Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

192f0f1221...a0.exe

windows7-x64

10

192f0f1221...a0.exe

windows10-2004-x64

10

193e069cb0...e1.exe

windows7-x64

10

193e069cb0...e1.exe

windows10-2004-x64

10

196a171e0e...b9.exe

windows7-x64

10

196a171e0e...b9.exe

windows10-2004-x64

10

197a511efa...32.exe

windows7-x64

8

197a511efa...32.exe

windows10-2004-x64

8

19ec0ef7b7...c4.exe

windows7-x64

10

19ec0ef7b7...c4.exe

windows10-2004-x64

10

1a4ae15ef3...a3.exe

windows7-x64

10

1a4ae15ef3...a3.exe

windows10-2004-x64

10

1a76abc85d...f9.exe

windows7-x64

6

1a76abc85d...f9.exe

windows10-2004-x64

6

1a9cd1714a...bf.exe

windows7-x64

10

1a9cd1714a...bf.exe

windows10-2004-x64

10

1b06c73e9c...af.exe

windows7-x64

10

1b06c73e9c...af.exe

windows10-2004-x64

10

1b0acebe24...06.exe

windows7-x64

10

1b0acebe24...06.exe

windows10-2004-x64

10

1b64ed84e0...ca.exe

windows7-x64

10

1b64ed84e0...ca.exe

windows10-2004-x64

10

1b7c2cbdf7...fc.exe

windows7-x64

10

1b7c2cbdf7...fc.exe

windows10-2004-x64

10

1bb302f6b2...b3.exe

windows7-x64

10

1bb302f6b2...b3.exe

windows10-2004-x64

10

1bbf7d818b...fd.exe

windows7-x64

10

1bbf7d818b...fd.exe

windows10-2004-x64

10

1be2b92cea...ae.exe

windows7-x64

10

1be2b92cea...ae.exe

windows10-2004-x64

10

1c2345047a...a0.exe

windows7-x64

10

1c2345047a...a0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    192f0f1221e376146e725a4d23ee69a0.exe

  • Size

    1.9MB

  • MD5

    192f0f1221e376146e725a4d23ee69a0

  • SHA1

    9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff

  • SHA256

    019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d

  • SHA512

    daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54

  • SSDEEP

    24576:kz4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:kOMX0/08SVYTcxMXPxthD

Score
10/10
defense_evasionexecutiontrojan

Malware Config

Signatures

  • Process spawned unexpected child process 12 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 30 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 10 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Checks whether UAC is enabled 1 TTPs 20 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 30 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe
    "C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2832
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\192f0f1221e376146e725a4d23ee69a0.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\sysmon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3996
    • C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
      "C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4424
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b6ae157-8b64-43cb-ac10-a948f173177f.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
          "C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5016
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb7bcdea-7451-4191-97bb-7b63583916a8.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4908
            • C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
              "C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1996
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75d8afdd-eb20-4e77-b784-b85e7f9732e7.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:648
                • C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
                  "C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
                  8⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1688
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adae97e0-5685-40c2-a067-5084cdafa210.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5112
                    • C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
                      "C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
                      10⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:4796
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0b4b5c5-dbff-4607-8e87-0383aaa9a4e4.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4412
                        • C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
                          "C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
                          12⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:4844
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6700d9fb-c70e-4df5-802b-0a60dde3a10d.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3720
                            • C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
                              "C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
                              14⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:2644
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2aa43f5-8e59-4c2f-a2c1-f6e1860f8773.vbs"
                                15⤵
                                • Suspicious use of WriteProcessMemory
                                PID:6044
                                • C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
                                  "C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
                                  16⤵
                                  • UAC bypass
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:3964
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58d4f751-9ef0-4884-911e-d5bcc125af2c.vbs"
                                    17⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:2532
                                    • C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
                                      "C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe"
                                      18⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      • System policy modification
                                      PID:4112
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1789c539-d417-4967-a27b-2073ad42ae17.vbs"
                                        19⤵
                                          PID:5044
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59b708f5-8b3b-4a9d-812e-f8fab493c2ab.vbs"
                                          19⤵
                                            PID:2964
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30476efc-f3f6-4980-8ce8-6a01e7edc179.vbs"
                                        17⤵
                                          PID:4196
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02ae8190-d26a-46e1-b614-1d5a1cceb15e.vbs"
                                      15⤵
                                        PID:3900
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2010a383-8cfa-4199-ac9e-39e244c1c1de.vbs"
                                    13⤵
                                      PID:3548
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbbca99c-bd07-4012-ab91-e0547f958ba5.vbs"
                                  11⤵
                                    PID:5292
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6791963a-f45c-4765-beb6-e7982de27768.vbs"
                                9⤵
                                  PID:3276
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11a04fb8-89e2-47d7-8e08-bbf933b6c666.vbs"
                              7⤵
                                PID:1544
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a76d9b01-68ad-4456-a1a4-00c1be7279e6.vbs"
                            5⤵
                              PID:4700
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\986d70b7-8c75-4058-9f1f-4cf43ce0a349.vbs"
                          3⤵
                            PID:5740
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2828
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5752
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\fontdrvhost.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1572
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4548
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4972
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4508
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\sysmon.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3148
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\Documents\sysmon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5004
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\sysmon.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:5040
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4136
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4888
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
                        1⤵
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4988

