d72376b47dadb1c
SHA512

d8bcab23933d4fdbd67089349861a5c95ff4ed2a823c647e647d5c8dc853d44e5a9d48d339937d11a3dcc3d5233f2b88fc2144733d1467eb528c6b63b85dcf63

Score

10^/10

dropper execution

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://chocolatey.org/install.ps1

Signatures

Blocklisted process makes network request 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow	pid	process
13	2460	powershell.exe
14	2460	powershell.exe
20	2744	powershell.exe
21	2744	powershell.exe
27	552	powershell.exe
28	552	powershell.exe
34	1772	powershell.exe
35	1772	powershell.exe
41	632	powershell.exe
42	632	powershell.exe
48	1388	powershell.exe
49	1388	powershell.exe
55	1900	powershell.exe
56	1900	powershell.exe
62	2760	powershell.exe
63	2760	powershell.exe
69	1152	powershell.exe
70	1152	powershell.exe
76	780	powershell.exe
77	780	powershell.exe
83	2324	powershell.exe
84	2324	powershell.exe

Download via BitsAdmin 1 TTPs 23 IoCs

dropper

BITS Jobs

T1197

Processes:

bitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exebitsadmin.exe

pid	process
2840	bitsadmin.exe
2700	bitsadmin.exe
2580	bitsadmin.exe
2072	bitsadmin.exe
1704	bitsadmin.exe
748	bitsadmin.exe
2836	bitsadmin.exe
2544	bitsadmin.exe
1780	bitsadmin.exe
344	bitsadmin.exe
1076	bitsadmin.exe
2308	bitsadmin.exe
1064	bitsadmin.exe
3068	bitsadmin.exe
1280	bitsadmin.exe
2136	bitsadmin.exe
1268	bitsadmin.exe
2316	bitsadmin.exe
2796	bitsadmin.exe
2964	bitsadmin.exe
3032	bitsadmin.exe
2676	bitsadmin.exe
1324	bitsadmin.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2460	powershell.exe
552	powershell.exe
1388	powershell.exe
2324	powershell.exe
2744	powershell.exe
1772	powershell.exe
632	powershell.exe
1900	powershell.exe
2760	powershell.exe
1152	powershell.exe
780	powershell.exe
2860	powershell.exe
1804	powershell.exe
2208	powershell.exe
992	powershell.exe
2024	powershell.exe
1720	powershell.exe
1044	powershell.exe
580	powershell.exe
2260	powershell.exe
1892	powershell.exe
1332	powershell.exe

Drops file in Windows directory 33 IoCs

Processes:

wusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exewusa.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 11 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2208	timeout.exe
1056	timeout.exe
1088	timeout.exe
1516	timeout.exe
2512	timeout.exe
2912	timeout.exe
1300	timeout.exe
944	timeout.exe
1056	timeout.exe
2452	timeout.exe
552	timeout.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

