7c9e308edff467528d167d0e4dfb7e17e61ba96ad413041b66c243869ef18721

Analysis

max time kernel
139s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-12-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpyNote v7.0‌‌/SpyNote v7.0‌‌.exe
Size

2.6MB
MD5

a8ebac97b36b859428d6eb96f1b39ab9
SHA1

bfa65f35f19d3cfdab70a9f7d2e2c017d60c5b44
SHA256

cb7d211955a21b258aef51606c6d7e8a73031a415e5beaf7dac761952abc1850
SHA512

513a7ec21e320e07b7c4448cea91e0191a44f7c057433ae4ff3fa0bf919bfe02c751c444465517fc793f010d48610323dc9dbe84b76845fb1268ac4a714457c2
SSDEEP

49152:APqEhMfuAA1c/0r+EqQT6ruzg34SqY7yPyOWp1lk+136PSb1dKKuT0A:0hMWT60r+FxVqY2PynC1rT0A

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
8984	powershell.exe
3148	powershell.exe
6952	powershell.exe
5456	powershell.exe
9016	powershell.exe

.NET Reactor proctector 39 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral23/memory/1076-54-0x0000000005500000-0x000000000557E000-memory.dmp	net_reactor
behavioral23/memory/1144-55-0x0000000005500000-0x0000000005588000-memory.dmp	net_reactor
behavioral23/memory/3624-56-0x00000000057B0000-0x0000000005BAA000-memory.dmp	net_reactor
behavioral23/memory/1144-58-0x0000000005B40000-0x0000000005BC6000-memory.dmp	net_reactor
behavioral23/memory/1076-59-0x0000000005B40000-0x0000000005BBC000-memory.dmp	net_reactor
behavioral23/memory/3624-60-0x00000000052A0000-0x0000000005698000-memory.dmp	net_reactor
behavioral23/memory/3624-101-0x00000000052A0000-0x0000000005693000-memory.dmp	net_reactor
behavioral23/memory/1076-125-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-122-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-120-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-118-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-116-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-114-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-111-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-109-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-107-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-105-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-103-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-100-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/3624-92-0x00000000052A0000-0x0000000005693000-memory.dmp	net_reactor
behavioral23/memory/1076-96-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-94-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-91-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-90-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-87-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-85-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-83-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-81-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-79-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-77-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-75-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-73-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-71-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-69-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-65-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-64-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-98-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-67-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor
behavioral23/memory/1076-62-0x0000000005B40000-0x0000000005BB7000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation	SpyNote v7.0‌‌.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.exe.lnk	RuntimeBroker.exe