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Program Files (x86)\Windows Photo Viewer\de-DE\RuntimeBroker.exe
                        Filesize

                        1.9MB

                        MD5

                        b7894080a21eb5a3bce7689afbb0522f

                        SHA1

                        e4b1e9b8c5457b36927b850a1efd2a13c47357de

                        SHA256

                        a639a90c71371f8ea6c9caf3a8f8ac932bd5e94ebbd8a94ba80bb7646862130b

                        SHA512

                        dbd9c611da30593733a8cf7a030c0a56a53b1050811cdfd22d0a2d5754b9212a3a09994e12617e9918b7e08784dbc4105bdacf67cec7ef7d96f3b4f56db79f3e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
                        Filesize

                        1KB

                        MD5

                        364147c1feef3565925ea5b4ac701a01

                        SHA1

                        9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

                        SHA256

                        38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

                        SHA512

                        bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                        Filesize

                        2KB

                        MD5

                        d85ba6ff808d9e5444a4b369f5bc2730

                        SHA1

                        31aa9d96590fff6981b315e0b391b575e4c0804a

                        SHA256

                        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                        SHA512

                        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        084d49c16a0db5a169356315e8e97d83

                        SHA1

                        af662c8666ef7c52c9711c0f143e0b8620f27d19

                        SHA256

                        a374d799d8b4b9c2cac922c093a90cbaf6d0bda3155faf176c6f95b46b8f35d2

                        SHA512

                        c14524f55f0e58bb64a99298b82d995136a0057c2a7e4e972b9c90477871ae416063318ba8b7f43a4fc66ca8b21eca26505645c4d195fe3ab9419c8d35a459fb

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        842369b08704bbddf9de4d90016e58dd

                        SHA1

                        8bc3da656c08abbc14c58201e65b0dc823964bea

                        SHA256

                        cbf20404c609c0792de4320ac3fa1806269cf5d97420565e3f43d409a11a2808

                        SHA512

                        8f6cc3419f04b1cb4e6c7986ad9fb8a43fb380fee263937e223d8a5269aec918c2c8cd362ee708de0ded3a533f4cd43624d606f45b37e128bec52ada30c43b42

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                        Filesize

                        944B

                        MD5

                        ffb4808be0aaa918b807bb4dd4f5e080

                        SHA1

                        8895ae463a633e1201ed09468acc86e1e57a838b

                        SHA256

                        26fb93195d69045c08c9720cd9291fec8cb24fe49f5dd2604c26d6873f41c3b2

                        SHA512

                        7370e92e6c097ee52ef4d3e3b9ccbf482bbd3603bb25355c84c4c1599c94c8d0d4edc230d7db1ab8dd4d34c40afec839187fa5db46d48c58802e9e3107414ed9

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\0b6ae157-8b64-43cb-ac10-a948f173177f.vbs
                        Filesize

                        743B

                        MD5

                        93e69e1ff8482f031b35d40d2ef71303

                        SHA1

                        d77127acce0290e180676f139fcaf8335af765b2

                        SHA256

                        9081711b1675f592ace8cdf863fc0d8ee9b611a7f0ff3844914846277f62a8d2

                        SHA512

                        44eb6228484aeed97f6d96cc4f94e046adb2ddd129b2145fa71e1d834a8d3a6640b2b6c73af0f18da1344ebe06e22fce19524a9b3a825bf39d3e0a8addec0e23

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\1789c539-d417-4967-a27b-2073ad42ae17.vbs
                        Filesize

                        743B

                        MD5

                        b7ecc58b7f6d397feb464dd173641da7

                        SHA1

                        a4bb906602e86f8df5d5f8efdcfbc00fc4bd1505

                        SHA256

                        6a55cf218a931fa5c0553f356211aa3c5e61d5f9e1f4717401f22fee98d65a87

                        SHA512

                        209b2d9aba98c6db84e41019aee110a3e0aee085ed21c40a0647c6f86a7d4a2073ef929636221569cea72aaf70f27783d3a9fe2bff71772a94ee9e2ed2c1e05d

