betabot | 157f0b21d5dcfc4e06c98545a986f2e41168f39a8d41c7f301ee4a047d55006f

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10v20201028
submitted
13-11-2020 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura__pdf__69829.exe
Size

749KB
MD5

a09b11ac0a5932ab7bea125d1e83ce96
SHA1

147918bd893d12180931e1a622866e8e42252f1b
SHA256

157f0b21d5dcfc4e06c98545a986f2e41168f39a8d41c7f301ee4a047d55006f
SHA512

b8e30534d0aa6814b0f714cfebb3b506562f1dd4a501c75d3b6e5b082cb8fff6d4e9a0df44588c67d362c7d4ff2a22eef0f113b744ffe502b995d2f3ad255141

Score

10^/10

betabot backdoor botnet evasion persistence trojan

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

mm553g9u9393_1.exe3siu1711y3.exegiakk917ogk77c.exe1m31uq3e.exe

pid process

2352 mm553g9u9393_1.exe
2704 3siu1711y3.exe
3936 giakk917ogk77c.exe
3568 1m31uq3e.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

pid	process
2352	mm553g9u9393_1.exe
2704	3siu1711y3.exe
3936	giakk917ogk77c.exe
3568	1m31uq3e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\mm553g9u9393.exe\""	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\mm553g9u9393.exe\""	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\mm553g9u9393.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Factura__pdf__69829.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Factura__pdf__69829.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\ProgramData\Google Updater 2.09\desktop.ini explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Factura__pdf__69829.exe

description	ioc	process
File opened for modification	C:\ProgramData\Google Updater 2.09\desktop.ini	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

Factura__pdf__69829.exeexplorer.exe

pid	process
3688	Factura__pdf__69829.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Factura__pdf__69829.exemm553g9u9393_1.exe

description	pid	process	target process
PID 1812 set thread context of 3688	1812	Factura__pdf__69829.exe	Factura__pdf__69829.exe
PID 2352 set thread context of 0	2352	mm553g9u9393_1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exeFactura__pdf__69829.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Factura__pdf__69829.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Factura__pdf__69829.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"	explorer.exe

NTFS ADS 2 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\mm553g9u9393_1.exe:14EDFC78	explorer.exe
File created	C:\Users\Admin\AppData\Local\Temp\mm553g9u9393_1.exe:14EDFC78	explorer.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

explorer.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
2256	powershell.exe
2256	powershell.exe
3940	powershell.exe
2216	powershell.exe
1888	powershell.exe
1888	powershell.exe
2256	powershell.exe
3940	powershell.exe
1888	powershell.exe
2216	powershell.exe
3940	powershell.exe
2216	powershell.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe
3416	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

giakk917ogk77c.exe3siu1711y3.exe

pid process

3936 giakk917ogk77c.exe
2704 3siu1711y3.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Factura__pdf__69829.exe

pid process

3688 Factura__pdf__69829.exe
3688 Factura__pdf__69829.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Factura__pdf__69829.exe

pid process

3688 Factura__pdf__69829.exe

pid	process
3936	giakk917ogk77c.exe
2704	3siu1711y3.exe

Suspicious use of AdjustPrivilegeToken 116 IoCs

Processes:

