dd4c86cf085ceb60020f03c2fcf1f669452f5bef09c753b03ab0a6b778b87b34

Analysis

max time kernel
101s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
30/03/2025, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS_Suite.v9.8.EN.bat
Size

1.1MB
MD5

17f656676e34f8a8252522d1a9e2bf40
SHA1

b34bc6fbf8a4f8f9e893b8703c14f8f51e90b7d6
SHA256

bed604d258d3e0ead02bd44c3c5c40feb56e0cee751169ab763887c727087747
SHA512

1835f1b25f13fb0f8c991e08593a9d60bbaca80c1b03dd62b861d8078d87ea5c0dac0efe79759b2270d76b5aad654ee0d1142ccae604d717163335c5e9da8511
SSDEEP

24576:5WDaRGrHDQCBdTx/pn6E9gMqfolasayo4QB0zx1:oDaRGbDXL/pnvYfSle4ue7

Score

7^/10

defense_evasion discovery execution privilege_escalation

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
896	center.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4548	powershell.exe
5992	powershell.exe
4500	powershell.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4540	reg.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	center.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\.Admin\shell\runas\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\.Admin	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\.Admin\shell\runas	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\.Admin\shell\runas	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\.Admin\shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\.Admin\shell\runas\command\ = "cmd /x /d /r set \"f0=%2\"& call \"%2\" %3"	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\.Admin\shell\runas\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\.Admin\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1216697136-3907990103-1733992739-1000_Classes\.Admin	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4540	reg.exe
544	reg.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4548	powershell.exe
4548	powershell.exe
5992	powershell.exe
5992	powershell.exe
4500	powershell.exe
4500	powershell.exe
4100	powershell.exe
4100	powershell.exe
3484	powershell.exe
3484	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 4576	1424	cmd.exe	79
PID 1424 wrote to memory of 4576	1424	cmd.exe	79
PID 1424 wrote to memory of 4540	1424	cmd.exe	80
PID 1424 wrote to memory of 4540	1424	cmd.exe	80
PID 1424 wrote to memory of 3004	1424	cmd.exe	81
PID 1424 wrote to memory of 3004	1424	cmd.exe	81
PID 1424 wrote to memory of 544	1424	cmd.exe	82
PID 1424 wrote to memory of 544	1424	cmd.exe	82
PID 1424 wrote to memory of 4548	1424	cmd.exe	83
PID 1424 wrote to memory of 4548	1424	cmd.exe	83
PID 4548 wrote to memory of 3632	4548	powershell.exe	84
PID 4548 wrote to memory of 3632	4548	powershell.exe	84
PID 3632 wrote to memory of 3284	3632	csc.exe	85
PID 3632 wrote to memory of 3284	3632	csc.exe	85
PID 4548 wrote to memory of 5028	4548	powershell.exe	86
PID 4548 wrote to memory of 5028	4548	powershell.exe	86
PID 1424 wrote to memory of 2744	1424	cmd.exe	87
PID 1424 wrote to memory of 2744	1424	cmd.exe	87
PID 2744 wrote to memory of 3168	2744	cmd.exe	88
PID 2744 wrote to memory of 3168	2744	cmd.exe	88
PID 2744 wrote to memory of 5992	2744	cmd.exe	89
PID 2744 wrote to memory of 5992	2744	cmd.exe	89
PID 5992 wrote to memory of 5140	5992	powershell.exe	90
PID 5992 wrote to memory of 5140	5992	powershell.exe	90
PID 5140 wrote to memory of 4760	5140	csc.exe	91
PID 5140 wrote to memory of 4760	5140	csc.exe	91
PID 2744 wrote to memory of 5304	2744	cmd.exe	92
PID 2744 wrote to memory of 5304	2744	cmd.exe	92
PID 2744 wrote to memory of 4500	2744	cmd.exe	93
PID 2744 wrote to memory of 4500	2744	cmd.exe	93
PID 2744 wrote to memory of 5084	2744	cmd.exe	94
PID 2744 wrote to memory of 5084	2744	cmd.exe	94
PID 2744 wrote to memory of 4192	2744	cmd.exe	95
PID 2744 wrote to memory of 4192	2744	cmd.exe	95
PID 2744 wrote to memory of 896	2744	cmd.exe	96
PID 2744 wrote to memory of 896	2744	cmd.exe	96
PID 2744 wrote to memory of 896	2744	cmd.exe	96
PID 2744 wrote to memory of 4228	2744	cmd.exe	97
PID 2744 wrote to memory of 4228	2744	cmd.exe	97
PID 2744 wrote to memory of 2072	2744	cmd.exe	98
PID 2744 wrote to memory of 2072	2744	cmd.exe	98
PID 2072 wrote to memory of 5752	2072	cmd.exe	99
PID 2072 wrote to memory of 5752	2072	cmd.exe	99
PID 2744 wrote to memory of 4984	2744	cmd.exe	100
PID 2744 wrote to memory of 4984	2744	cmd.exe	100
PID 4984 wrote to memory of 4100	4984	cmd.exe	101
PID 4984 wrote to memory of 4100	4984	cmd.exe	101
PID 2744 wrote to memory of 3476	2744	cmd.exe	103
PID 2744 wrote to memory of 3476	2744	cmd.exe	103
PID 3476 wrote to memory of 3484	3476	cmd.exe	104
PID 3476 wrote to memory of 3484	3476	cmd.exe	104
PID 2744 wrote to memory of 348	2744	cmd.exe	105
PID 2744 wrote to memory of 348	2744	cmd.exe	105
PID 2744 wrote to memory of 1084	2744	cmd.exe	106
PID 2744 wrote to memory of 1084	2744	cmd.exe	106
PID 2744 wrote to memory of 4268	2744	cmd.exe	107
PID 2744 wrote to memory of 4268	2744	cmd.exe	107
PID 2744 wrote to memory of 5280	2744	cmd.exe	108
PID 2744 wrote to memory of 5280	2744	cmd.exe	108
PID 2744 wrote to memory of 5860	2744	cmd.exe	109
PID 2744 wrote to memory of 5860	2744	cmd.exe	109
PID 2744 wrote to memory of 5864	2744	cmd.exe	110
PID 2744 wrote to memory of 5864	2744	cmd.exe	110
PID 2744 wrote to memory of 1864	2744	cmd.exe	111

