agenttesla | 95110acd4adb865b07e81e023006891a9da09a0f5851d6c8fae423f018b0a50e

Analysis

max time kernel
113s
max time network
135s
platform
windows10_x64
resource
win10v20210408
submitted
20-04-2021 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Property Details.pdf.bin.exe
Size

379KB
MD5

3618134640661e484c11406b7bae2aa7
SHA1

55f2fcab1e76b94cfdf8537a3675a65ac764d338
SHA256

4cc9fc3c6c06119543c1f09d6900c35303905b8d8e18ebc6d9d3d8f6a8ff6507
SHA512

a4b30d04d26996aed6738908bec6f32da09e6dd2e1eee971544fe84091ef6faf1325283a58913f6db915d6ad6ba8ebf9177bf692eed7d13cabdf435e7215705b

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4364-318-0x0000000000436F6E-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Property Details.pdf.bin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Property Details.pdf.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Property Details.pdf.bin.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Property Details.pdf.bin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	Property Details.pdf.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	Property Details.pdf.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe = "0"	Property Details.pdf.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe = "0"	Property Details.pdf.bin.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Property Details.pdf.bin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Property Details.pdf.bin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	Property Details.pdf.bin.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

Property Details.pdf.bin.exe

pid	process
860	Property Details.pdf.bin.exe
860	Property Details.pdf.bin.exe
860	Property Details.pdf.bin.exe
860	Property Details.pdf.bin.exe
860	Property Details.pdf.bin.exe
860	Property Details.pdf.bin.exe
860	Property Details.pdf.bin.exe
860	Property Details.pdf.bin.exe
860	Property Details.pdf.bin.exe
860	Property Details.pdf.bin.exe
860	Property Details.pdf.bin.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Property Details.pdf.bin.exe

description pid process target process

PID 860 set thread context of 4364 860 Property Details.pdf.bin.exe Property Details.pdf.bin.exe

description	pid	process	target process
PID 860 set thread context of 4364	860	Property Details.pdf.bin.exe	Property Details.pdf.bin.exe

Drops file in Program Files directory 2 IoCs

Processes:

Property Details.pdf.bin.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe	Property Details.pdf.bin.exe
File opened for modification	C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe	Property Details.pdf.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4204 timeout.exe

pid	process
4204	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2404	powershell.exe
188	powershell.exe
764	powershell.exe
188	powershell.exe
764	powershell.exe
2404	powershell.exe
764	powershell.exe
2404	powershell.exe
188	powershell.exe
2512	powershell.exe
1172	powershell.exe
3956	powershell.exe
2512	powershell.exe
3956	powershell.exe
1172	powershell.exe
2512	powershell.exe
3956	powershell.exe
1172	powershell.exe
4348	powershell.exe
4348	powershell.exe
4396	powershell.exe
4396	powershell.exe
4460	powershell.exe
4460	powershell.exe
4396	powershell.exe
4348	powershell.exe
4460	powershell.exe
4348	powershell.exe
4396	powershell.exe
4460	powershell.exe
4888	powershell.exe
4888	powershell.exe
4924	powershell.exe
4924	powershell.exe
4972	powershell.exe
4972	powershell.exe
4924	powershell.exe
4972	powershell.exe
4888	powershell.exe
4924	powershell.exe
4972	powershell.exe
4888	powershell.exe
4896	powershell.exe
4896	powershell.exe
5116	powershell.exe
5116	powershell.exe
4832	powershell.exe
4832	powershell.exe
4896	powershell.exe
5116	powershell.exe
4832	powershell.exe
4896	powershell.exe
5116	powershell.exe
4832	powershell.exe
5420	powershell.exe
5420	powershell.exe
5480	powershell.exe
5480	powershell.exe
5544	powershell.exe
5544	powershell.exe
5420	powershell.exe
5480	powershell.exe
5544	powershell.exe
5480	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

