af31c48d80c132e90058ed0ca5f7a2061816eef48e70db70d81b6c07438177ef

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Patch.exe
Size

59KB
MD5

27016937b5781c4f84b6b3432170f4d0
SHA1

bc812a8c4d44a3503ffd6a46e4fdab925c622344
SHA256

fc1a02b509b8f351ac45bd45efd4e7296b365545a48ffd6a14e8e07bc7189155
SHA512

24a726276cc53c5a0d075d1bf930e24b3a1891e0754b17c28a5a35b5677fd792d9adb55e5e0a7fe18f056febb8af4a49a5a0fac33389205d1f4dcc0060422be7
SSDEEP

1536:5ilGC+HMax3AZ5GiavgfreZCRIr71mazhAN5TAS:5igLV3SIareERU5mazh3S

Score

8^/10

evasion

Malware Config

Signatures

Blocks application from running via registry modification 1 IoCs
Adds application to list of disallowed applications.
evasion

Processes:

Patch.exe

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "0" Patch.exe
Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

Patch.exe

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" Patch.exe
Disables Task Manager via registry modification
evasion
Disables cmd.exe use via registry modification 1 IoCs
evasion

Processes:

Patch.exe

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0" Patch.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "0"	Patch.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	Patch.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	Patch.exe

Modifies registry class 3 IoCs

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Wow6432Node\CLSID\IAS_TEST	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\IAS_TEST\	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\IAS_TEST	reg.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

4804 reg.exe
3596 reg.exe
4180 reg.exe

pid	process
4804	reg.exe
3596	reg.exe
4180	reg.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Patch.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4968	Patch.exe
4968	Patch.exe
4968	Patch.exe
4968	Patch.exe
4968	Patch.exe
4968	Patch.exe
3468	powershell.exe
3468	powershell.exe
4552	powershell.exe
4552	powershell.exe
1428	powershell.exe
1428	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
2516	powershell.exe
3600	powershell.exe
3600	powershell.exe
2256	powershell.exe
2256	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Patch.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4968 wrote to memory of 4520	4968	Patch.exe	reg.exe
PID 4968 wrote to memory of 4520	4968	Patch.exe	reg.exe
PID 4968 wrote to memory of 4520	4968	Patch.exe	reg.exe
PID 4968 wrote to memory of 4368	4968	Patch.exe	cmd.exe
PID 4968 wrote to memory of 4368	4968	Patch.exe	cmd.exe
PID 4968 wrote to memory of 4368	4968	Patch.exe	cmd.exe
PID 4368 wrote to memory of 1724	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 1724	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 1724	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 4156	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 4156	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 2524	4368	cmd.exe	find.exe
PID 4368 wrote to memory of 2524	4368	cmd.exe	find.exe
PID 4368 wrote to memory of 1348	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 1348	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 1348	4368	cmd.exe	cmd.exe
PID 1348 wrote to memory of 2644	1348	cmd.exe	cmd.exe
PID 1348 wrote to memory of 2644	1348	cmd.exe	cmd.exe
PID 1348 wrote to memory of 2644	1348	cmd.exe	cmd.exe
PID 1348 wrote to memory of 3524	1348	cmd.exe	cmd.exe
PID 1348 wrote to memory of 3524	1348	cmd.exe	cmd.exe
PID 4368 wrote to memory of 4644	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 4644	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 4644	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 544	4368	cmd.exe	find.exe
PID 4368 wrote to memory of 544	4368	cmd.exe	find.exe
PID 4368 wrote to memory of 3468	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 3468	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 2840	4368	cmd.exe	find.exe
PID 4368 wrote to memory of 2840	4368	cmd.exe	find.exe
PID 4368 wrote to memory of 4552	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 4552	4368	cmd.exe	powershell.exe
PID 4368 wrote to memory of 3548	4368	cmd.exe	find.exe
PID 4368 wrote to memory of 3548	4368	cmd.exe	find.exe
PID 4368 wrote to memory of 4496	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 4496	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 4496	4368	cmd.exe	cmd.exe
PID 4496 wrote to memory of 1428	4496	cmd.exe	powershell.exe
PID 4496 wrote to memory of 1428	4496	cmd.exe	powershell.exe
PID 4368 wrote to memory of 5052	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 5052	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 2996	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 2996	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 2996	4368	cmd.exe	cmd.exe
PID 2996 wrote to memory of 2516	2996	cmd.exe	powershell.exe
PID 2996 wrote to memory of 2516	2996	cmd.exe	powershell.exe
PID 4368 wrote to memory of 3320	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 3320	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 4180	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 4180	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 2364	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 2364	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 4804	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 4804	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 4660	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 4660	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 3596	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 3596	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 3768	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 3768	4368	cmd.exe	reg.exe
PID 4368 wrote to memory of 2160	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 2160	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 2160	4368	cmd.exe	cmd.exe
PID 2160 wrote to memory of 2300	2160	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Patch.exe"
1⤵
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\reg.exe
reg.exe import C:\Users\Admin\AppData\Local\Temp\IDMRegClean.reg
2⤵
PID:4520

