7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5

Analysis

max time kernel
150s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-11-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Activation.exe
Size

703KB
MD5

8c1d40db6464fd098716a317486db961
SHA1

4b4d82e0a91f11e1348488b9e9edd43697d9db67
SHA256

7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5
SHA512

16c868e227c4928dfcc116ba6e9d93c22418936cad625cd48645abb96229d31ee1329105097d2e7f36f6382e214dfd54e1eb92842bcc45edd978f64da6c4c6dd
SSDEEP

6144:5UPAUV624Zk+nC+f8Z7DgMvVXYNlV8F/2/6utZeiXhOy8oMmkCOutH5BysohXWwm:5mV620nN8ZoAutZeiXhOBuOaBToo4ZY

Score

8^/10

discovery execution exploit

Malware Config

Signatures

Possible privilege escalation attempt 3 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exe

pid	Process
868	takeown.exe
3500	icacls.exe
5224	icacls.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exetakeown.exeicacls.exe

pid	Process
5224	icacls.exe
868	takeown.exe
3500	icacls.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
408	powershell.exe
4988	powershell.exe
1412	powershell.exe
228	powershell.exe
2796	powershell.exe
1464	powershell.exe

Drops file in Windows directory 3 IoCs

Processes:

Activation.exe

description	ioc	Process
File created	C:\Windows\IME\activator.bat	Activation.exe
File created	C:\Windows\IME\permissions.bat	Activation.exe
File created	C:\Windows\IME\reset.bat	Activation.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
224	timeout.exe

Modifies registry class 4 IoCs

Processes:

BackgroundTransferHost.execmd.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	cmd.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1412	powershell.exe
1412	powershell.exe
228	powershell.exe
228	powershell.exe
2796	powershell.exe
2796	powershell.exe
1464	powershell.exe
1464	powershell.exe
408	powershell.exe
408	powershell.exe
4988	powershell.exe
4988	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