Property Details.pdf.bin.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeProperty Details.pdf.bin.exe

description	pid	process
Token: SeDebugPrivilege	860	Property Details.pdf.bin.exe
Token: SeDebugPrivilege	188	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	5420	powershell.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: SeDebugPrivilege	5544	powershell.exe
Token: SeDebugPrivilege	5948	powershell.exe
Token: SeDebugPrivilege	6036	powershell.exe
Token: SeDebugPrivilege	5988	powershell.exe
Token: SeDebugPrivilege	5500	powershell.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	6044	powershell.exe
Token: SeDebugPrivilege	5428	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	4364	Property Details.pdf.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Property Details.pdf.bin.exe

description	pid	process	target process
PID 860 wrote to memory of 188	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 188	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 188	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 2404	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 2404	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 2404	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 764	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 764	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 764	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 2512	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 2512	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 2512	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 1172	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 1172	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 1172	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 3956	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 3956	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 3956	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4348	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4348	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4348	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4396	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4396	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4396	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4460	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4460	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4460	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4888	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4888	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4888	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4924	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4924	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4924	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4972	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4972	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4972	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4896	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4896	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4896	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5116	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5116	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5116	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4832	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4832	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 4832	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5420	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5420	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5420	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5480	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5480	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5480	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5544	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5544	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5544	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5948	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5948	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5948	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5988	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5988	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5988	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 6036	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 6036	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 6036	860	Property Details.pdf.bin.exe	powershell.exe
PID 860 wrote to memory of 5500	860	Property Details.pdf.bin.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe"
1⤵
- Checks BIOS information in registry
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\AtxSQAJZhgKHQxShyHlJxWyLMVNzuWhgEuTVnDnOZTz\svchost.exe" -Force
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:4736

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4204

C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Property Details.pdf.bin.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
13a87a793ded826ca8d7d57e641b6278

SHA1
637a79edd8b5fa31a254d79d4a288696ea3bccc9

SHA256
9b2c53d7b737a12a11d4ba8fa41ff1d1e05a1a68ca3ef311fc6128920e8e922b

SHA512
aad377d89798aba6d96f80ede07b8262c278fc7939827aad26f0ddb8a862254a148e513228e8306e9ed5554c5108b0ccdcdab499be34591ba2fc65489cdea801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f6637fc3586b2fc6377311fbaece6446

SHA1
f75a7fa8e9c5f023708ca0ed3bf837526a6573d0

SHA256
c9fb720a30fc92f095f7f00a139913df6680eee4b4a7e890bbf0a6a4d02aeaf9

SHA512
2560054f171f11e78a03acc84902c0072a7904527fea81359195dd8014d54ceae84a37b503017f49665e0c6e8141e7909db21df5d11f3e4564ccbedb1fc3ab07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f6637fc3586b2fc6377311fbaece6446

SHA1
f75a7fa8e9c5f023708ca0ed3bf837526a6573d0

SHA256
c9fb720a30fc92f095f7f00a139913df6680eee4b4a7e890bbf0a6a4d02aeaf9

SHA512
2560054f171f11e78a03acc84902c0072a7904527fea81359195dd8014d54ceae84a37b503017f49665e0c6e8141e7909db21df5d11f3e4564ccbedb1fc3ab07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f6637fc3586b2fc6377311fbaece6446

SHA1
f75a7fa8e9c5f023708ca0ed3bf837526a6573d0

SHA256
c9fb720a30fc92f095f7f00a139913df6680eee4b4a7e890bbf0a6a4d02aeaf9

SHA512
2560054f171f11e78a03acc84902c0072a7904527fea81359195dd8014d54ceae84a37b503017f49665e0c6e8141e7909db21df5d11f3e4564ccbedb1fc3ab07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
4896b10278df2e1593eba9b0d7fb51e3

SHA1
4d756b7c8c7943bd5bcbf576d59fa06f21482042

SHA256
22731862438bcfb05189e7151adce97437c8b81b7b6756bc26c4c4e40c92c816

SHA512
8e0fab96cef34c5f6c8293ae779fb78351b24468af726a0beaf1d6bd20e6670971f428e06d651b1e6ca3743937aebc1067474100b1bf46aa3c245a68fc61af00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
4896b10278df2e1593eba9b0d7fb51e3

SHA1
4d756b7c8c7943bd5bcbf576d59fa06f21482042

SHA256
22731862438bcfb05189e7151adce97437c8b81b7b6756bc26c4c4e40c92c816

SHA512
8e0fab96cef34c5f6c8293ae779fb78351b24468af726a0beaf1d6bd20e6670971f428e06d651b1e6ca3743937aebc1067474100b1bf46aa3c245a68fc61af00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c94866c123349b7c386fb8db6cae9423