Executes dropped EXE 4 IoCs

pid	Process
3624	SpyNote v7.0.exe
1144	svchost.exe
1076	RuntimeBroker.exe
7648	RuntimeBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9100	3624	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpyNote v7.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4524	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5812	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
7648	RuntimeBroker.exe
1144	svchost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
8984	powershell.exe
8984	powershell.exe
3148	powershell.exe
3148	powershell.exe
8984	powershell.exe
3148	powershell.exe
6952	powershell.exe
6952	powershell.exe
5456	powershell.exe
5456	powershell.exe
9016	powershell.exe
9016	powershell.exe
1144	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	SpyNote v7.0.exe
Token: SeDebugPrivilege	1076	RuntimeBroker.exe
Token: SeDebugPrivilege	1144	svchost.exe
Token: SeDebugPrivilege	7648	RuntimeBroker.exe
Token: SeDebugPrivilege	8984	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeIncreaseQuotaPrivilege	8984	powershell.exe
Token: SeSecurityPrivilege	8984	powershell.exe
Token: SeTakeOwnershipPrivilege	8984	powershell.exe
Token: SeLoadDriverPrivilege	8984	powershell.exe
Token: SeSystemProfilePrivilege	8984	powershell.exe
Token: SeSystemtimePrivilege	8984	powershell.exe
Token: SeProfSingleProcessPrivilege	8984	powershell.exe
Token: SeIncBasePriorityPrivilege	8984	powershell.exe
Token: SeCreatePagefilePrivilege	8984	powershell.exe
Token: SeBackupPrivilege	8984	powershell.exe
Token: SeRestorePrivilege	8984	powershell.exe
Token: SeShutdownPrivilege	8984	powershell.exe
Token: SeDebugPrivilege	8984	powershell.exe
Token: SeSystemEnvironmentPrivilege	8984	powershell.exe
Token: SeRemoteShutdownPrivilege	8984	powershell.exe
Token: SeUndockPrivilege	8984	powershell.exe
Token: SeManageVolumePrivilege	8984	powershell.exe
Token: 33	8984	powershell.exe
Token: 34	8984	powershell.exe
Token: 35	8984	powershell.exe
Token: 36	8984	powershell.exe
Token: SeIncreaseQuotaPrivilege	3148	powershell.exe
Token: SeSecurityPrivilege	3148	powershell.exe
Token: SeTakeOwnershipPrivilege	3148	powershell.exe
Token: SeLoadDriverPrivilege	3148	powershell.exe
Token: SeSystemProfilePrivilege	3148	powershell.exe
Token: SeSystemtimePrivilege	3148	powershell.exe
Token: SeProfSingleProcessPrivilege	3148	powershell.exe
Token: SeIncBasePriorityPrivilege	3148	powershell.exe
Token: SeCreatePagefilePrivilege	3148	powershell.exe
Token: SeBackupPrivilege	3148	powershell.exe
Token: SeRestorePrivilege	3148	powershell.exe
Token: SeShutdownPrivilege	3148	powershell.exe
Token: SeDebugPrivilege	3148	powershell.exe
Token: SeSystemEnvironmentPrivilege	3148	powershell.exe
Token: SeRemoteShutdownPrivilege	3148	powershell.exe
Token: SeUndockPrivilege	3148	powershell.exe
Token: SeManageVolumePrivilege	3148	powershell.exe
Token: 33	3148	powershell.exe
Token: 34	3148	powershell.exe
Token: 35	3148	powershell.exe
Token: 36	3148	powershell.exe
Token: SeDebugPrivilege	6952	powershell.exe
Token: SeIncreaseQuotaPrivilege	6952	powershell.exe
Token: SeSecurityPrivilege	6952	powershell.exe
Token: SeTakeOwnershipPrivilege	6952	powershell.exe
Token: SeLoadDriverPrivilege	6952	powershell.exe
Token: SeSystemProfilePrivilege	6952	powershell.exe
Token: SeSystemtimePrivilege	6952	powershell.exe
Token: SeProfSingleProcessPrivilege	6952	powershell.exe
Token: SeIncBasePriorityPrivilege	6952	powershell.exe
Token: SeCreatePagefilePrivilege	6952	powershell.exe
Token: SeBackupPrivilege	6952	powershell.exe
Token: SeRestorePrivilege	6952	powershell.exe
Token: SeShutdownPrivilege	6952	powershell.exe
Token: SeDebugPrivilege	6952	powershell.exe
Token: SeSystemEnvironmentPrivilege	6952	powershell.exe
Token: SeRemoteShutdownPrivilege	6952	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1144	svchost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3624	2876	SpyNote v7.0‌‌.exe	81
PID 2876 wrote to memory of 3624	2876	SpyNote v7.0‌‌.exe	81
PID 2876 wrote to memory of 3624	2876	SpyNote v7.0‌‌.exe	81
PID 2876 wrote to memory of 1144	2876	SpyNote v7.0‌‌.exe	82
PID 2876 wrote to memory of 1144	2876	SpyNote v7.0‌‌.exe	82
PID 2876 wrote to memory of 1144	2876	SpyNote v7.0‌‌.exe	82
PID 2876 wrote to memory of 1076	2876	SpyNote v7.0‌‌.exe	83
PID 2876 wrote to memory of 1076	2876	SpyNote v7.0‌‌.exe	83
PID 2876 wrote to memory of 1076	2876	SpyNote v7.0‌‌.exe	83
PID 1076 wrote to memory of 8984	1076	RuntimeBroker.exe	87
PID 1076 wrote to memory of 8984	1076	RuntimeBroker.exe	87
PID 1076 wrote to memory of 8984	1076	RuntimeBroker.exe	87
PID 1076 wrote to memory of 5812	1076	RuntimeBroker.exe	89
PID 1076 wrote to memory of 5812	1076	RuntimeBroker.exe	89
PID 1076 wrote to memory of 5812	1076	RuntimeBroker.exe	89
PID 1144 wrote to memory of 3148	1144	svchost.exe	92
PID 1144 wrote to memory of 3148	1144	svchost.exe	92
PID 1144 wrote to memory of 3148	1144	svchost.exe	92
PID 1076 wrote to memory of 7648	1076	RuntimeBroker.exe	93
PID 1076 wrote to memory of 7648	1076	RuntimeBroker.exe	93
PID 1076 wrote to memory of 7648	1076	RuntimeBroker.exe	93
PID 1076 wrote to memory of 7600	1076	RuntimeBroker.exe	94
PID 1076 wrote to memory of 7600	1076	RuntimeBroker.exe	94
PID 1076 wrote to memory of 7600	1076	RuntimeBroker.exe	94
PID 7600 wrote to memory of 4524	7600	cmd.exe	100
PID 7600 wrote to memory of 4524	7600	cmd.exe	100
PID 7600 wrote to memory of 4524	7600	cmd.exe	100
PID 1144 wrote to memory of 6952	1144	svchost.exe	103
PID 1144 wrote to memory of 6952	1144	svchost.exe	103
PID 1144 wrote to memory of 6952	1144	svchost.exe	103
PID 1144 wrote to memory of 5456	1144	svchost.exe	105
PID 1144 wrote to memory of 5456	1144	svchost.exe	105
PID 1144 wrote to memory of 5456	1144	svchost.exe	105
PID 1144 wrote to memory of 9016	1144	svchost.exe	107
PID 1144 wrote to memory of 9016	1144	svchost.exe	107
PID 1144 wrote to memory of 9016	1144	svchost.exe	107