takeown.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	868	takeown.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeBackupPrivilege	408	powershell.exe
Token: SeBackupPrivilege	408	powershell.exe
Token: SeRestorePrivilege	408	powershell.exe
Token: SeSecurityPrivilege	408	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeBackupPrivilege	4988	powershell.exe
Token: SeBackupPrivilege	4988	powershell.exe
Token: SeRestorePrivilege	4988	powershell.exe
Token: SeSecurityPrivilege	4988	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Activation.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 5944 wrote to memory of 1040	5944	Activation.exe	80
PID 5944 wrote to memory of 1040	5944	Activation.exe	80
PID 5944 wrote to memory of 5816	5944	Activation.exe	81
PID 5944 wrote to memory of 5816	5944	Activation.exe	81
PID 5944 wrote to memory of 6108	5944	Activation.exe	82
PID 5944 wrote to memory of 6108	5944	Activation.exe	82
PID 5944 wrote to memory of 3564	5944	Activation.exe	83
PID 5944 wrote to memory of 3564	5944	Activation.exe	83
PID 5944 wrote to memory of 4912	5944	Activation.exe	84
PID 5944 wrote to memory of 4912	5944	Activation.exe	84
PID 5944 wrote to memory of 4952	5944	Activation.exe	85
PID 5944 wrote to memory of 4952	5944	Activation.exe	85
PID 5944 wrote to memory of 2496	5944	Activation.exe	86
PID 5944 wrote to memory of 2496	5944	Activation.exe	86
PID 5944 wrote to memory of 4584	5944	Activation.exe	87
PID 5944 wrote to memory of 4584	5944	Activation.exe	87
PID 5944 wrote to memory of 5052	5944	Activation.exe	88
PID 5944 wrote to memory of 5052	5944	Activation.exe	88
PID 5944 wrote to memory of 236	5944	Activation.exe	89
PID 5944 wrote to memory of 236	5944	Activation.exe	89
PID 5944 wrote to memory of 232	5944	Activation.exe	90
PID 5944 wrote to memory of 232	5944	Activation.exe	90
PID 5944 wrote to memory of 3444	5944	Activation.exe	91
PID 5944 wrote to memory of 3444	5944	Activation.exe	91
PID 5944 wrote to memory of 3364	5944	Activation.exe	93
PID 5944 wrote to memory of 3364	5944	Activation.exe	93
PID 5944 wrote to memory of 5524	5944	Activation.exe	94
PID 5944 wrote to memory of 5524	5944	Activation.exe	94
PID 5944 wrote to memory of 1744	5944	Activation.exe	95
PID 5944 wrote to memory of 1744	5944	Activation.exe	95
PID 5944 wrote to memory of 1124	5944	Activation.exe	96
PID 5944 wrote to memory of 1124	5944	Activation.exe	96
PID 1124 wrote to memory of 868	1124	cmd.exe	97
PID 1124 wrote to memory of 868	1124	cmd.exe	97
PID 1124 wrote to memory of 3500	1124	cmd.exe	98
PID 1124 wrote to memory of 3500	1124	cmd.exe	98
PID 1124 wrote to memory of 5224	1124	cmd.exe	99
PID 1124 wrote to memory of 5224	1124	cmd.exe	99
PID 5944 wrote to memory of 2204	5944	Activation.exe	100
PID 5944 wrote to memory of 2204	5944	Activation.exe	100
PID 5944 wrote to memory of 1552	5944	Activation.exe	101
PID 5944 wrote to memory of 1552	5944	Activation.exe	101
PID 5944 wrote to memory of 1140	5944	Activation.exe	102
PID 5944 wrote to memory of 1140	5944	Activation.exe	102
PID 1140 wrote to memory of 1412	1140	cmd.exe	103
PID 1140 wrote to memory of 1412	1140	cmd.exe	103
PID 5944 wrote to memory of 2892	5944	Activation.exe	104
PID 5944 wrote to memory of 2892	5944	Activation.exe	104
PID 2892 wrote to memory of 228	2892	cmd.exe	105
PID 2892 wrote to memory of 228	2892	cmd.exe	105
PID 5944 wrote to memory of 2828	5944	Activation.exe	106
PID 5944 wrote to memory of 2828	5944	Activation.exe	106
PID 2828 wrote to memory of 2796	2828	cmd.exe	107
PID 2828 wrote to memory of 2796	2828	cmd.exe	107
PID 5944 wrote to memory of 2992	5944	Activation.exe	108
PID 5944 wrote to memory of 2992	5944	Activation.exe	108
PID 2992 wrote to memory of 1464	2992	cmd.exe	109
PID 2992 wrote to memory of 1464	2992	cmd.exe	109
PID 5944 wrote to memory of 568	5944	Activation.exe	110
PID 5944 wrote to memory of 568	5944	Activation.exe	110
PID 568 wrote to memory of 408	568	cmd.exe	111
PID 568 wrote to memory of 408	568	cmd.exe	111
PID 5944 wrote to memory of 3980	5944	Activation.exe	112
PID 5944 wrote to memory of 3980	5944	Activation.exe	112

C:\Users\Admin\AppData\Local\Temp\Activation.exe
"C:\Users\Admin\AppData\Local\Temp\Activation.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c title Windows Activation Fix
  2⤵
  PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 0b
  2⤵
  PID:5816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:6108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
  2⤵
  PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:4912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:2496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
  2⤵
  PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:5052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:3444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Starting...
  2⤵
  PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\system32\takeown.exe
    takeown /F C:\Windows\System32\sppsvc.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3500
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\spp /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Applying permissions...
  2⤵
  PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl
  2⤵
  PID:3980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:6044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat
  2⤵
  PID:6052
- - C:\Windows\system32\net.exe
    net stop sppsvc
    3⤵
    PID:4840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc
      4⤵
      PID:2464
- - C:\Windows\system32\net.exe
    net start sppsvc
    3⤵
    PID:4824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start sppsvc
      4⤵
      PID:1020
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Windows\System32\slmgr.vbs /rilc
    3⤵
    PID:3928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\activator.bat
  2⤵
  - Modifies registry class
  PID:2336
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" //B /ipk TX9XD-98N7V-6WMQ6-BX7FG-H8Q99
    3⤵
    PID:3444
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" //B /skms kms8.msguides.com
    3⤵
    PID:1044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" //B /ato
    3⤵
    PID:5976
- - C:\Windows\system32\timeout.exe
    timeout /T 3 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:224

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e0582e586720ebf3e8fd1ce37baae7e6

SHA1
114bffde3349af96079a119a3f6627338d65194e

SHA256
5a21a0a8306223f05809ab9827014ac3535466360db22768da796c6c3537bee5

SHA512
5555436273be3ddc20bdb74fbf433efbff97e972ed9c10647bf399b60d8370e06a583b30bc6376d26cea717a3d0ac00056595f56fe55eb44274420e0f59072c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59716ac642b5ce22f107c1b13810c8ae

