betabot | a4cf004074849571bb93e91dd43985d914bafd646ee7f630cd44db1e09fa3fab

Analysis

max time kernel
149s
max time network
139s
platform
windows10_x64
resource
win10v20201028
submitted
25-01-2021 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CFDI_Manager_80831.exe
Size

785KB
MD5

d776c8207ca1a020530692d6db741b09
SHA1

2a4623b17683996333b9d2afabeb1f60eee5ccdc
SHA256

a4cf004074849571bb93e91dd43985d914bafd646ee7f630cd44db1e09fa3fab
SHA512

1b788e8c30b01ec95a49d8d30b0138c43a0cb02d837a273c44f51085287356a9300b8c1ef1220d9e62c1a26f1937b0696fce2e317c756097395081140805e158

Score

10^/10

betabot backdoor botnet evasion persistence ransomware trojan

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe

Executes dropped EXE 4 IoCs

Processes:

q53yu3175owi_1.exeqo9yoiu9easo.exe3qew95ggo.exe5g3se11u57gs5ic.exe

pid process

3604 q53yu3175owi_1.exe
3972 qo9yoiu9easo.exe
4212 3qew95ggo.exe
4256 5g3se11u57gs5ic.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

pid	process
3604	q53yu3175owi_1.exe
3972	qo9yoiu9easo.exe
4212	3qew95ggo.exe
4256	5g3se11u57gs5ic.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\q53yu3175owi.exe\""	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.09 = "C:\\ProgramData\\Google Updater 2.09\\q53yu3175owi.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.09 = "\"C:\\ProgramData\\Google Updater 2.09\\q53yu3175owi.exe\""	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

CFDI_Manager_80831.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CFDI_Manager_80831.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\ProgramData\Google Updater 2.09\desktop.ini explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CFDI_Manager_80831.exe

description	ioc	process
File opened for modification	C:\ProgramData\Google Updater 2.09\desktop.ini	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

CFDI_Manager_80831.exeexplorer.exe

pid	process
360	CFDI_Manager_80831.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

CFDI_Manager_80831.exeq53yu3175owi_1.exe

description	pid	process	target process
PID 4048 set thread context of 360	4048	CFDI_Manager_80831.exe	CFDI_Manager_80831.exe
PID 3604 set thread context of 0	3604	q53yu3175owi_1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CFDI_Manager_80831.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CFDI_Manager_80831.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CFDI_Manager_80831.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\DownloadVersionList = "0"	explorer.exe

NTFS ADS 2 IoCs

Processes:

explorer.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\q53yu3175owi_1.exe:14EDFC78	explorer.exe
File created	C:\Users\Admin\AppData\Local\Temp\q53yu3175owi_1.exe:14EDFC78	explorer.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

explorer.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
3088	powershell.exe
1652	powershell.exe
2168	powershell.exe
1260	powershell.exe
2168	powershell.exe
1652	powershell.exe
1652	powershell.exe
3088	powershell.exe
2168	powershell.exe
1260	powershell.exe
3088	powershell.exe
1260	powershell.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

5g3se11u57gs5ic.exe

pid process

4256 5g3se11u57gs5ic.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CFDI_Manager_80831.exe

pid process

360 CFDI_Manager_80831.exe
360 CFDI_Manager_80831.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

CFDI_Manager_80831.exe

pid process

360 CFDI_Manager_80831.exe

pid	process
4256	5g3se11u57gs5ic.exe

Suspicious use of AdjustPrivilegeToken 116 IoCs

Processes:

CFDI_Manager_80831.exeexplorer.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	360	CFDI_Manager_80831.exe
Token: SeRestorePrivilege	360	CFDI_Manager_80831.exe
Token: SeBackupPrivilege	360	CFDI_Manager_80831.exe
Token: SeLoadDriverPrivilege	360	CFDI_Manager_80831.exe
Token: SeCreatePagefilePrivilege	360	CFDI_Manager_80831.exe
Token: SeShutdownPrivilege	360	CFDI_Manager_80831.exe
Token: SeTakeOwnershipPrivilege	360	CFDI_Manager_80831.exe
Token: SeChangeNotifyPrivilege	360	CFDI_Manager_80831.exe
Token: SeCreateTokenPrivilege	360	CFDI_Manager_80831.exe
Token: SeMachineAccountPrivilege	360	CFDI_Manager_80831.exe
Token: SeSecurityPrivilege	360	CFDI_Manager_80831.exe
Token: SeAssignPrimaryTokenPrivilege	360	CFDI_Manager_80831.exe
Token: SeCreateGlobalPrivilege	360	CFDI_Manager_80831.exe
Token: 33	360	CFDI_Manager_80831.exe
Token: SeDebugPrivilege	2832	explorer.exe
Token: SeRestorePrivilege	2832	explorer.exe
Token: SeBackupPrivilege	2832	explorer.exe
Token: SeLoadDriverPrivilege	2832	explorer.exe
Token: SeCreatePagefilePrivilege	2832	explorer.exe
Token: SeShutdownPrivilege	2832	explorer.exe
Token: SeTakeOwnershipPrivilege	2832	explorer.exe
Token: SeChangeNotifyPrivilege	2832	explorer.exe
Token: SeCreateTokenPrivilege	2832	explorer.exe
Token: SeMachineAccountPrivilege	2832	explorer.exe
Token: SeSecurityPrivilege	2832	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2832	explorer.exe
Token: SeCreateGlobalPrivilege	2832	explorer.exe
Token: 33	2832	explorer.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeIncreaseQuotaPrivilege	2168	powershell.exe
Token: SeSecurityPrivilege	2168	powershell.exe
Token: SeIncreaseQuotaPrivilege	1260	powershell.exe
Token: SeSecurityPrivilege	1260	powershell.exe
Token: SeTakeOwnershipPrivilege	2168	powershell.exe
Token: SeTakeOwnershipPrivilege	1260	powershell.exe
Token: SeLoadDriverPrivilege	2168	powershell.exe
Token: SeLoadDriverPrivilege	1260	powershell.exe
Token: SeSystemProfilePrivilege	2168	powershell.exe
Token: SeSystemProfilePrivilege	1260	powershell.exe
Token: SeSystemtimePrivilege	2168	powershell.exe
Token: SeSystemtimePrivilege	1260	powershell.exe
Token: SeProfSingleProcessPrivilege	2168	powershell.exe
Token: SeProfSingleProcessPrivilege	1260	powershell.exe
Token: SeIncBasePriorityPrivilege	2168	powershell.exe
Token: SeIncBasePriorityPrivilege	1260	powershell.exe
Token: SeCreatePagefilePrivilege	2168	powershell.exe
Token: SeCreatePagefilePrivilege	1260	powershell.exe
Token: SeBackupPrivilege	2168	powershell.exe
Token: SeBackupPrivilege	1260	powershell.exe
Token: SeRestorePrivilege	2168	powershell.exe
Token: SeRestorePrivilege	1260	powershell.exe
Token: SeShutdownPrivilege	2168	powershell.exe
Token: SeShutdownPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeSystemEnvironmentPrivilege	2168	powershell.exe
Token: SeSystemEnvironmentPrivilege	1260	powershell.exe
Token: SeRemoteShutdownPrivilege	2168	powershell.exe
Token: SeRemoteShutdownPrivilege	1260	powershell.exe
Token: SeUndockPrivilege	2168	powershell.exe
Token: SeUndockPrivilege	1260	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5g3se11u57gs5ic.exe

pid process

4256 5g3se11u57gs5ic.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

qo9yoiu9easo.exe5g3se11u57gs5ic.exe

pid process

3972 qo9yoiu9easo.exe
4256 5g3se11u57gs5ic.exe
4256 5g3se11u57gs5ic.exe

pid	process
4256	5g3se11u57gs5ic.exe

pid	process
3972	qo9yoiu9easo.exe
4256	5g3se11u57gs5ic.exe
4256	5g3se11u57gs5ic.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