pid	process
2460	powershell.exe
1720	powershell.exe
1720	powershell.exe
1720	powershell.exe
2744	powershell.exe
2860	powershell.exe
2860	powershell.exe
2860	powershell.exe
552	powershell.exe
1332	powershell.exe
1332	powershell.exe
1332	powershell.exe
1772	powershell.exe
1044	powershell.exe
1044	powershell.exe
1044	powershell.exe
632	powershell.exe
580	powershell.exe
580	powershell.exe
580	powershell.exe
1388	powershell.exe
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
1900	powershell.exe
1804	powershell.exe
1804	powershell.exe
1804	powershell.exe
2760	powershell.exe
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
1152	powershell.exe
2208	powershell.exe
2208	powershell.exe
2208	powershell.exe
780	powershell.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
2324	powershell.exe
2024	powershell.exe
2024	powershell.exe
2024	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 2980 wrote to memory of 2816	2980	cmd.exe	cmd.exe
PID 2980 wrote to memory of 2816	2980	cmd.exe	cmd.exe
PID 2980 wrote to memory of 2816	2980	cmd.exe	cmd.exe
PID 2980 wrote to memory of 2136	2980	cmd.exe	bitsadmin.exe
PID 2980 wrote to memory of 2136	2980	cmd.exe	bitsadmin.exe
PID 2980 wrote to memory of 2136	2980	cmd.exe	bitsadmin.exe
PID 2980 wrote to memory of 2840	2980	cmd.exe	bitsadmin.exe
PID 2980 wrote to memory of 2840	2980	cmd.exe	bitsadmin.exe
PID 2980 wrote to memory of 2840	2980	cmd.exe	bitsadmin.exe
PID 2980 wrote to memory of 1708	2980	cmd.exe	wusa.exe
PID 2980 wrote to memory of 1708	2980	cmd.exe	wusa.exe
PID 2980 wrote to memory of 1708	2980	cmd.exe	wusa.exe
PID 2980 wrote to memory of 2460	2980	cmd.exe	powershell.exe
PID 2980 wrote to memory of 2460	2980	cmd.exe	powershell.exe
PID 2980 wrote to memory of 2460	2980	cmd.exe	powershell.exe
PID 2980 wrote to memory of 2912	2980	cmd.exe	timeout.exe
PID 2980 wrote to memory of 2912	2980	cmd.exe	timeout.exe
PID 2980 wrote to memory of 2912	2980	cmd.exe	timeout.exe
PID 2980 wrote to memory of 1720	2980	cmd.exe	powershell.exe
PID 2980 wrote to memory of 1720	2980	cmd.exe	powershell.exe
PID 2980 wrote to memory of 1720	2980	cmd.exe	powershell.exe
PID 1720 wrote to memory of 2124	1720	powershell.exe	cmd.exe
PID 1720 wrote to memory of 2124	1720	powershell.exe	cmd.exe
PID 1720 wrote to memory of 2124	1720	powershell.exe	cmd.exe
PID 2124 wrote to memory of 1888	2124	cmd.exe	cmd.exe
PID 2124 wrote to memory of 1888	2124	cmd.exe	cmd.exe
PID 2124 wrote to memory of 1888	2124	cmd.exe	cmd.exe
PID 2124 wrote to memory of 1780	2124	cmd.exe	bitsadmin.exe
PID 2124 wrote to memory of 1780	2124	cmd.exe	bitsadmin.exe
PID 2124 wrote to memory of 1780	2124	cmd.exe	bitsadmin.exe
PID 2124 wrote to memory of 1268	2124	cmd.exe	bitsadmin.exe
PID 2124 wrote to memory of 1268	2124	cmd.exe	bitsadmin.exe
PID 2124 wrote to memory of 1268	2124	cmd.exe	bitsadmin.exe
PID 2124 wrote to memory of 3048	2124	cmd.exe	wusa.exe
PID 2124 wrote to memory of 3048	2124	cmd.exe	wusa.exe
PID 2124 wrote to memory of 3048	2124	cmd.exe	wusa.exe
PID 2124 wrote to memory of 2744	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 2744	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 2744	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 1300	2124	cmd.exe	timeout.exe
PID 2124 wrote to memory of 1300	2124	cmd.exe	timeout.exe
PID 2124 wrote to memory of 1300	2124	cmd.exe	timeout.exe
PID 2124 wrote to memory of 2860	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 2860	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 2860	2124	cmd.exe	powershell.exe
PID 2860 wrote to memory of 2428	2860	powershell.exe	cmd.exe
PID 2860 wrote to memory of 2428	2860	powershell.exe	cmd.exe
PID 2860 wrote to memory of 2428	2860	powershell.exe	cmd.exe
PID 2428 wrote to memory of 2216	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2216	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2216	2428	cmd.exe	cmd.exe
PID 2428 wrote to memory of 2316	2428	cmd.exe	bitsadmin.exe
PID 2428 wrote to memory of 2316	2428	cmd.exe	bitsadmin.exe
PID 2428 wrote to memory of 2316	2428	cmd.exe	bitsadmin.exe
PID 2428 wrote to memory of 344	2428	cmd.exe	bitsadmin.exe
PID 2428 wrote to memory of 344	2428	cmd.exe	bitsadmin.exe
PID 2428 wrote to memory of 344	2428	cmd.exe	bitsadmin.exe
PID 2428 wrote to memory of 1140	2428	cmd.exe	wusa.exe
PID 2428 wrote to memory of 1140	2428	cmd.exe	wusa.exe
PID 2428 wrote to memory of 1140	2428	cmd.exe	wusa.exe
PID 2428 wrote to memory of 552	2428	cmd.exe	powershell.exe
PID 2428 wrote to memory of 552	2428	cmd.exe	powershell.exe
PID 2428 wrote to memory of 552	2428	cmd.exe	powershell.exe
PID 2428 wrote to memory of 944	2428	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ver
  2⤵
  PID:2816
- C:\Windows\system32\bitsadmin.exe
  bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
  2⤵
  - Download via BitsAdmin
  PID:2136
- C:\Windows\system32\bitsadmin.exe
  bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
  2⤵
  - Download via BitsAdmin
  PID:2840
- C:\Windows\system32\wusa.exe
  wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
  2⤵
  - Drops file in Windows directory
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ver
      4⤵
      PID:1888
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
      4⤵
      Download via BitsAdmin
      PID:1780
  - - C:\Windows\system32\bitsadmin.exe
      bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
      4⤵
      Download via BitsAdmin
      PID:1268
  - - C:\Windows\system32\wusa.exe
      wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:3048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2744
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:1300
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        6⤵
        