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c call "C:\Users\Admin\AppData\Local\Temp\BATCLEN.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ver
3⤵
PID:1724

C:\Windows\system32\reg.exe
reg query "HKCU\Console" /v ForceV2
3⤵
PID:4156

C:\Windows\system32\find.exe
find /i "0x0"
3⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo prompt $E | cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo prompt $E "
4⤵
PID:2644

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Users\Admin\AppData\Local\Temp\BATCLEN.bat" "
3⤵
PID:4644

C:\Windows\system32\find.exe
find /i "C:\Users\Admin\AppData\Local\Temp"
3⤵
PID:544

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\BATCLEN.bat') -split ':PowerShellTest:\s*';iex ($f[1])"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\system32\find.exe
find /i "FullLanguage"
3⤵
PID:2840

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property CreationClassName"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\system32\find.exe
find /i "computersystem"
3⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value" 2>nul
3⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "([System.Security.Principal.NTAccount](Get-WmiObject -Class Win32_ComputerSystem).UserName).Translate([System.Security.Principal.SecurityIdentifier]).Value"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\system32\reg.exe
reg query HKU\\Software
3⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid" 2>nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$explorerProc = Get-Process -Name explorer | Where-Object {$_.SessionId -eq (Get-Process -Id $pid).SessionId} | Select-Object -First 1; $sid = (gwmi -Query ('Select * From Win32_Process Where ProcessID=' + $explorerProc.Id)).GetOwnerSid().Sid; $sid"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\reg.exe
reg query HKU\S-1-5-21-2539840389-1261165778-1087677076-1000\Software
3⤵
PID:3320

C:\Windows\system32\reg.exe
reg delete HKCU\IAS_TEST /f
3⤵
- Modifies registry key
PID:4180

C:\Windows\system32\reg.exe
reg delete HKU\S-1-5-21-2539840389-1261165778-1087677076-1000\IAS_TEST /f
3⤵
PID:2364

C:\Windows\system32\reg.exe
reg add HKCU\IAS_TEST
3⤵
- Modifies registry key
PID:4804

C:\Windows\system32\reg.exe
reg query HKU\S-1-5-21-2539840389-1261165778-1087677076-1000\IAS_TEST
3⤵
PID:4660

C:\Windows\system32\reg.exe
reg delete HKCU\IAS_TEST /f
3⤵
- Modifies registry key
PID:3596

C:\Windows\system32\reg.exe
reg delete HKU\S-1-5-21-2539840389-1261165778-1087677076-1000\IAS_TEST /f
3⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
3⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PROCESSOR_ARCHITECTURE
4⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\DownloadManager" /v ExePath 2>nul
3⤵
PID:2716

C:\Windows\system32\reg.exe
reg query "HKU\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\DownloadManager" /v ExePath
4⤵
PID:4992

C:\Windows\system32\reg.exe
reg add HKU\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
3⤵
- Modifies registry class
PID:1212

C:\Windows\system32\reg.exe
reg query HKU\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST
3⤵
PID:3608

C:\Windows\system32\reg.exe
reg delete HKU\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Classes\Wow6432Node\CLSID\IAS_TEST /f
3⤵
- Modifies registry class
PID:3976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
3⤵
PID:4860

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "(Get-Date).ToString('yyyyMMdd-HHmmssfff')"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\system32\reg.exe
reg export HKCU\Software\Classes\Wow6432Node\CLSID "C:\Windows\Temp\_Backup_HKCU_CLSID_20240701-054350934.reg"
3⤵
PID:4840

C:\Windows\system32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "Email"
3⤵
PID:4940

C:\Windows\system32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "Serial"
3⤵
PID:1580

C:\Windows\system32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "scansk"
3⤵
PID:1360

C:\Windows\system32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "tvfrdt"
3⤵
PID:3936

C:\Windows\system32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "radxcnt"
3⤵
PID:3000

C:\Windows\system32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "LstCheck"
3⤵
PID:4088

C:\Windows\system32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "ptrk_scdt"
3⤵
PID:4304

C:\Windows\system32\reg.exe
reg query "HKCU\Software\DownloadManager" "/v" "LastCheckQU"
3⤵
PID:2304

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Wow6432Node\Internet Download Manager"
3⤵
PID:3472