C:\Users\Admin\AppData\Local\Temp\SpyNote v7.0‌‌\SpyNote v7.0‌‌.exe
"C:\Users\Admin\AppData\Local\Temp\SpyNote v7.0‌‌\SpyNote v7.0‌‌.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\SpyNote v7.0‌‌\SpyNote v7.0.exe
  "C:\Users\Admin\AppData\Local\Temp\SpyNote v7.0‌‌\SpyNote v7.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 3028
    3⤵
    - Program crash
    PID:9100
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:9016
- C:\ProgramData\RuntimeBroker.exe
  "C:\ProgramData\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:8984
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /tn RuntimeBroker.exe /tr "C:\ProgramData\Windows\RuntimeBroker.exe" /st 13:48 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5812
- - C:\ProgramData\Windows\RuntimeBroker.exe
    "C:\ProgramData\Windows\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:7648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp25C.tmp.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:7600
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 6
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3624 -ip 3624
1⤵
PID:7416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RuntimeBroker.exe

Filesize
363KB

MD5
4176d661566bec63a8375faa54729c0c

SHA1
6951cdaf28d99acc2627f4c9030ab67c30b610fe

SHA256
06ca6410380234120df1e71863648235f5ba0acde658deebc89ac6d9fcbc8791

SHA512
a1d42c6c6d1313d02414793aacc525cf984aad93069c85367955589ed3015740e32fb7721c7c32333692a5f653ee46d2e9aa4756e8f074444079d3d5bad403d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
410B

MD5
e5f7f742c8556fb04438af7cc96ac384

SHA1
aacf3dc921970079e9e2dee47123474b5a486242

SHA256
532f056ecc417d837c28f58d14c5b44c9edb39087b7f42e6b63938cc9d0ca149

SHA512
192e1088220007d3b4ad2a42ed3ff64f87b0714c8d9203567545287fa845a98da05b9015cd3f8a34430e910f72d61d7681f36beb3719792e3c5bc94e9fe68990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f811272c20ff6decbbd16ff364334427

SHA1
cb31be66c972daa61d45920fa2fa824c1dfb194d

SHA256
730aff8c9e430a9f9e5e44f1c376e57f42fa5adc744824df2f69855009473592

SHA512
5c68bf3a41c3607cad5abe94f2bb3816f3e69426fa7d43bf7c9787c4e9ce6660b1843a2e505a22a93d7008b76fc564078513fe9ef47051e5b6fc344ab9d0a528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
e26b0a00135a1d45cd62988f2500aa39