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KMS_Suite.v9.8.EN.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\system32\mode.com
  mode con cols=78 lines=5
  2⤵
  PID:4576
- C:\Windows\system32\reg.exe
  reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\"& call \"%2\" %3"
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Modifies registry class
  - Modifies registry key
  PID:4540
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:3004
- C:\Windows\system32\reg.exe
  reg delete hkcu\software\classes\.Admin\ /f
  2⤵
  - Modifies registry class
  - Modifies registry key
  PID:544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -c $f=[IO.File]::ReadAllText($env:0)-split':KMS_Suite\:.*';iex($f[1]); X(1)
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cu0zwfl0\cu0zwfl0.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES470B.tmp" "c:\Users\Admin\AppData\Local\Temp\cu0zwfl0\CSCA556F5A6E32948418CAEE12149318B97.TMP"
      4⤵
      PID:3284
- - C:\Windows\system32\expand.exe
    "C:\Windows\system32\expand.exe" -R 1 -F:* .
    3⤵
    - Drops file in Windows directory
    PID:5028
- C:\Windows\system32\cmd.exe
  cmd.exe /c KMS_Suite.bat -suite
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\mode.com
    mode con cols=78 lines=6
    3⤵
    PID:3168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File disablex.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5992
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\djwuur43\djwuur43.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5140
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C8A.tmp" "c:\Users\Admin\AppData\Local\Temp\djwuur43\CSCC15354EBB51B44D38BA349AA73E926F7.TMP"
        5⤵
        