SHA1
b738d6da026fa1d2a691bb9c7f6f46ca749c25b6

SHA256
fc59bb4dea4a5a747d0faf094f771bb48ba67abc3c16acebabab938777569547

SHA512
21f240eeb82973d88e072033e00df74328f6ecb8c3e7a546a6247e07ba7d05f1e327b705628c19e2ee24a15cf62cf421f6d899d115b57bd13545c40227df7c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c94866c123349b7c386fb8db6cae9423

SHA1
b738d6da026fa1d2a691bb9c7f6f46ca749c25b6

SHA256
fc59bb4dea4a5a747d0faf094f771bb48ba67abc3c16acebabab938777569547

SHA512
21f240eeb82973d88e072033e00df74328f6ecb8c3e7a546a6247e07ba7d05f1e327b705628c19e2ee24a15cf62cf421f6d899d115b57bd13545c40227df7c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
535d0745dbb2ec4c187f1f806d456aa7

SHA1
2c5ecb1752672c4804e83a16eed782795d383fbd

SHA256
64d1ba1e93b70ddba47f7874cd7b2106ede1b49856cd1189bf6fea5e7de41fd2

SHA512
cb57e7e2eaf2e51d52212452495f7a2a99af94865cef4bed17b314191cc746bac0140a73b45accb3ecfbf4bbcae73ee1b1dc74fb90747901faac3053bea787cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
62be622f90f81bca0ea0695be6b57104

SHA1
58b5820cf6b6ecb13c5c4efd4c9448da8c7f766a

SHA256
1d6f77d6e31c6e7f1cc10c65c967f049edc86d0472d406b6dfb8295cb334a7f9

SHA512
c7d2e8bdee7cff5652563228829e9947a206a485654eef15e80689ab69f034d2678587d334d0c2d30921b698f49c142506566702c14e873713ee6fd0b06bc520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
62be622f90f81bca0ea0695be6b57104

SHA1
58b5820cf6b6ecb13c5c4efd4c9448da8c7f766a

SHA256
1d6f77d6e31c6e7f1cc10c65c967f049edc86d0472d406b6dfb8295cb334a7f9

SHA512
c7d2e8bdee7cff5652563228829e9947a206a485654eef15e80689ab69f034d2678587d334d0c2d30921b698f49c142506566702c14e873713ee6fd0b06bc520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3660dc9d1a8c1297b1dad779c0677307

SHA1
38c4dd59ebb7c5753ee35e3272398ece7f8b758f

SHA256
2d3ffef393dcb1ca0b2208ca1d74c59cff39a9aa71ee8d45feda609320233753

SHA512
0b0884805a1d33ddbf925689f4d55cbcae71877845bea6931920a8f69fbe8c34af2f39637d9a015893dd24cdc66b4c2cb6ebba410380d5e1567b478391ee836f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
13ab7c0113572cddee209ccd9c30a4c9

SHA1
b538eae5d62581e56b640ba9e9db9b452257f24f

SHA256
a3b578c4ff9737d0555cb24297dd66a0ba4c26f20a7fb3601e45892d40cb2f70

SHA512
43c5124b2e299e9f51afd86ef6a67c345b54c3685388fd956c39907a325c268d26e1d915a851dcbb6c3aaabfcdd233ad04103959abdb61f2a45e6fb1a89e6de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2c716bd7e9b8b02ec233209a2dcaa4e0

SHA1
3de438fb459cb29f5666d0a2f538dc3ce43c6424

SHA256
c38f8865750cbb6c8a133ec262534829274dafe17aceb652b0c0a2ea2867268f

SHA512
30bdfddfc3a70b53feff0b71eea0bdeba8edae9c54ba04855f392ffd442f6381fce3c5004b7029615208b94c244cb26029fab3ff84963f5910cab7e481b1806a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e213467c0094d99992de59672d29f8af