        PID:2216
      - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        6⤵
        Download via BitsAdmin
        
        PID:2316
      - C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        6⤵
        Download via BitsAdmin
        
        PID:344
      - C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:1140
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
      - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        6⤵
        Delays execution with timeout.exe
        
        PID:944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        7⤵
        
        PID:1344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        8⤵
        
        PID:1992
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        8⤵
        Download via BitsAdmin
        
        PID:1076
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        8⤵
        Download via BitsAdmin
        
        PID:1704
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        8⤵
        Drops file in Windows directory
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        8⤵
        Delays execution with timeout.exe
        
        PID:1056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        9⤵
        
        PID:1544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        10⤵
        
        PID:2996
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        10⤵
        Download via BitsAdmin
        
        PID:2700
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        10⤵
        Download via BitsAdmin
        
        PID:2796
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        10⤵
        Drops file in Windows directory
        
        PID:1944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        10⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        10⤵
        Delays execution with timeout.exe
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        11⤵
        
        PID:2812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        12⤵
        
        PID:3068
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        12⤵
        Download via BitsAdmin
        
        PID:2964
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        12⤵
        Download via BitsAdmin
        
        PID:3032
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        12⤵
        Drops file in Windows directory
        
        PID:1320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        12⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        12⤵
        Delays execution with timeout.exe
        
        PID:2452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        13⤵
        
        PID:1184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        14⤵
        
        PID:2248
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        14⤵
        Download via BitsAdmin
        
        PID:2308
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        14⤵
        Download via BitsAdmin
        
        PID:1064
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        14⤵
        Drops file in Windows directory
        
        PID:1240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        14⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        14⤵
        Delays execution with timeout.exe
        
        PID:552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        15⤵
        
        PID:1492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        16⤵
        
        PID:1724
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        16⤵
        Download via BitsAdmin
        
        PID:748
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        16⤵
        Download via BitsAdmin
        
        PID:2580
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        16⤵
        Drops file in Windows directory
        
        PID:2012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        16⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        16⤵
        Delays execution with timeout.exe
        
        PID:1056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        17⤵
        
        PID:2996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        18⤵
        
        PID:2752
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        18⤵
        Download via BitsAdmin
        
        PID:2836
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        18⤵
        Download via BitsAdmin
        
        PID:2676
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        18⤵
        Drops file in Windows directory
        
        PID:2568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        18⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        18⤵
        Delays execution with timeout.exe
        
        PID:1088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        19⤵
        
        PID:2356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        20⤵
        
        PID:2824
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        20⤵
        Download via BitsAdmin
        
        PID:3068
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        20⤵
        Download via BitsAdmin
        
        PID:2544
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        20⤵
        Drops file in Windows directory
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        20⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        20⤵
        Delays execution with timeout.exe
        
        PID:2512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        21⤵
        
        PID:2088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        22⤵
        
        PID:2828
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        22⤵
        Download via BitsAdmin
        
        PID:1280
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer wmf51 https://download.microsoft.com/download/1/C/C/1CC238B2-91F2-40EF-AB03-A0D973326712/Win7AndW2K8R2-KB3191566-x64.msu C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu
        22⤵
        Download via BitsAdmin
        
        PID:2072
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\Win7AndW2K8R2-KB3191566-x64.msu /quiet /norestart
        22⤵
        Drops file in Windows directory
        
        PID:2468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
        22⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 3
        22⤵
        Delays execution with timeout.exe
        
        PID:1516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Files\Apps\ps7.bat" "
        23⤵
        
        PID:2152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ver
        24⤵
        
        PID:1332
        
        C:\Windows\system32\bitsadmin.exe
        
        bitsadmin /transfer netframework https://download.visualstudio.microsoft.com/download/pr/10461429/AC101D64-D9E4-4894-85D2-79ED020E6B7C/NDP462-KB3151800-x86-x64-AllOS-ENU.exe C:\Users\Admin\AppData\Local\Temp\NDP462-KB3151800-x86-x64-AllOS-ENU.exe
        24⤵
        Download via BitsAdmin
        
        PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5061269f6dc9e32d1567074cfa2f8243