SHA1
6a5eb922d2e3f49b5e605605d8db312892a06471

SHA256
9f83f6c08f6e1924e7c871a693c3e387620b8352f800e6edd40be43a4c4ba5b8

SHA512
b75cbfe11ed6852894d4d8c09ebe03cf8ed999e87e2566e414861e208672497f9703b663c72c3e2a2010ac2fc6addafb592c561ef2415f5bd2c0f4404a079ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
5dbf59db3104c8a1fc13722cb938a4e7

SHA1
8f565dfdf6a732b475b548957906b27dbdfec350

SHA256
b947a57163817954cb151fb57efafc5dd8b2af99de2df9c6d791e290be83b37a

SHA512
ac67189dd9f459de9900072c4a85a87b6056edce04c9be1221c8a1857125246707bacfc5b997aa248e5b0219b722c057a0014abebdbec6b22769b6f8095a52f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
d932ffb757041876b137f257f51921b6

SHA1
2d34053793b3850a50be5f78c8721c4c98207fda

SHA256
a2fc490e5ecf8bf4a5b7e2029aad49dbc81ab7db7774921d2143f6846527bdad

SHA512
3dabc0ea063669101d7417bf64c990ad8017bbbe36773434cb8b842c651a69e1ab7cf84bdd332d4f82f66eb65e5392782fa3b07b74e712905b6f6e9f56f62add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
f3d0bfb58e52702e1896ba49010a0ebd

SHA1
026311d17a825f6ff498f5c75e7448426f39fbbe

SHA256
e1080e083f5f91b2f4568d1eb65ebf2083f7e313246c4ddf8a0706eb0691ae9d

SHA512
42fe7d7a3f747cdaf1d22e045ab5d1089b3373c1963ec182f724377c92742beafb8952a2fb9728acdae0bb0b51516c43ca0b9652356aec74a049cfcec356ecf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpyNote v7.0‌‌\SpyNote v7.0.exe

Filesize
2.0MB

MD5
afe92735dc4dc4563b17e78cc741cabc

SHA1
0d73cc4d07b6d576d77203b8b54a975cd3255e56

SHA256
53c22781dcbe31847b99acd7ef24088ab5793246b8c55b23585c1069b387c83c

SHA512
7ca7037167cc00a0f0b2eed7afbd34805350a632e0ffead3c785149ccbceaf0f3e436b7aee2df61f8f98b8180e0f8e946cd9686f044504489abb128709ed839e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1frfeki.2bd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp25C.tmp.cmd

Filesize
145B

MD5
0b4c70e7aa0a841771cd8c401a3aad64

SHA1
b809ece3ab5c2ee6b240e87fca169a977a009edd

SHA256
1356a5d6f6f4db1102b03d1a2da6fe9e417057663c6cabae0d441c5e2d8bdc5c

SHA512
c65fea0a5d6bb4bc0a03e48646ce2e351f71e0f5ade4253088fb0b5f4e56e833dd92b33c4b70d9297ee4e1736e53f358ab405f35155136ed710bc507d2bb476f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
351KB

MD5
c8a63c858009f4611474c71b40dd4ded

SHA1
29fb9205a79790102ca28ac31c88e51008a852cd

SHA256
9fc20a59382e6eb19e83d0febc845b017ada8968d329a6698a1db09fb844871f

SHA512
52d92a18b1898d6f22f7e9eb334c369294683cb2a54a80c0791cd2457f5e9af3cdd225d01fd8a80883586680543eabc8589a8962e0a0b6c0e73bbcd68b0482c6

Download Submit
memory/1076-73-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-67-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-54-0x0000000005500000-0x000000000557E000-memory.dmp

Filesize
504KB

Download
memory/1076-3941-0x0000000005C50000-0x0000000005CE2000-memory.dmp

Filesize
584KB

Download
memory/1076-62-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-125-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-122-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-120-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-118-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-116-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-114-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-111-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-109-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-107-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-105-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-103-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-100-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-59-0x0000000005B40000-0x0000000005BBC000-memory.dmp