CFDI_Manager_80831.exeCFDI_Manager_80831.exeexplorer.exeqo9yoiu9easo.exe

description	pid	process	target process
PID 4048 wrote to memory of 360	4048	CFDI_Manager_80831.exe	CFDI_Manager_80831.exe
PID 4048 wrote to memory of 360	4048	CFDI_Manager_80831.exe	CFDI_Manager_80831.exe
PID 4048 wrote to memory of 360	4048	CFDI_Manager_80831.exe	CFDI_Manager_80831.exe
PID 4048 wrote to memory of 360	4048	CFDI_Manager_80831.exe	CFDI_Manager_80831.exe
PID 4048 wrote to memory of 360	4048	CFDI_Manager_80831.exe	CFDI_Manager_80831.exe
PID 360 wrote to memory of 2832	360	CFDI_Manager_80831.exe	explorer.exe
PID 360 wrote to memory of 2832	360	CFDI_Manager_80831.exe	explorer.exe
PID 360 wrote to memory of 2832	360	CFDI_Manager_80831.exe	explorer.exe
PID 2832 wrote to memory of 3604	2832	explorer.exe	q53yu3175owi_1.exe
PID 2832 wrote to memory of 3604	2832	explorer.exe	q53yu3175owi_1.exe
PID 2832 wrote to memory of 3604	2832	explorer.exe	q53yu3175owi_1.exe
PID 2832 wrote to memory of 3972	2832	explorer.exe	qo9yoiu9easo.exe
PID 2832 wrote to memory of 3972	2832	explorer.exe	qo9yoiu9easo.exe
PID 2832 wrote to memory of 3972	2832	explorer.exe	qo9yoiu9easo.exe
PID 3972 wrote to memory of 1652	3972	qo9yoiu9easo.exe	powershell.exe
PID 3972 wrote to memory of 1652	3972	qo9yoiu9easo.exe	powershell.exe
PID 3972 wrote to memory of 2168	3972	qo9yoiu9easo.exe	powershell.exe
PID 3972 wrote to memory of 2168	3972	qo9yoiu9easo.exe	powershell.exe
PID 3972 wrote to memory of 3088	3972	qo9yoiu9easo.exe	powershell.exe
PID 3972 wrote to memory of 3088	3972	qo9yoiu9easo.exe	powershell.exe
PID 3972 wrote to memory of 1260	3972	qo9yoiu9easo.exe	powershell.exe
PID 3972 wrote to memory of 1260	3972	qo9yoiu9easo.exe	powershell.exe
PID 2832 wrote to memory of 4212	2832	explorer.exe	3qew95ggo.exe
PID 2832 wrote to memory of 4212	2832	explorer.exe	3qew95ggo.exe
PID 2832 wrote to memory of 4212	2832	explorer.exe	3qew95ggo.exe
PID 2832 wrote to memory of 4256	2832	explorer.exe	5g3se11u57gs5ic.exe
PID 2832 wrote to memory of 4256	2832	explorer.exe	5g3se11u57gs5ic.exe

C:\Users\Admin\AppData\Local\Temp\CFDI_Manager_80831.exe
"C:\Users\Admin\AppData\Local\Temp\CFDI_Manager_80831.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\CFDI_Manager_80831.exe
"C:\Users\Admin\AppData\Local\Temp\CFDI_Manager_80831.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
3⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\q53yu3175owi_1.exe
/suac
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3604

C:\Users\Admin\AppData\Local\Temp\qo9yoiu9easo.exe
"C:\Users\Admin\AppData\Local\Temp\qo9yoiu9easo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Google Updater 2.09\'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Users\Admin\AppData\Local\Temp\3qew95ggo.exe
"C:\Users\Admin\AppData\Local\Temp\3qew95ggo.exe"
4⤵
- Executes dropped EXE
PID:4212

C:\Users\Admin\AppData\Local\Temp\5g3se11u57gs5ic.exe
"C:\Users\Admin\AppData\Local\Temp\5g3se11u57gs5ic.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dc6c9918b7311cfd97b8ccbd54058b64

SHA1
c4bd4c47470599c0cb6d178986635d716b11009f

SHA256
9ab4d577419153b1cb430bdc496c916d56ed1e460403a093e50cd37b332a86f1

SHA512
2f93ff8a431190142168cb1bde9102515bcec25a779a1025a11ded1161e65adb73a796f6ba717c3b1f4643cd8b1a1d6b6f89f1faee66b323ee47d9694b75087c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dc6c9918b7311cfd97b8ccbd54058b64

SHA1
c4bd4c47470599c0cb6d178986635d716b11009f

SHA256
9ab4d577419153b1cb430bdc496c916d56ed1e460403a093e50cd37b332a86f1

SHA512
2f93ff8a431190142168cb1bde9102515bcec25a779a1025a11ded1161e65adb73a796f6ba717c3b1f4643cd8b1a1d6b6f89f1faee66b323ee47d9694b75087c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f34aa3427b08fb43c8ce5c06fb2f7bb0

SHA1
8fc93808ca6cd18583c89c2c8e41b74552581701

SHA256
cd587f7124cbb8eaaae6372047ece27bd51b80ea70e1cd747fe67304a479ce84

SHA512
7478a809bd3dad31e7481840df453f1b6b500e968487fad6c211f037385ebf90343499e260add41d238a2e0d04385b619d4df490d56c88a5f775b724e64a9dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3qew95ggo.exe
MD5
dc9127dc898edcb166176abfc891ee59