SHA1
8ffaaa43bdd3f9cb94e93a26f4a2d67562d7ae9f

SHA256
67a4fe9f53bf9d7ef1213426d8eaeb2acbb2742111a77bfdc842cc90a482a930

SHA512
9299106dfb93686adb0da9dc6b2174817cb70b8a45172c83b925d864cd04cca977fe35eb3158588e693c20278230823e740babbdc37584dc798db236e00b5e52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
64094ff1b192ca5d3ff5bbced65c8b1b

SHA1
6a0357289b9a8dac4a447d1560e6cd3be272f3b4

SHA256
21a1c8a514474a91aa73722939cb1b8926eafd24ce840a3bd3191399fea266d9

SHA512
5cf2f69d7d1e0cf4b6b9c4af01b26418a1289ff8a3a11691caf185d1f7fb5aacc34d4ed29364525145377097f41b62b7b7c0082b8e23a94c8ed66c6ee8d31dbe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
404818b2a1accc806a5bf922490411c1

SHA1
2152b2a9d586d0b75fcb34eef27333fea0c95367

SHA256
4c7fe500975fef0b29dc41ab5b19300d16a368381a658473cff8971d4cd95baa

SHA512
54ab1964b5d1a4719b92d27703becaec4dc57b265f1d56e70191cd139a42d3de9cfa6c6ba7dee2a50d3df0272e02e2ef24a978cc1c1f2488a2041af8ccebfa2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4da839c9d898b5fb93d386e5a0a1f0e9

SHA1
02b831af12d8f788b08919d32e3068c026335325

SHA256
b2874f53d3b13ba22a66d097b576f18b84aafb80cc404bf0c1b3e0a25b289170

SHA512
bc6c856ee4e62afe067db3ea0eb316b98c316c4e4a637980e3e2395047bea6f11fb095c89d861bec22656f2a5131634b5560d71ba589566a13e0a24b964ebc08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2d169772df257472e01a77f9f992872b

SHA1
9e998b5281b4cdf3010b9afcb19679d185faf83a

SHA256
12b7655f0275a8e3ad602405a8d30783378fdbd9eb2652c7fd0e4a331bdd6d61

SHA512
282944ab06115661412952af90261688c7c7b03e206646165368e275760ce0a30f25ff2a9a32db90f92b9aa633b04249753b2b893602559f240144bd4a079679

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b218580ed6e52e4d73b1bf05c7aaba11

SHA1
8121ef61cd1da71ebbafb27590c002afacf0b0ca

SHA256
74278e30c8059eddf394759e68ad6d0bb16f4e524832cb061c8a3a93b7e05742

SHA512
266ebf40b929ecd1b0ab9863ea7190c370693f3976029294857e7ac7b062eb63444c18b5b21ea7aa93d2375b4a1249049fd248b7b9180c03e299438775e5dd03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c1920c84fe1865f993cf3dd554247b68

SHA1
b7b4287a0a94f8aa65b0de5661c6bb009e577d41

SHA256
8f4049b91951032676d4aa2da5ad2780eea5c18da18f87b5100c022f0b1177b4

SHA512
d1a0049f8533f0d6409cb873ee50a2eee7a746aec8bca27c6aa8c5a09e917c6384e65db7b37003a40e91ee815bce251997127d0b765d6c4a93bf30c3c603aa2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6446a9955d407806b79f62e97638b915

SHA1
925e2d3885b8d9491ae086548bb703571c1fd3ee

SHA256
2041147a3ce03e291e9e711a879104c240da5de76389da2f10e1b782a54c7c98

SHA512
7cfffd76652f0c9a9e05be93c6150dbea8f107df570f1696df3156751efbcc43ab95ba2b12c23cb357d7478f741f9f87636ca556d85c884c1cadd29a9e8bd219

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b854673ab1fdfb90b5418408aa98c4aa

SHA1
07940616e15d5ab557b5d981804ec4c05fc94a55

SHA256
3528931c96dce87915e88786dfa244b2eba7f7d5d8fbd16c5eabd56ea039bfa9

SHA512
a0ec442d048f07277d2f7e4d6456e1e60bb22b35240e3706c3ddfdce8d53ec9586ff630a799a75b9fb3e24cc1d1e73998972b2929a62e9c3dc190c4fe6c0437c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
718d04e3ba949ba6d55d22b4a72eb253

SHA1
a01a9b7e7c4937e8a6b3d965fa2b23a58fbf5615

SHA256
01f4b5eb9df77fb450cec6c4837f468258d7d09e47cbb1c2f697c4f022b6eee0

SHA512
33cee3e6d6a34b83629a0796e8c8b464d34b6203bb283483d4856db70284edffcba822f518a96f5123133bf4439c75d115bd2261e0a2d6be7b845137e4e04d44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3d4dda1f42d787de029ab16178f559a6