SHA1
b17517c1d098492b112de45d00aba08cbedd1c9e

SHA256
4b7bc9fbbeebb34566b10a5dad97cf8a3897231430f8b0977017151a90c563f4

SHA512
47704023b3343b83c12ba9bf382db8b6d0741e61a2967e8bccd469ce463801ecd480db1717ba9181b6eec8a657ee657394bbc49455e27ca88fa79c789b4762a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2318123423f98b82acbcb9411261b70f

SHA1
f4cc8d33b5d66bd791c7941747392dacc7c99edd

SHA256
24cc8a6746a402f18aa6aa7e6dfc4a5c9b65d941941a84b45b4bf070aff742b6

SHA512
1c17aa1e9cad71b54592dd32c3c2d24d3e92bebd90f2317141331b0531f340d2867985ca1ac4c90cab9eed7c6e18e965efce2afbfab3dc5a7f0edacbc3aa29e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
99c4872b2c20d9fb1a9c48d742eeefbe

SHA1
7a97d5126fa5c150f51e4388a8435512e5f84183

SHA256
5ee4e106f562ab484da1c78185568b198459fe55dfcaa07024ae17f0b1d78eeb

SHA512
47e60701d8e41411e74c0edbad4742c5c3cc9970e5e7ea0ac6ca4a992e487d1506342ce970b338d32b16b3d7456d3ec4117dcf012494fcce9533065d89481d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b85fae6ad5a40652bbc29aca87cbc129

SHA1
f850636d3b27247e98f8972c6f78e95186fb1865

SHA256
f3f1fcc14e301d58fb2595801901d5f27082112b286b9515c7986d6aeb5d0907

SHA512
78f657fd402f6adde347926c39f3e2eced00914fc70b2b642dc377d2718d8fd77de02807fde280b5a3b5738421b2a6d4d1f083fddbf9249dd34503db29dfbb57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2c23993520297f4626914e0e194ba83c

SHA1
212833d06bfdb7bd5947a1a56f79ac507fe86437

SHA256
1cc1042011d5edb1150a0be73b72733b36fd03c93f7f849c9a989c3dfc8fa641

SHA512
dad6289e2fda888e0b3329de9e76e07a53f5c285d4bb68a08d7b8e26cbb71c2292a3b517e39c659ae3b1775a0d0e3824d9dcd8393dc1efaa3269ee6e9aa86795

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dxp2jmuv.yld.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\IME\activator.bat

Filesize
3KB

MD5
365b88395524dec0af52387ed73317ce

SHA1
66a6e96fb198e8749c9086e35b2b2f85aa21c63c

SHA256
99ada36422b17257eba9d9cc5d123907589f638aa9564bc8fb000261cc9c1c10

SHA512
46efce6af2a90ace25842fd0d85212463c3b6ba2a6f8e089ee29381d960a745a278b86b49bf3330d686b140e3fc66c9cc8ac70df7f05d8e0ecac694dc542cff5

Download Submit
C:\Windows\IME\permissions.bat

Filesize
162B

MD5
4be7ca8b30ea192628228857b5005655

SHA1
588a60df54f8ff2924b2fd569dfc39ce5ae17cfd

SHA256
5e56203e437e3a219fcc9f295c8bcf31961585de816212ce0a6a306a465bc853

SHA512
169b735f5b72ff12910451cf9fbab231b0d9e8b9481f9e01824e5c85075caf17283bb4a54353a9c5958c5ff7eebc6dc932630c1e824be5ebe416bc608306c7b4

Download Submit
C:\Windows\IME\reset.bat

Filesize
325B

MD5
939378e1c9e25f424c618a379e61fc48

SHA1
45822124d56b6e6efcfbaab246feff695b7098d4

SHA256
fd805584b817ad0b320c85653a5bd7342650359feae60e5a3e722d5571542146

SHA512
3833f14692f5cdfea285654f91ac814a89bf189a4db99b0fc1e817905d9929f6f4b184db5a51269f9b82170a14af2c5e0510150201cea03177cab04fb26494fb

Download Submit
memory/1412-4-0x0000028E9D140000-0x0000028E9D162000-memory.dmp

Filesize
136KB

Download