SHA1
400466e887170c260628143430d08335a88d5298

SHA256
4490550a55d971b2305d209e9a9d6fdb4954fb1c4c435d0b1f4e98d84a938074

SHA512
85347b252c34c39b8781a592af94de66dc65908c8d2c92a447cc8fca4996eea65e4c0875f891c9372ff51873c05894f846d9e37e965959f4c5c5d0367e0afb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3qew95ggo.exe
MD5
dc9127dc898edcb166176abfc891ee59

SHA1
400466e887170c260628143430d08335a88d5298

SHA256
4490550a55d971b2305d209e9a9d6fdb4954fb1c4c435d0b1f4e98d84a938074

SHA512
85347b252c34c39b8781a592af94de66dc65908c8d2c92a447cc8fca4996eea65e4c0875f891c9372ff51873c05894f846d9e37e965959f4c5c5d0367e0afb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5g3se11u57gs5ic.exe
MD5
74a1acd3f2863c088dd3cbf6c82140e8

SHA1
a8b05f002998a2c839c186d244fb7855352a67b9

SHA256
b9cb7bda47bec1b2cc0b4bebb2d00424f0bec38dcea5667dd2a661539a42228d

SHA512
390b14843a2f58ce1bee3550a8cc7cb73ab7d108965d75c6532917f6bc8bf99fc3cbf9bdd59ddce1f8cb1e06d239ee4ee899a5c878c3485f6951081d9732201e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5g3se11u57gs5ic.exe
MD5
74a1acd3f2863c088dd3cbf6c82140e8

SHA1
a8b05f002998a2c839c186d244fb7855352a67b9

SHA256
b9cb7bda47bec1b2cc0b4bebb2d00424f0bec38dcea5667dd2a661539a42228d

SHA512
390b14843a2f58ce1bee3550a8cc7cb73ab7d108965d75c6532917f6bc8bf99fc3cbf9bdd59ddce1f8cb1e06d239ee4ee899a5c878c3485f6951081d9732201e

Download Submit
C:\Users\Admin\AppData\Local\Temp\q53yu3175owi_1.exe
MD5
d776c8207ca1a020530692d6db741b09

SHA1
2a4623b17683996333b9d2afabeb1f60eee5ccdc

SHA256
a4cf004074849571bb93e91dd43985d914bafd646ee7f630cd44db1e09fa3fab

SHA512
1b788e8c30b01ec95a49d8d30b0138c43a0cb02d837a273c44f51085287356a9300b8c1ef1220d9e62c1a26f1937b0696fce2e317c756097395081140805e158

Download Submit
C:\Users\Admin\AppData\Local\Temp\q53yu3175owi_1.exe
MD5
d776c8207ca1a020530692d6db741b09

SHA1
2a4623b17683996333b9d2afabeb1f60eee5ccdc

SHA256
a4cf004074849571bb93e91dd43985d914bafd646ee7f630cd44db1e09fa3fab

SHA512
1b788e8c30b01ec95a49d8d30b0138c43a0cb02d837a273c44f51085287356a9300b8c1ef1220d9e62c1a26f1937b0696fce2e317c756097395081140805e158

Download Submit
C:\Users\Admin\AppData\Local\Temp\qo9yoiu9easo.exe
MD5
4fd50d4173e873a52e7841fe2a3f921e

SHA1
4ffd734a7877f78fdf2b65b37e90b2db3be20fe3

SHA256
456b6497adb103204e78b1888c75cc73a6e61e8aa1d5eec27eb594f98e0601ed

SHA512
5c272aeb5a27d905251d4e41216d69060eebe2d978602f339776486bbb007ea294183921a7c57c8a8dafaf50080df08b411f45610dfebd6a61d7dc28658d8ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qo9yoiu9easo.exe
MD5
4fd50d4173e873a52e7841fe2a3f921e

SHA1
4ffd734a7877f78fdf2b65b37e90b2db3be20fe3

SHA256
456b6497adb103204e78b1888c75cc73a6e61e8aa1d5eec27eb594f98e0601ed

SHA512
5c272aeb5a27d905251d4e41216d69060eebe2d978602f339776486bbb007ea294183921a7c57c8a8dafaf50080df08b411f45610dfebd6a61d7dc28658d8ab0

Download Submit
memory/360-6-0x00000000005F0000-0x00000000005FD000-memory.dmp

Filesize
52KB

Download
memory/360-7-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/360-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/360-3-0x00000000004015C6-mapping.dmp

Download
memory/360-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/360-8-0x00000000027A0000-0x00000000027AC000-memory.dmp

Filesize
48KB

Download
memory/360-5-0x00000000022A0000-0x0000000002306000-memory.dmp

Filesize
408KB

Download
memory/360-15-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1260-29-0x0000000000000000-mapping.dmp