Factura__pdf__69829.exeexplorer.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3688	Factura__pdf__69829.exe
Token: SeRestorePrivilege	3688	Factura__pdf__69829.exe
Token: SeBackupPrivilege	3688	Factura__pdf__69829.exe
Token: SeLoadDriverPrivilege	3688	Factura__pdf__69829.exe
Token: SeCreatePagefilePrivilege	3688	Factura__pdf__69829.exe
Token: SeShutdownPrivilege	3688	Factura__pdf__69829.exe
Token: SeTakeOwnershipPrivilege	3688	Factura__pdf__69829.exe
Token: SeChangeNotifyPrivilege	3688	Factura__pdf__69829.exe
Token: SeCreateTokenPrivilege	3688	Factura__pdf__69829.exe
Token: SeMachineAccountPrivilege	3688	Factura__pdf__69829.exe
Token: SeSecurityPrivilege	3688	Factura__pdf__69829.exe
Token: SeAssignPrimaryTokenPrivilege	3688	Factura__pdf__69829.exe
Token: SeCreateGlobalPrivilege	3688	Factura__pdf__69829.exe
Token: 33	3688	Factura__pdf__69829.exe
Token: SeDebugPrivilege	3416	explorer.exe
Token: SeRestorePrivilege	3416	explorer.exe
Token: SeBackupPrivilege	3416	explorer.exe
Token: SeLoadDriverPrivilege	3416	explorer.exe
Token: SeCreatePagefilePrivilege	3416	explorer.exe
Token: SeShutdownPrivilege	3416	explorer.exe
Token: SeTakeOwnershipPrivilege	3416	explorer.exe
Token: SeChangeNotifyPrivilege	3416	explorer.exe
Token: SeCreateTokenPrivilege	3416	explorer.exe
Token: SeMachineAccountPrivilege	3416	explorer.exe
Token: SeSecurityPrivilege	3416	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	3416	explorer.exe
Token: SeCreateGlobalPrivilege	3416	explorer.exe
Token: 33	3416	explorer.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeIncreaseQuotaPrivilege	3940	powershell.exe
Token: SeSecurityPrivilege	3940	powershell.exe
Token: SeTakeOwnershipPrivilege	3940	powershell.exe
Token: SeLoadDriverPrivilege	3940	powershell.exe
Token: SeSystemProfilePrivilege	3940	powershell.exe
Token: SeSystemtimePrivilege	3940	powershell.exe
Token: SeProfSingleProcessPrivilege	3940	powershell.exe
Token: SeIncBasePriorityPrivilege	3940	powershell.exe
Token: SeCreatePagefilePrivilege	3940	powershell.exe
Token: SeBackupPrivilege	3940	powershell.exe
Token: SeRestorePrivilege	3940	powershell.exe
Token: SeShutdownPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeSystemEnvironmentPrivilege	3940	powershell.exe
Token: SeRemoteShutdownPrivilege	3940	powershell.exe
Token: SeUndockPrivilege	3940	powershell.exe
Token: SeManageVolumePrivilege	3940	powershell.exe
Token: 33	3940	powershell.exe
Token: 34	3940	powershell.exe
Token: 35	3940	powershell.exe
Token: SeIncreaseQuotaPrivilege	2216	powershell.exe
Token: SeSecurityPrivilege	2216	powershell.exe
Token: 36	3940	powershell.exe
Token: SeTakeOwnershipPrivilege	2216	powershell.exe
Token: SeLoadDriverPrivilege	2216	powershell.exe
Token: SeSystemProfilePrivilege	2216	powershell.exe
Token: SeSystemtimePrivilege	2216	powershell.exe
Token: SeProfSingleProcessPrivilege	2216	powershell.exe
Token: SeIncBasePriorityPrivilege	2216	powershell.exe
Token: SeCreatePagefilePrivilege	2216	powershell.exe
Token: SeBackupPrivilege	2216	powershell.exe
Token: SeRestorePrivilege	2216	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

3siu1711y3.exegiakk917ogk77c.exe

pid process

2704 3siu1711y3.exe
3936 giakk917ogk77c.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

3siu1711y3.exe1m31uq3e.exegiakk917ogk77c.exe

pid process

2704 3siu1711y3.exe
2704 3siu1711y3.exe
3568 1m31uq3e.exe
3936 giakk917ogk77c.exe
3936 giakk917ogk77c.exe

pid	process
2704	3siu1711y3.exe
3936	giakk917ogk77c.exe

pid	process
2704	3siu1711y3.exe
2704	3siu1711y3.exe
3568	1m31uq3e.exe
3936	giakk917ogk77c.exe
3936	giakk917ogk77c.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Factura__pdf__69829.exeFactura__pdf__69829.exeexplorer.exe1m31uq3e.exe