Filesize
496KB

Download
memory/1076-96-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-94-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-91-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-90-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-87-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-85-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-83-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-81-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-79-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-77-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-75-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-98-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-71-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-69-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-65-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1076-64-0x0000000005B40000-0x0000000005BB7000-memory.dmp

Filesize
476KB

Download
memory/1144-58-0x0000000005B40000-0x0000000005BC6000-memory.dmp

Filesize
536KB

Download
memory/1144-57-0x0000000005590000-0x0000000005B36000-memory.dmp

Filesize
5.6MB

Download
memory/1144-55-0x0000000005500000-0x0000000005588000-memory.dmp

Filesize
544KB

Download
memory/2876-4-0x00007FFB68110000-0x00007FFB68BD2000-memory.dmp

Filesize
10.8MB

Download
memory/2876-1-0x0000000000D00000-0x0000000000FA4000-memory.dmp

Filesize
2.6MB

Download
memory/2876-0-0x00007FFB68113000-0x00007FFB68115000-memory.dmp

Filesize
8KB

Download
memory/2876-53-0x00007FFB68110000-0x00007FFB68BD2000-memory.dmp

Filesize
10.8MB

Download
memory/3148-11348-0x000000006FDB0000-0x000000006FDFC000-memory.dmp

Filesize
304KB

Download
memory/3624-60-0x00000000052A0000-0x0000000005698000-memory.dmp

Filesize
4.0MB

Download
memory/3624-56-0x00000000057B0000-0x0000000005BAA000-memory.dmp

Filesize
4.0MB

Download
memory/3624-14693-0x000000000AC70000-0x000000000AD18000-memory.dmp

Filesize
672KB

Download
memory/3624-61-0x0000000006190000-0x000000000622C000-memory.dmp

Filesize
624KB

Download
memory/3624-101-0x00000000052A0000-0x0000000005693000-memory.dmp

Filesize
3.9MB

Download
memory/3624-14647-0x0000000006680000-0x00000000066D6000-memory.dmp

Filesize
344KB

Download
memory/3624-92-0x00000000052A0000-0x0000000005693000-memory.dmp

Filesize
3.9MB

Download
memory/5456-14676-0x0000000006160000-0x00000000061AC000-memory.dmp

Filesize
304KB

Download
memory/5456-14674-0x00000000056B0000-0x0000000005A07000-memory.dmp

Filesize
3.3MB

Download
memory/6952-14662-0x0000000006360000-0x00000000063AC000-memory.dmp

Filesize
304KB

Download
memory/6952-14651-0x0000000005980000-0x0000000005CD7000-memory.dmp

Filesize
3.3MB

Download
memory/7648-7788-0x0000000006DC0000-0x0000000006DCA000-memory.dmp

Filesize
40KB

Download
memory/8984-7168-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/8984-10783-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

Filesize
104KB

Download
memory/8984-11186-0x0000000005EC0000-0x0000000005ECA000-memory.dmp

Filesize
40KB

Download
memory/8984-10606-0x00000000075E0000-0x0000000007C5A000-memory.dmp

Filesize
6.5MB

Download
memory/8984-11347-0x0000000007230000-0x00000000072C6000-memory.dmp

Filesize
600KB

Download
memory/8984-10331-0x0000000006E30000-0x0000000006E4E000-memory.dmp

Filesize
120KB

Download
memory/8984-10244-0x0000000006E50000-0x0000000006E82000-memory.dmp

Filesize
200KB

Download
memory/8984-10245-0x000000006FDB0000-0x000000006FDFC000-memory.dmp

Filesize
304KB

Download
memory/8984-10332-0x0000000006E90000-0x0000000006F33000-memory.dmp

Filesize
652KB

Download
memory/8984-8536-0x00000000061D0000-0x000000000621C000-memory.dmp

Filesize
304KB

Download
memory/8984-8533-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

Filesize
120KB

Download
memory/8984-7282-0x0000000005870000-0x0000000005BC7000-memory.dmp

Filesize
3.3MB

Download
memory/8984-7167-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/8984-7169-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/8984-4836-0x0000000004D10000-0x00000000053DA000-memory.dmp

Filesize
6.8MB

Download
memory/8984-4776-0x0000000004600000-0x0000000004636000-memory.dmp

Filesize
216KB

Download