Download
memory/1260-40-0x0000017CAA990000-0x0000017CAA992000-memory.dmp

Filesize
8KB

Download
memory/1260-54-0x0000017CAA998000-0x0000017CAA999000-memory.dmp

Filesize
4KB

Download
memory/1260-52-0x0000017CAA996000-0x0000017CAA998000-memory.dmp

Filesize
8KB

Download
memory/1260-41-0x0000017CAA993000-0x0000017CAA995000-memory.dmp

Filesize
8KB

Download
memory/1260-33-0x00007FFE2F920000-0x00007FFE3030C000-memory.dmp

Filesize
9.9MB

Download
memory/1652-31-0x00007FFE2F920000-0x00007FFE3030C000-memory.dmp

Filesize
9.9MB

Download
memory/1652-36-0x000001AD73E60000-0x000001AD73E62000-memory.dmp

Filesize
8KB

Download
memory/1652-26-0x0000000000000000-mapping.dmp

Download
memory/1652-37-0x000001AD73E63000-0x000001AD73E65000-memory.dmp

Filesize
8KB

Download
memory/1652-57-0x000001AD73E68000-0x000001AD73E69000-memory.dmp

Filesize
4KB

Download
memory/1652-46-0x000001AD76020000-0x000001AD76021000-memory.dmp

Filesize
4KB

Download
memory/1652-51-0x000001AD73E66000-0x000001AD73E68000-memory.dmp

Filesize
8KB

Download
memory/2168-30-0x00007FFE2F920000-0x00007FFE3030C000-memory.dmp

Filesize
9.9MB

Download
memory/2168-27-0x0000000000000000-mapping.dmp

Download
memory/2168-34-0x000001E0E0080000-0x000001E0E0082000-memory.dmp

Filesize
8KB

Download
memory/2168-35-0x000001E0E0083000-0x000001E0E0085000-memory.dmp

Filesize
8KB

Download
memory/2168-50-0x000001E0E0086000-0x000001E0E0088000-memory.dmp

Filesize
8KB

Download
memory/2168-56-0x000001E0E0088000-0x000001E0E0089000-memory.dmp

Filesize
4KB

Download
memory/2832-9-0x0000000000000000-mapping.dmp

Download
memory/2832-10-0x0000000000160000-0x00000000005A0000-memory.dmp

Filesize
4.2MB

Download
memory/2832-17-0x0000000004AA0000-0x0000000004AA2000-memory.dmp

Filesize
8KB

Download
memory/2832-11-0x0000000002EA0000-0x0000000002FCE000-memory.dmp

Filesize
1.2MB

Download
memory/3088-55-0x0000019676C98000-0x0000019676C99000-memory.dmp

Filesize
4KB

Download
memory/3088-42-0x0000019676C30000-0x0000019676C31000-memory.dmp

Filesize
4KB

Download
memory/3088-32-0x00007FFE2F920000-0x00007FFE3030C000-memory.dmp

Filesize
9.9MB

Download
memory/3088-39-0x0000019676C93000-0x0000019676C95000-memory.dmp

Filesize
8KB

Download
memory/3088-38-0x0000019676C90000-0x0000019676C92000-memory.dmp

Filesize
8KB

Download
memory/3088-28-0x0000000000000000-mapping.dmp

Download
memory/3088-53-0x0000019676C96000-0x0000019676C98000-memory.dmp

Filesize
8KB

Download
memory/3604-18-0x0000000000000000-mapping.dmp

Download
memory/3972-21-0x0000000000000000-mapping.dmp

Download
memory/4212-65-0x0000000071990000-0x000000007207E000-memory.dmp

Filesize
6.9MB

Download
memory/4212-61-0x0000000000000000-mapping.dmp

Download
memory/4212-70-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/4256-66-0x0000000000000000-mapping.dmp

Download
memory/4256-69-0x00007FFE2F920000-0x00007FFE3030C000-memory.dmp

Filesize
9.9MB

Download
memory/4256-72-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/4256-74-0x000000001BD90000-0x000000001BD92000-memory.dmp

Filesize
8KB

Download
memory/4256-75-0x000000001BD93000-0x000000001BD95000-memory.dmp

Filesize
8KB

Download
memory/4256-76-0x000000001BD95000-0x000000001BD97000-memory.dmp

Filesize
8KB

Download
memory/4256-77-0x000000001BD97000-0x000000001BD99000-memory.dmp

Filesize
8KB

Download
memory/4256-78-0x000000001BD99000-0x000000001BD9F000-memory.dmp

Filesize
24KB

Download