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\58d4f751-9ef0-4884-911e-d5bcc125af2c.vbs
                        Filesize

                        743B

                        MD5

                        0a2e3215745ff4c5b946949b2fe2fbf4

                        SHA1

                        4aea9d97e32f82ec670a9e9e02b1e20ee2f1c627

                        SHA256

                        cd3e08e48e2030fa770869ddbce520198a001e47895c79f069b1f65269606977

                        SHA512

                        94fd68ff0f253697264141ea0039eb9e6b86940eb8f1d20c2c1c73fbe6e74baac474f7d4163eccbc90ff7b0e4f7d69909adee3aa4cfffcde3a93227d5a884ec2

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\6700d9fb-c70e-4df5-802b-0a60dde3a10d.vbs
                        Filesize

                        743B

                        MD5

                        b8739458d1e32adb250fb571d618a0e8

                        SHA1

                        aec28b21fc530f20e364f63597e282bdf7820b25

                        SHA256

                        b348155d09610b0027d2af8ced9f13d674076e6bc57e5bb8fb1170cf2d684be0

                        SHA512

                        77ca8c26988b44941023083784b069a089c48067bdcac8c0868f331e7b3daa917e164f6ac7e2cc83492739515f895153d97289503528aec56b7eeb2926189664

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\75d8afdd-eb20-4e77-b784-b85e7f9732e7.vbs
                        Filesize

                        743B

                        MD5

                        ee37f0cb0dffd9aa549a48dc18ac09ec

                        SHA1

                        604645fe606098e8163aba99dda3870b3b02daa0

                        SHA256

                        59283d2cba9109742391c88ce249e395bda4a76121e900b3a8b87f923c9203a2

                        SHA512

                        37134845e7c5c3b49e4db2cea5b99beeb1c1fc4fd1a3d5cd5daf521833507707ec6d08e272d75048bc5224a37538824bbcd6c8b43c851a283eea74403d4053ee

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\RCX54A9.tmp
                        Filesize

                        1.9MB

                        MD5

                        192f0f1221e376146e725a4d23ee69a0

                        SHA1

                        9500b9672eac1b1b2dee0e81f8b8efbb6d0d90ff

                        SHA256

                        019443010d028a6d5828afc530b1bd568e536afe32e715fe6a771f3ee1a3cc9d

                        SHA512

                        daab36e062d27fd7a62607eb16a6013523fafabb31618e681feeae2fc92eb93d43c1f1a8051849aee4839d8b025ccf7227f5081847fd7b2c78e6f233f8d25a54

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rg2ywzog.5go.ps1
                        Filesize

                        60B

                        MD5

                        d17fe0a3f47be24a6453e9ef58c94641

                        SHA1

                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                        SHA256

                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                        SHA512

                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\a76d9b01-68ad-4456-a1a4-00c1be7279e6.vbs
                        Filesize

                        519B

                        MD5

                        70001a75882477b11b14ead821e0041c

                        SHA1

                        bc61badbf3c0b0e20506b7205db00040035fcbce

                        SHA256

                        0163fece010a4d0cfd72d263786e1f7dafa903dd8bb4dcb190f88da1d7e2f2ef

                        SHA512

                        9b02297879ffb5b5c5ed99ce87d9bb4e10d18c12c0da25bc6a4d799b3e827d9274bc7d6e6bf2a10112dab6adfcca47fd1933efc9ca8a751d2b30f5a0e63d277e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\adae97e0-5685-40c2-a067-5084cdafa210.vbs
                        Filesize

                        743B

                        MD5

                        ba6115ad6f7d86261f8c6f87a007a44a

                        SHA1

                        4356173d94a391cf9d8300561864e11302b2a101

                        SHA256

                        d540ed9f50e9fae86ada2e15a683a26ff7f44289b640841c1c8b84014233cbf5

                        SHA512

                        bad9ba2c46f02281c2961f9b45bad5298c4f0e4e333f0b8f75cbf2104608b832bef3ca97fa2f83077cf2e867fdf9366ad7d551606a33f0b1ccb9e0bf97e2e1f4

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\b0b4b5c5-dbff-4607-8e87-0383aaa9a4e4.vbs
                        Filesize

                        743B

                        MD5

                        0810b2bf273f247893a309e7c28f2f77

                        SHA1

                        ce453f4c13e8c82b84d7ae489d483a6fc020844b

                        SHA256

                        1acb333b8f6649a966339896ca11f92b5b08106443a0a340e3986cb25d59ccef

                        SHA512

                        e392e0dd705af82cb4dcb686036f983d98de520e57b7510f3420dd9b7f23d129c51b3a23ca75c49cf714dee3704eb5a60dc24c9a19462b09c173de7c3ef267d0