        PID:4760
- - C:\Windows\system32\mode.com
    mode con: cols=90 lines=40
    3⤵
    PID:5304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -noprofile "$W=(get-host).ui.rawui; $B=$W.buffersize; $B.height=90; $W.buffersize=$B"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:5084
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:4192
- - C:\Users\Admin\AppData\Local\Temp\bin\center.exe
    center.exe kF5nJ4D92hfOpc8
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ver
    3⤵
    PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      4⤵
      PID:5752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Caption from Win32_OperatingSystem').Get()).Caption"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -nop -c "(([WMISEARCHER]'Select Version from Win32_OperatingSystem').Get()).Version"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3484
- - C:\Windows\system32\mode.com
    mode con cols=92 lines=35
    3⤵
    PID:348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c time /t
    3⤵
    PID:1084
- - C:\Windows\system32\findstr.exe
    findstr /v /a:78 /R "^$" " KMS & KMS 2038 & Digital & Online Activation Suite v9.8 - mephistooo2 - www.TNCTR.com" nul
    3⤵
    PID:4268
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " SUPPORTED MICROSOFT PRODUCTS" nul
    3⤵
    PID:5280
- - C:\Windows\system32\findstr.exe
    findstr /v /a:6 /R "^$" " [1] ACTIVATION START FOR WINDOWS & OFFICE (KMS Inject Method)" nul
    3⤵
    PID:5860
- - C:\Windows\system32\findstr.exe
    findstr /v /a:9 /R "^$" " [2] ACTIVATION START FOR WINDOWS 10-11 (Digital & KMS 2038 Activation Method)" nul
    3⤵
    PID:5864
- - C:\Windows\system32\findstr.exe
    findstr /v /a:2 /R "^$" " [3] ACTIVATION START FOR WINDOWS & OFFICE (Online Activation Method)" nul
    3⤵
    PID:1864
- - C:\Windows\system32\findstr.exe
    findstr /v /a:7 /R "^$" " [4] WINDOWS & OFFICE ACTIVATION STATUS CHECK" nul
    3⤵
    PID:2012
- - C:\Windows\system32\findstr.exe
    findstr /v /a:3 /R "^$" " [5] KMS & KMS 2038 & DIGITAL & ONLINE ACTIVATION VISIT WEBSITE" nul
    3⤵
    PID:5684
- - C:\Windows\system32\findstr.exe
    findstr /v /a:4 /R "^$" " [6] EXIT" nul
    3⤵
    PID:4436
- - C:\Windows\system32\choice.exe
    choice /C:123456 /N /M "YOUR CHOICE :"
    3⤵
    PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
aa0a32b11dca7b04f4cc5fe8c55cb357

SHA1
00e354fd0754a7d721a270cdc08f970b9a3f6605

SHA256
e336a593bd31921c46757a88a99759f6a33854d0c8b854c0c8f118e5cede1ea1

SHA512
1db91d3540da2c7eb4e151d698f3a9c1d2caed3161c41f1c2c73781a65e9dfc818902f0220c0aa9fc2c617d4851f23f4a576c4e5fe0f40ec78e9ed01c8ad8b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e6baeec02c3d93dce26652e7acebc90

SHA1
937a7b4a0d42ea56e21a1a00447d899a2aca3c28

SHA256
137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0

SHA512
461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
caf429e82ad6ac8ff92518beddb79a35

SHA1
5e82c5fe1acb72235c65327da008c37efb106276

SHA256
c36336719e66ebd289035b6525866ac49ce71b39e475bbb59a2e7b7aff274a5b

SHA512
2c5eb03ea727559a34badd5bdbe094117e71b11b9d415598f61d7e0381476e6c98764868c83fe46bce7ff8b70fb510efa7d79a582641d8ad028cdbaa660d3336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0ff7e1af4cc86e108eef582452b35523

SHA1
c2ccf2811d56c3a3a58dced2b07f95076c6b5b96

SHA256
62ed8ef2250f9f744852cb67df0286c80f94e26aed646989b76e5b78f2f1f0d0

SHA512
374675fd36cd8bc38acaec44d4cc855b85feece548d99616496d498e61e943fd695fec7c57550a58a32455e8b21b41bafa18cd1dadac69676fff1de1a56da937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b3fbb9529ff9a9c95630d09e169fd4a8

SHA1
b6510200af19bb97830284f910717f7717b4d882

SHA256
c14f1415460e50b0c815ac0823cebc8126c640c5e7295c8baa36df5ba96c2cb4

SHA512
5b666a366f4b9a627949dd67ca308ee8fd59f469661485aac2f3a0a4d3f6d05afab9c89af1f7cadb15639873fc01fc98e69ecc6556cc65df6c6cc47020f4ca16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ KMS & KMS 2038 & Digital & Online Activation Suite v9.8 - mephistooo2 - www.TNCTR.com