description	pid	process	target process
PID 1812 wrote to memory of 3688	1812	Factura__pdf__69829.exe	Factura__pdf__69829.exe
PID 1812 wrote to memory of 3688	1812	Factura__pdf__69829.exe	Factura__pdf__69829.exe
PID 1812 wrote to memory of 3688	1812	Factura__pdf__69829.exe	Factura__pdf__69829.exe
PID 1812 wrote to memory of 3688	1812	Factura__pdf__69829.exe	Factura__pdf__69829.exe
PID 1812 wrote to memory of 3688	1812	Factura__pdf__69829.exe	Factura__pdf__69829.exe
PID 3688 wrote to memory of 3416	3688	Factura__pdf__69829.exe	explorer.exe
PID 3688 wrote to memory of 3416	3688	Factura__pdf__69829.exe	explorer.exe
PID 3688 wrote to memory of 3416	3688	Factura__pdf__69829.exe	explorer.exe
PID 3416 wrote to memory of 2352	3416	explorer.exe	mm553g9u9393_1.exe
PID 3416 wrote to memory of 2352	3416	explorer.exe	mm553g9u9393_1.exe
PID 3416 wrote to memory of 2352	3416	explorer.exe	mm553g9u9393_1.exe
PID 3416 wrote to memory of 2704	3416	explorer.exe	3siu1711y3.exe
PID 3416 wrote to memory of 2704	3416	explorer.exe	3siu1711y3.exe
PID 3416 wrote to memory of 3936	3416	explorer.exe	giakk917ogk77c.exe
PID 3416 wrote to memory of 3936	3416	explorer.exe	giakk917ogk77c.exe
PID 3416 wrote to memory of 3568	3416	explorer.exe	1m31uq3e.exe
PID 3416 wrote to memory of 3568	3416	explorer.exe	1m31uq3e.exe
PID 3416 wrote to memory of 3568	3416	explorer.exe	1m31uq3e.exe
PID 3568 wrote to memory of 2256	3568	1m31uq3e.exe	powershell.exe
PID 3568 wrote to memory of 2256	3568	1m31uq3e.exe	powershell.exe
PID 3568 wrote to memory of 3940	3568	1m31uq3e.exe	powershell.exe
PID 3568 wrote to memory of 3940	3568	1m31uq3e.exe	powershell.exe
PID 3568 wrote to memory of 2216	3568	1m31uq3e.exe	powershell.exe
PID 3568 wrote to memory of 2216	3568	1m31uq3e.exe	powershell.exe
PID 3568 wrote to memory of 1888	3568	1m31uq3e.exe	powershell.exe
PID 3568 wrote to memory of 1888	3568	1m31uq3e.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Factura__pdf__69829.exe
"C:\Users\Admin\AppData\Local\Temp\Factura__pdf__69829.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\Factura__pdf__69829.exe
"C:\Users\Admin\AppData\Local\Temp\Factura__pdf__69829.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416

C:\Users\Admin\AppData\Local\Temp\mm553g9u9393_1.exe
/suac
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2352

C:\Users\Admin\AppData\Local\Temp\3siu1711y3.exe
"C:\Users\Admin\AppData\Local\Temp\3siu1711y3.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Users\Admin\AppData\Local\Temp\giakk917ogk77c.exe
"C:\Users\Admin\AppData\Local\Temp\giakk917ogk77c.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3936

C:\Users\Admin\AppData\Local\Temp\1m31uq3e.exe
"C:\Users\Admin\AppData\Local\Temp\1m31uq3e.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Google Updater 2.09\'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2ffc5dd431caa9b32527ade4ebd88de8

SHA1
63d781f90a7b664105ad6cd86dad92275d08c61a

SHA256
38173967aac9d65201a2bc9fa6b91d37e60eaec25f09a720d13970c334d352b2

SHA512
9fe580340614df5f3aafd342e2c38fa03d4839e29a4984a8aa27709e249a2c9500c332e1d77b6982e9032d72d3bb979c9e3df08c1efadf9b118d7f3a5f80d662

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b1d3fc1d23415f6faf8b316930d9bce3

SHA1
96248622cad35c977271d7f697533df2b77a9834

SHA256
478986efa8369a558f18021d02b14e3e8e023d591325459bc1ed1b92ce1256a4

SHA512
d4c27239017b596b7056a2f6408ad3653a3e158edf7ba9bc6e4d84c87ead47bba28f75dc6fb444f2a77590efb124c329d4b529060dc30ed8bf8ae515eda81009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d7456cb546ef5f1b925854c0dca99de1