SHA1
1f0ef0022719a1e63e37efc9769e0138ad202dfd

SHA256
9b75e7d0870d046c2d3c3655d26d46a70e86dbb4400f062b5164d8eab5f55ffb

SHA512
4299cd2aa359656278b76dff7423026ebb28f7ffcd72c592ceab8905878df1791a97767b79154c0b07b104d637bed70fea34175633041fe058b02fe1d1ea7ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3888b45aeac3273e1df6d58828497df3

SHA1
48140be6c376d73efaa381666b1ffc2ecc62080c

SHA256
e9d0ba1a00ce2ba9bcada0f5f943bc2ea9562ed25ee4160da5636bd0469f39a1

SHA512
55036363b8d3f53cbc2235c3166da1549eed28c06d75990034295a4c97f7e0f6a01b415832f2f6bcf407f622f1cd322d1244d8d27ab1e576b8c2bf1b36b317c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
593ab1af100914fa3623c2055632055a

SHA1
7235efb5770536f06de4710389d269ebed4d110b

SHA256
a9e4bd865dab5280bd999aecf6b9ee7bc44abf7dc90ed97603624f718e9fa209

SHA512
76df5295d9e65b2be810b777a0ed9b189a57cab4875a736710cb7a14907a89effad378fddd110f695065f6c1ab301e6f8cc229281355288ccfb157f508996497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
69c260a7eaa367f20a126d59b9737a26

SHA1
58a52fcbeec085de1682a9e8d11e92b90a5e4ff7

SHA256
9f0efade73d88fefb4df73d9a4812cb8d487cf403ce098e95e7c78d1266f5e69

SHA512
0c44d1279e9ba0434b00d9f9d7d4a96eee87b504a95da7758246bbea0f4ab3498933a70a8a2cf009f6bdd7801ed50482a2fdcf770ec43664dd5f012a38b1cea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
69c260a7eaa367f20a126d59b9737a26

SHA1
58a52fcbeec085de1682a9e8d11e92b90a5e4ff7

SHA256
9f0efade73d88fefb4df73d9a4812cb8d487cf403ce098e95e7c78d1266f5e69

SHA512
0c44d1279e9ba0434b00d9f9d7d4a96eee87b504a95da7758246bbea0f4ab3498933a70a8a2cf009f6bdd7801ed50482a2fdcf770ec43664dd5f012a38b1cea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
69c260a7eaa367f20a126d59b9737a26

SHA1
58a52fcbeec085de1682a9e8d11e92b90a5e4ff7

SHA256
9f0efade73d88fefb4df73d9a4812cb8d487cf403ce098e95e7c78d1266f5e69

SHA512
0c44d1279e9ba0434b00d9f9d7d4a96eee87b504a95da7758246bbea0f4ab3498933a70a8a2cf009f6bdd7801ed50482a2fdcf770ec43664dd5f012a38b1cea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
813d1555b6787b307ad9df6222f341a9

SHA1
80c20e869af7e9611a9d624cbadb93e6d756a5cb

SHA256
9e9bee4b8455fdf3e92ffdae26d9869f6a99d4c0a18f6a460668438ccaaf2688

SHA512
088077d93a6f700ec107f3c0d48f2392e90ad8f3c59c70ef59afd0099e17ce4b1bedc87730cc5f660a49c8ee87ed747036ed821a5e7f4725aeeba84641fa062c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
813d1555b6787b307ad9df6222f341a9

SHA1
80c20e869af7e9611a9d624cbadb93e6d756a5cb

SHA256
9e9bee4b8455fdf3e92ffdae26d9869f6a99d4c0a18f6a460668438ccaaf2688

SHA512
088077d93a6f700ec107f3c0d48f2392e90ad8f3c59c70ef59afd0099e17ce4b1bedc87730cc5f660a49c8ee87ed747036ed821a5e7f4725aeeba84641fa062c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8d209e4c418713172ea8b536f07d9296

SHA1
9413a7845e0b367fd24e6677786aa65f6c75070f

SHA256
658f8bea41915fdcdd7cc965eab53da5c443ac2ad76423e804692d9e24008428

SHA512
ac4bd7e8d0030c78074cee080faf6aed66746964646b9c48c0a1e14b08b9d664d9503d1021c59716d62262029435a520596a7a84cba1aef39e7b33b8a72a8302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ca08c8e3fb3bec50ad902d702dc4f206