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1

Filesize
865KB

MD5
60b56dcf1ef66a07739c4faf9789fcbd

SHA1
3a22be0f32400d0ce9337169327141751a958ab2

SHA256
c43c53387b72ea36cd944f1d1f211c4bc22434cdc27839c693a81ffe4af71c06

SHA512
b06614c6c09cea4a3f8c3c4b091d9abe8e8443a7fc3dd0417f7621f256e59d068b5f48bf6aea79aa25f6c926cd060e8c87e85232a094fdc32684578b81bcba8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMS_Suite.bat

Filesize
143KB

MD5
f4bf6cb2324388678ecc2b0b600b0c6e

SHA1
cca2a203325d72f28e6ef3fc5bdca6a7308dfb8b

SHA256
8492bfef0395e601f810e841d50f51524ae6858556a41ba69710ceb2a9f48a56

SHA512
c30e68061059001f7c3984d70cc7522a2c31e9de4eba9e8008b0781169d3e9e41454e61ce21f1043cd4f8c0898adbc210409fd52d208b117f04c11ddef91bb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES470B.tmp

Filesize
1KB

MD5
ca2207d90238956aa49d9c12f840ac69

SHA1
12b82b89c8d79f2f64d727774d961a8669b67de4

SHA256
83ce26ac9dabe3dd89bbdafd15380cba9bee778ff97390be7a67710112287816

SHA512
4960bfe171a6bbd1eaf560806cef9dcf1799e504a7c701a6b0f76eda111d7d13dabceb8ec30b59e76415433ddabc533b4e5245c924b301c1f80a2ae36d45f612

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4C8A.tmp

Filesize
1KB

MD5
2c982f0e330e1671b28170fbde84b548

SHA1
f5f4c117e34b314a3774703415a11dc4328aa541

SHA256
e4f27678c85f8374032b5071ff668ec7b0b0ef037a983e9d783dce44988b4057

SHA512
a7e8732a77cce2ba24135b464ee1203ed594623358b4ce425787d38f9922e0c4af169354679e0f36bb39eede05b738063e5361f0ba69bafc77a568488dcb77c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gi54fjlz.euh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\center.exe

Filesize
72KB

MD5
0a847eafddc4529388e1a1b291354cf8

SHA1
adddd1b79c64c7c1d0d440df847be31ee94e664d

SHA256
69533d9b66b840b4764f901cd6a502d12453b604617a841f4c2c602fc87df255

SHA512
7b3ddb5be55367fc5fcfaa99f9a3b7f0888234c82146f3af6b012ff1feacf8b087cf53cce3e57492417a8e88657a045d948fedc07645e5a018604c158bd15710

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin\disablex.ps1

Filesize
1KB

MD5
522c0e01b280581a62954cf1e7971eaa

SHA1
4b8a66cd6839d05a3bd2732124a4441797940075

SHA256
2d2e271131e130688218b369cada1444807a0a65120df942a98e7887bdfe7201

SHA512
c9299b176f3279f1f37a9744d6361009daafe815a8e8b96e3d9dd0865ef9f938e3c33773fde3dac93f5d3cebc6b1d2952c02e0816a9b0ca5c8d0c6f19f3f1950

Download Submit
C:\Users\Admin\AppData\Local\Temp\cu0zwfl0\cu0zwfl0.dll

Filesize
3KB

MD5
107e0fb79ea82af259f294a74c40a72f

SHA1
55b95bbbf401064d1d6cc456ed532c6e7a448acd

SHA256
d8e91946c738e8bb70cd299c0429344feb8b9a1ad526973da3767cd2fd5e49db

SHA512
89981115786b4ff07debc391b5564863b6f0768fb27b91caf1337fb3f128f9be513bc793ff7b2e7f80b150455f6a2d1cc6697602031badc20b2a5cab041ee013

Download Submit
C:\Users\Admin\AppData\Local\Temp\djwuur43\djwuur43.dll

Filesize
3KB

MD5
1e6a19184b3c16dd877038ee7704da6f

SHA1
863888f417efce17f383371cdde06a2f045aabd2

SHA256
f358b042dc2f503f6621d23754a18e8771c9fce902f6fade85c09f092a064ce1

SHA512
5039aba7e74a69e64b42208e414c8dd8977ff773317280ce642a0b0909e2952120194060abf9a8a436ae06ec0c747f8bbc4bd4ee0d1b69ff90d793b6d01585bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cu0zwfl0\CSCA556F5A6E32948418CAEE12149318B97.TMP