SHA1
d3ccb827e0667eb201604426f030f6eac9e4d9c4

SHA256
b5d186e0470ea11b0e1d7746147b4222ab97d1e5faecda389616e99ba45a2c22

SHA512
fd7a6ec1aebb6468b03636e0925cabf1a11ed3cfc527036d429873727bc711614b0786abe4e4b4c1d7aafa273c0cb719878098f7b246177361d9a3454953d931

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
11KB

MD5
81c3353edf7349a649a66a7fb35b1aff

SHA1
640fbdea119a5b036c451bd6ab1bc2639b31e076

SHA256
db8af806865a7f624e3429e42d1953b24354bd3b741fca43941b30a2d59492ec

SHA512
65e8dc4133382f59d90b717eb372eece05f81c9b4d9c8d914bc278b1fa887023cbfbf38c330c47cb291f7c38b562c5b3e2422dc22de75ddd2aa04473e05f0e06

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
12KB

MD5
e61bdfaa58a9f0de405edfb1ad1ac010

SHA1
647825fd6a3331b44374cbb0662acc6947a94c37

SHA256
0a03982105b909ff8087795223aa0758abd8d8eadb6660ceed886eb23b79b506

SHA512
d0fb18821b84ee19b9252c7a83ba65ff7b4e94b652cd0344013132d338513ea758314782b3c4764867b3a47ade4f7fcd5f1e4edd2ab534fca99ed16b3681a3b6

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
13KB

MD5
0013111912af5b38e46ffa835ccaa8d3

SHA1
7a746f3d7a8a91fd5360b1ed6cf6cc6641fa2473

SHA256
40cb2f3062d28abe260c9c47e73a3d1b87f5b3d9b5f29f2167e6ebe748957a2a

SHA512
6d7c70e8c9253e78449e124fc5405fbd9fdd185fe674dddedf109d65e27b47edff5b570fc6bf8037ee4c45533e79f2b3e255e32476ea8f50b9cd8ba369294893

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
6KB

MD5
5ed52fb65bdd7937032f976c38169a7e

SHA1
23342ad173dd78d5ef4c74f8725fd5aed7feb708

SHA256
16844b79a763c7af774adf05893204addf3bffaf95f400bda1cf18581cddb23b

SHA512
c80e5eb534390a7dce5efc150cdc917dcf2d57ca146dce5d32e4df71a96f3a13b1ca1bdf2f72ae4ccbed6d881602d9c710d907374785dea20680555485c4894f

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
8KB

MD5
262594ebdc0640e7b03d34e787673fd7

SHA1
27e0ec6ea0c698f467d6b96aa3315f1e3ff5dd4c

SHA256
4ce1d7948c7e4d50dcc0c207d92f899c41b132683eb327c94d05d9daafa6ee52

SHA512
18ac071869f1fa20522652dd17d5126f60de6a9cfb9c327ddd293e2cf5386855c667259f8872ebc8d4cf0ae7a0e8035f1b91ea7d1b377e9b18cc7f3061a65d96

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
8KB

MD5
2464b21318c71e0b8ec724c5f3642255

SHA1
0123526e4b9ec7e8b66602d8a143747095b07ab6

SHA256
40dac5f29b3e0d560000cc9b1b586a858408c74eb1c84330fc89ab2b30358040

SHA512
3ce4b7c43c84b070254e4cdeb7f3e51171001c40d18d271ba9f909c8fe613c5570b63ac5c24444543e562a9f98b692b24f844ab63125a2bd388fce82a34cd286

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
10KB

MD5
111372894b3971785f369afa0d4dcc59

SHA1
ac7a54699277babd04cb98ce5f978ebd21122b90

SHA256
8d53c5aac29ea8a024754bd0bfd4c64984c5057640d41272c3d215283a0035e7

SHA512
a4185912cf216d5fad763ff560daffc245a6c0a36e80e34d5abf2180b775bedf5572c877b155c20d40412d057e58c34ac46794a2f288dbf1ac96d797612db386

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
11KB

MD5
4a8e61263e4f680093a53616db70dc26

SHA1
ea5d2052ed555850d34d344f9fac80be6e85d236

SHA256
8eb0b2ec1c2e342e48dee1e82c34f1d0f9bc2025e65bae3fc5141a727d96de53

SHA512
26e5015f3d7916e27a9e0cbec656669af2f28c710f401643266e0f80e410551b39cf665c61bbcb5b8f042debfa57ba49b0e6dccf4bea4ae1c480b3b9970baba9

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1720-13-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1720-12-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2460-5-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2460-6-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download