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\b2aa43f5-8e59-4c2f-a2c1-f6e1860f8773.vbs
                        Filesize

                        743B

                        MD5

                        b26b53442243ddf60685b746c32a0e07

                        SHA1

                        aa585329e3921ac1a530a6e9598746e6058fba09

                        SHA256

                        ccde0b0a1c225eae73a5b51ff720c1859eade7ae1bfa04a8826d8e37600c5ab5

                        SHA512

                        a49ffb4e8c216c1b91ae43b591af07d7af6d7560fde075e2ae4fdc2b58f1fa40fbaa30346b6a4d7e62eaf82a033d5430208b22540d49aaadbbefe0bafe3cbba9

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\eb7bcdea-7451-4191-97bb-7b63583916a8.vbs
                        Filesize

                        743B

                        MD5

                        cb9b41199d53f23bd89d4d8fd909a9db

                        SHA1

                        fe7dc4654ec51deda888f6b96e5337297f9a8c69

                        SHA256

                        848bda3d52d9c1443ec77e96eceeeabea683e8b9aa93e83c12e4e1f2a9e76e63

                        SHA512

                        565dcf2e1d438b1e2e5a43faa4370b3d95bd24b96a8e2fc82c34fa6b12cb100e16b6871ae9ed9f3108f928ec29c95dac951fc77601f189aa40ccd7f96b91affa

                        Download Submit

                      • C:\Users\Default\Documents\sysmon.exe
                        Filesize

                        1.9MB

                        MD5

                        580e5064ca4b779d1d09219a657b7d50

                        SHA1

                        4f8ea6b2f6a4a6d7b8557a5f77278bbf6b8f7161

                        SHA256

                        2a6b133585b2961795c3cbb04a618a8686fee464bb3419e337140f9ded074dff

                        SHA512

                        85c088a2263d6341adf1837beb64e5369482c27cd1108e7f7637a4cf3d206c817bfa6f1ed1cfdaca4f3e8f612202125c63981debe2ac0f1052d1b16dd2023e77

                        Download Submit

                      • memory/1688-233-0x000000001BDF0000-0x000000001BE02000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/2832-19-0x000000001B6D0000-0x000000001B6DC000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/2832-0-0x00007FFD48583000-0x00007FFD48585000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/2832-2-0x00007FFD48580000-0x00007FFD49041000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2832-1-0x0000000000080000-0x000000000026A000-memory.dmp

                        Filesize

                        1.9MB

                        Download

                      • memory/2832-3-0x0000000002380000-0x000000000239C000-memory.dmp

                        Filesize

                        112KB

                        Download

                      • memory/2832-6-0x00000000023A0000-0x00000000023B0000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/2832-187-0x00007FFD48580000-0x00007FFD49041000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2832-5-0x0000000000B80000-0x0000000000B88000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/2832-7-0x00000000023B0000-0x00000000023C6000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/2832-8-0x00000000023D0000-0x00000000023DA000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/2832-9-0x00000000023F0000-0x0000000002446000-memory.dmp

                        Filesize

                        344KB

                        Download

                      • memory/2832-14-0x000000001C060000-0x000000001C588000-memory.dmp

                        Filesize

                        5.2MB

                        Download

                      • memory/2832-16-0x000000001AFE0000-0x000000001AFEA000-memory.dmp

                        Filesize

                        40KB

                        Download

                      • memory/2832-4-0x0000000002440000-0x0000000002490000-memory.dmp

                        Filesize

                        320KB

                        Download

                      • memory/2832-18-0x000000001B000000-0x000000001B008000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/2832-17-0x000000001AFF0000-0x000000001AFFE000-memory.dmp

                        Filesize

                        56KB

                        Download

                      • memory/2832-20-0x000000001B6E0000-0x000000001B6EC000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/2832-15-0x000000001AFD0000-0x000000001AFDC000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/2832-10-0x0000000002490000-0x000000000249C000-memory.dmp

                        Filesize

                        48KB

                        Download

                      • memory/2832-11-0x000000001AF90000-0x000000001AF98000-memory.dmp

                        Filesize

                        32KB

                        Download

                      • memory/2832-13-0x000000001AFA0000-0x000000001AFB2000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/3964-278-0x000000001D240000-0x000000001D252000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/4028-138-0x00000219EDF90000-0x00000219EDFB2000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/4424-199-0x000000001CD50000-0x000000001CDA6000-memory.dmp

                        Filesize

                        344KB

                        Download

                      • memory/4424-186-0x00000000003C0000-0x00000000005AA000-memory.dmp

                        Filesize

                        1.9MB

                        Download