Filesize
652B

MD5
9b84387a21db8e71485763d3486249fc

SHA1
54efacb519304ff8155c75c4222438b2069b154b

SHA256
bd7717ff824077bcd7ac60569bd9e12e1a8668c27a3eed9967bb78ea1a8f4b02

SHA512
b7ee9d2037609c1e3902d19bcc40572f9f991390cbf9c676172c9cbf0aefc7ee0b2dc7c64ffe1b5794d34b0d16dd9a3fd84722f29384d89a28311feb57a6f753

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cu0zwfl0\cu0zwfl0.0.cs

Filesize
521B

MD5
047f0cf592670e8fca358f12e4cd5a89

SHA1
0cd8cdde668e7e64adb49e388e75e1136429e5f6

SHA256
32e77d9085ad9ea0fd1eb5a9556e29cb42f5d3016ccf9853f3c39d358f479978

SHA512
368b22e424520c272195d3264123fceb2dba549574ff7282c210ffb6d9e8f574b7392f199304f2adef974d4d926fbccb1ce50fbd8ad4e89f05cec58635357cc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cu0zwfl0\cu0zwfl0.cmdline

Filesize
369B

MD5
e70ad1c5ade5b1751efdac749a740ce7

SHA1
c126414cf2962384453ccccf0a9a852d936b938f

SHA256
1a6091dc7c7832f35e13b30dc9bd6ad2725f1ac4609b376566234db6652f2594

SHA512
e79b7f097b45079c228195794aa9463fd515d1b0c014d24f631c67db7315832a3d3d293d1f3f0d84e39df65c6d4d7bca644bf17f0fb437cb5f6d196e2f944e7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\djwuur43\CSCC15354EBB51B44D38BA349AA73E926F7.TMP

Filesize
652B

MD5
72ed95978c4aee3f8d5bed3ef1b33a4a

SHA1
cf0b5a863d83e42cf5008ad735d4d10b024f7872

SHA256
61629cc824d89c0d8b9f8965d692c60c064255b72607f96f9ccac30032f702be

SHA512
8e252e6d2c1ddfe5849a57dd9c4ba96ddd4d0daccbe3cf11c464b512521521be8d6dc9058e140afd5076cec31e02e206c141459dc9bb57d9399895b8a45a886a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\djwuur43\djwuur43.0.cs

Filesize
1KB

MD5
810a30d3e12a7bb7b78a5ec70fec88ee

SHA1
921dc2985f892a800c2bb00e9166d232e78accf4

SHA256
86a49c1dfe76226db0daa8be63437e41d76c379f6c8a80d77930b771a6780487

SHA512
6792ef5c81b717b90f2bd211973d52be6ff2677915e76c2bb21b44610b5803852bac0d90df32faf9a50636c67ebc516abf3a2ca4a37ceb411133527740d5543a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\djwuur43\djwuur43.cmdline

Filesize
369B

MD5
fffc62a0f6951c4a8a8c9d6d68456cc3

SHA1
b4d457c8fac89d8843c801e114b5cd7ff08e1bab

SHA256
d5497e9ceea7aa096bb4f17d4619f9104b92b6f42e9bcb8634f6a757786aa49b

SHA512
0ce5c7e9bf33641364695fdc572b821d4c9bfcaa8c3624085062d105c9d54d285b7d32354a18b358f8da68fde5deb9ef21f66697f46be1206b1cef2f012b710c

Download Submit
memory/4548-14-0x00007FF8280F0000-0x00007FF828BB2000-memory.dmp

Filesize
10.8MB

Download
memory/4548-0-0x00007FF8280F3000-0x00007FF8280F5000-memory.dmp

Filesize
8KB

Download
memory/4548-11-0x00007FF8280F0000-0x00007FF828BB2000-memory.dmp

Filesize
10.8MB

Download
memory/4548-25-0x00000279801A0000-0x00000279801A8000-memory.dmp

Filesize
32KB

Download
memory/4548-10-0x00007FF8280F0000-0x00007FF828BB2000-memory.dmp

Filesize
10.8MB

Download
memory/4548-9-0x00000279FF110000-0x00000279FF132000-memory.dmp

Filesize
136KB

Download
memory/4548-65-0x00007FF8280F0000-0x00007FF828BB2000-memory.dmp

Filesize
10.8MB

Download
memory/5992-90-0x000001DFD2120000-0x000001DFD2128000-memory.dmp

Filesize
32KB

Download