SHA1
4df4591f70931278e60af75a274545d2f1a57295

SHA256
7bf7d309078fbd42a876ce894710e6c4777de1fc289a99c342d282aff62d4bdc

SHA512
b3bf97f4a52c99327c596db9a17fc5b9886cc0cb36706dc4479f10e29c6485e311153b8c7bdb8796b4caa1b199c8cff0f4b257fa02c8772d77a61fcb3fc8ab22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1m31uq3e.exe
MD5
02f5f7ca2efc404e1793583772fe081c

SHA1
36c27d4cb7ffcaed916683887688bd1c1b68dd4c

SHA256
03bf56a8d570d12980875268a3897d214e4a11a11e9c00beebd1c10078cb6263

SHA512
7fd07365176849e7f9b678796998250b65682d8bfda9acfd8a7ac7afca753c41b77439c701986076d0160ad0c0d7c21bf2f01d78b3dac493c2f6167da8ae695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1m31uq3e.exe
MD5
02f5f7ca2efc404e1793583772fe081c

SHA1
36c27d4cb7ffcaed916683887688bd1c1b68dd4c

SHA256
03bf56a8d570d12980875268a3897d214e4a11a11e9c00beebd1c10078cb6263

SHA512
7fd07365176849e7f9b678796998250b65682d8bfda9acfd8a7ac7afca753c41b77439c701986076d0160ad0c0d7c21bf2f01d78b3dac493c2f6167da8ae695b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3siu1711y3.exe
MD5
fc787a086afdacb23cd4136064294de7

SHA1
a8e22420eff649743f4cb6a434b3cb717432543a

SHA256
a19f13a56372672b76326bfc3bb906182f326def3fe2e8d5dbbc3a52507a2245

SHA512
7c6381c8f0b9c9d8c7d5cacfce86d253ad788d8fa45233596ba0b96fe8664facd8eb13cf3436e24afcb278a449c3d7d14a0dd88f4081b679a05bf97c55bf6003

Download Submit
C:\Users\Admin\AppData\Local\Temp\3siu1711y3.exe
MD5
fc787a086afdacb23cd4136064294de7

SHA1
a8e22420eff649743f4cb6a434b3cb717432543a

SHA256
a19f13a56372672b76326bfc3bb906182f326def3fe2e8d5dbbc3a52507a2245

SHA512
7c6381c8f0b9c9d8c7d5cacfce86d253ad788d8fa45233596ba0b96fe8664facd8eb13cf3436e24afcb278a449c3d7d14a0dd88f4081b679a05bf97c55bf6003

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dbg.txt
MD5
605e9ec302dbfd6e2f70359cee9a95cd

SHA1
08c55f1ebb5a005f0e17182f48801dad048ee6fc

SHA256
55491c04f7bdcb3305836ab70d036c05bf18ae4342bbeb538eb597deb6251137

SHA512
3ba192150a3fc6943d8200d5d5b13fdc6a7295343f45f49da31415300018ad242c34ce626857137896e46bc5443e1429d5461a184981308296783a9ec348812d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dbg.txt
MD5
38fe96ffe5f8c1039be411debc74d551

SHA1
ba1f0f50dbbb4d2333572bfbd70c241967924258

SHA256
8b631848ea3f5709832c4a176e4c4165c80376c86065d2f96c635f78745b514c

SHA512
dcc796762f0a1fd1d8f4121386ca0825735aa347915a43a9f526a9f71e5a4c19b8a80216e63779658b8b34cd79789adf8a506436fee18b74553c79e31d8e93b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dbg.txt
MD5
38fe96ffe5f8c1039be411debc74d551

SHA1
ba1f0f50dbbb4d2333572bfbd70c241967924258

SHA256
8b631848ea3f5709832c4a176e4c4165c80376c86065d2f96c635f78745b514c

SHA512
dcc796762f0a1fd1d8f4121386ca0825735aa347915a43a9f526a9f71e5a4c19b8a80216e63779658b8b34cd79789adf8a506436fee18b74553c79e31d8e93b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\giakk917ogk77c.exe
MD5
5025181e3b7b39716d8abb12587653b7

SHA1
fbd5bd12845b5fc2c0fca4d5517e6d41c7226217

SHA256
99f645012b9b6cbd56885547a4dd6c578844f9206882a98b9aa45130c138c757

SHA512
f69045d17c20542ecd9625a3910b73e46826d0263c0aa4e9338212d88fcf842a1e38c09dd2d89845dc2122553888ae66cd03c0d15c2fe81dc2431f25052bab28