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "$sid = 'S-1-5-21-2539840389-1261165778-1087677076-1000'; $HKCUsync = 1; $lockKey = $null; $deleteKey = 1; $f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\BATCLEN.bat') -split ':regscan\:.*';iex ($f[1])"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:1244

C:\Windows\system32\reg.exe
REG ADD "HKLM\Software\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
3⤵
PID:4728

C:\Windows\system32\reg.exe
REG ADD "HKLM\Software\WOW6432Node\Internet Download Manager" /v "AdvIntDriverEnabled2" /t REG_DWORD /d "1" /f
3⤵
PID:4084

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\DownloadManager" /v "nLst" /t REG_DWORD /d "1" /f
3⤵
PID:3200

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\DownloadManager" /v "LName" /t REG_SZ /d " " /f
3⤵
PID:4348

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\DownloadManager" /v "FName" /t REG_SZ /d "Admin" /f
3⤵
PID:4380

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1f0f8c49b22409ca78499f5df1ce9456

SHA1
5300f7ed636959c8c8366418e891dbe49a3edba9

SHA256
429128efcec165baf50a81021e610933e1020f5298d865f7b30daf370fb22014

SHA512
ca976a7ab0ef4782c3003433e8d99d34d8060cb3a8790e787b56db1e207902b9dd15ecb6e76fecbd00f5e83a8add34329b25f86b90c62055f0d0d1de5607d2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9856eec246073417aba7c4e517d16d0b

SHA1
ce495a8b86044e11eaf50cc89a92116cc9b13724

SHA256
0ed72f3f9a4847fc67fe0d6dc44d1773b8a652aaaf84352440b44da59a66d7f8

SHA512
8227671cae6eb7e5d2f77e82656c9099efb0e59b9478a7884216e83bc2be8c11ae2cbdea1c9137da263825c3a8357321fc5c931841020596cdd82ca42489f16e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9ceb72904c633682071bbadb79af7e9d

SHA1
86e86410ff740cf245a66b1f79f113fb74a281db

SHA256
cf8a3cb25524804594478ee47d2140c24d2f215f8d6a71732da00cdef4724fee

SHA512
35c29f94d37e3ae1c29ff27b7e60b4a7a26679ce514f25a7273ce81909b0820601b0e54c7d915c98b100d8f180b503a1319a12fca9a03dcc4780dc8c92ab0344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9f662a527b4fa6330e90dba6d1f917fc

SHA1
b3ef8e00b7a9f2777179ff7ad8baf67619892ef4

SHA256
8f1d319297459b44e375d9f30fc9744eed2ecd6f44f464f48726cdb9a2da2328

SHA512
c27a48f0cd8f362188e119167e2d358b849fbd6876233e10447f42da0a5d521724c6eac94e3f13a308dbf018831b16f588aeffb07a4d48024b8e862313fc5b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\BATCLEN.bat
Filesize
19KB

MD5
9fe22c4ad624881f8f0977cc7614346f

SHA1
9716758c55c57c354fd3e7ba14a40ae03d9db7d0

SHA256
12b47c1949cc555c2f68f9fd4677ed5266f25c4da4630bec36e303629b133225

SHA512
5e54cbdabf2c84a9df1128aade9a4743e8bf26140675a43f00255e45af28862660b2d45b7138fa2b7a80c8e409bdc5a13500068aa587440cb8fa7df65d171354

Download Submit
C:\Users\Admin\AppData\Local\Temp\IDMRegClean.reg
Filesize
5KB

MD5
45dc895cb92093f466aca0e3fe5c09b7

SHA1
5d815d6dde9a40a822f6144c0f7e9f31f8c6936a

SHA256
4c0e2396b9fca1bbeb36e9ebb27f27e63cd2662abf8b18f042d872322e1363eb

SHA512
e5fb3d67149c373cbb6050d3b783fe521e22a518e2bac0450d8ca2d21d9fd7686d4da631be1ae0c448da000b07f0ce205508241639712e812768c2bcab7a0ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGB15E.tmp
Filesize
32KB

MD5
e9d06132591c36129e4455d063612beb

SHA1
798619665c9915bc2f50bec9f0d9d0707a5a485e

SHA256
357e1fb247f831c9b4a0363445a0a7446af42dea4585f5c7357391e5732f4b2c

SHA512
6eabef2e10285611260d6ea1503bbb2eafb830c3dc4544f064edfa0e6821f21bbe65a77878cb18f8ebfd80ff520459e9a65f274f9c0eec7e772bec1c41d0476e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yhkymxmu.xnv.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3468-12-0x000001829C720000-0x000001829C742000-memory.dmp

Filesize
136KB

Download
memory/4968-1-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4968-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4968-81-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download