Download Submit
C:\Users\Admin\AppData\Local\Temp\giakk917ogk77c.exe
MD5
5025181e3b7b39716d8abb12587653b7

SHA1
fbd5bd12845b5fc2c0fca4d5517e6d41c7226217

SHA256
99f645012b9b6cbd56885547a4dd6c578844f9206882a98b9aa45130c138c757

SHA512
f69045d17c20542ecd9625a3910b73e46826d0263c0aa4e9338212d88fcf842a1e38c09dd2d89845dc2122553888ae66cd03c0d15c2fe81dc2431f25052bab28

Download Submit
C:\Users\Admin\AppData\Local\Temp\mm553g9u9393_1.exe
MD5
a09b11ac0a5932ab7bea125d1e83ce96

SHA1
147918bd893d12180931e1a622866e8e42252f1b

SHA256
157f0b21d5dcfc4e06c98545a986f2e41168f39a8d41c7f301ee4a047d55006f

SHA512
b8e30534d0aa6814b0f714cfebb3b506562f1dd4a501c75d3b6e5b082cb8fff6d4e9a0df44588c67d362c7d4ff2a22eef0f113b744ffe502b995d2f3ad255141

Download Submit
C:\Users\Admin\AppData\Local\Temp\mm553g9u9393_1.exe
MD5
a09b11ac0a5932ab7bea125d1e83ce96

SHA1
147918bd893d12180931e1a622866e8e42252f1b

SHA256
157f0b21d5dcfc4e06c98545a986f2e41168f39a8d41c7f301ee4a047d55006f

SHA512
b8e30534d0aa6814b0f714cfebb3b506562f1dd4a501c75d3b6e5b082cb8fff6d4e9a0df44588c67d362c7d4ff2a22eef0f113b744ffe502b995d2f3ad255141

Download Submit
memory/1888-36-0x00007FF8C5890000-0x00007FF8C627C000-memory.dmp

Filesize
9.9MB

Download
memory/1888-32-0x0000000000000000-mapping.dmp

Download
memory/2216-35-0x00007FF8C5890000-0x00007FF8C627C000-memory.dmp

Filesize
9.9MB

Download
memory/2216-31-0x0000000000000000-mapping.dmp

Download
memory/2256-34-0x00007FF8C5890000-0x00007FF8C627C000-memory.dmp

Filesize
9.9MB

Download
memory/2256-40-0x00000120EB1C0000-0x00000120EB1C1000-memory.dmp

Filesize
4KB

Download
memory/2256-37-0x00000120EB010000-0x00000120EB011000-memory.dmp

Filesize
4KB

Download
memory/2256-28-0x0000000000000000-mapping.dmp

Download
memory/2352-8-0x0000000000000000-mapping.dmp

Download
memory/2704-11-0x0000000000000000-mapping.dmp

Download
memory/2704-15-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2704-14-0x00007FF8C5890000-0x00007FF8C627C000-memory.dmp

Filesize
9.9MB

Download
memory/3416-6-0x00000000009E0000-0x0000000000E20000-memory.dmp

Filesize
4.2MB

Download
memory/3416-7-0x00000000009E0000-0x0000000000E20000-memory.dmp

Filesize
4.2MB

Download
memory/3416-5-0x0000000000000000-mapping.dmp

Download
memory/3568-23-0x0000000000000000-mapping.dmp

Download
memory/3688-4-0x0000000002B90000-0x0000000002FD0000-memory.dmp

Filesize
4.2MB

Download
memory/3688-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-3-0x0000000002740000-0x0000000002865000-memory.dmp

Filesize
1.1MB

Download
memory/3688-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-1-0x00000000004015C6-mapping.dmp

Download
memory/3936-17-0x0000000000000000-mapping.dmp

Download
memory/3936-20-0x00007FF8C5890000-0x00007FF8C627C000-memory.dmp

Filesize
9.9MB

Download
memory/3936-21-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/3940-33-0x00007FF8C5890000-0x00007FF8C627C000-memory.dmp

Filesize
9.9MB

Download
memory/3940-29-0x0000000000000000-mapping.dmp

Download