SHA1
1569cb3f242fb733cfbd771b8e42f4fccf342c51

SHA256
397ecac9d68f042fb5ba2ea0cd1aa6eee8eb31bb08a92784ae29b309ec0a77ee

SHA512
464f0b4557aa7efee572edeec8454f492ecdd597b5e88a169aab5707d74341d01474bde9e34ebdcabb314171360f3e6cfbecdd9ccae9c4aa38c1d1e904e09de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
53870fe1d24514fd0f9af9f70bc72213

SHA1
eb0d21a671b317289d6b343950fc01a3813fdfa3

SHA256
bc551a2a2732a14fba81365478f122d775fbe01eb8780990bc6987a6daa48ba2

SHA512
4932fba44cb51f1d89f7ce543ec502882eb41e22363bf0507151ae8d70e58ab85b21a740c0c2603b9dc60901216b0f4a6180dd2d97206fb597a93f693d02de2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
53870fe1d24514fd0f9af9f70bc72213

SHA1
eb0d21a671b317289d6b343950fc01a3813fdfa3

SHA256
bc551a2a2732a14fba81365478f122d775fbe01eb8780990bc6987a6daa48ba2

SHA512
4932fba44cb51f1d89f7ce543ec502882eb41e22363bf0507151ae8d70e58ab85b21a740c0c2603b9dc60901216b0f4a6180dd2d97206fb597a93f693d02de2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
81e9091efd6ba1386f1a5d5d10d0feda

SHA1
2dd8ea0a863de97527c18ead768e91eea800374b

SHA256
899148324ba77d302e6384db3301de8f627af01b68015be2365159e301308f7c

SHA512
fe7d285f653ad1df7f6e70a2595c2c7d93fd51a61853d17815e20ab7fd5ed8f633ce65c200cdb2a43f664e10d16ed511aa896e7eab3534c1e56cc5d9cb5b0a02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d6afe65147ad708dc8aa173232374c8a

SHA1
60b1af100025f3e8e0e3ec31e180549950862a25

SHA256
42406fc90d23e679c94774d4f2b889b55fdc47a8455ab6bcf6866426ae2b3f6e

SHA512
0e9b6e803e800a90b84315b71d62533d388260cb9f9ea6d64d2cfa5437a97b02f3ac02aa3222d9652ad00df018ec611f4a0e5a739eb78e3dfec1af95c19de116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d6afe65147ad708dc8aa173232374c8a

SHA1
60b1af100025f3e8e0e3ec31e180549950862a25

SHA256
42406fc90d23e679c94774d4f2b889b55fdc47a8455ab6bcf6866426ae2b3f6e

SHA512
0e9b6e803e800a90b84315b71d62533d388260cb9f9ea6d64d2cfa5437a97b02f3ac02aa3222d9652ad00df018ec611f4a0e5a739eb78e3dfec1af95c19de116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d6afe65147ad708dc8aa173232374c8a

SHA1
60b1af100025f3e8e0e3ec31e180549950862a25

SHA256
42406fc90d23e679c94774d4f2b889b55fdc47a8455ab6bcf6866426ae2b3f6e

SHA512
0e9b6e803e800a90b84315b71d62533d388260cb9f9ea6d64d2cfa5437a97b02f3ac02aa3222d9652ad00df018ec611f4a0e5a739eb78e3dfec1af95c19de116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1ee64ec710bbe64d78120b4ff833b2cc

SHA1
c4aa141ddf51c6b013d214296061387d4d770713

SHA256
315bf7d8dcbaf7081f782067cd50aa6c221ce18a51e1aa23fee767f33eede044

SHA512
c4f48c69da7d9fb0288f87b4fbe7b3e637d298f79aed27132c4b8fad7a893d17a21dd81b90e4ae69c224e41b23f2c4e6b72e214e0db277541dc6a98ffd524fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
24ba1ef92403144e8ec0baf711c58fe5

SHA1
b9937656dfcb2172b79efdac9eb8cb6144e0c147

SHA256
e4a643de1c919d44e1112bced1520eac310f85afad3a307c8e5c03d813b4669e

SHA512
62a6919a6195325bfdbc7a5010016b23103c7226eeebce66dd429f6caa772139fafe07ff34cb9bbe964201044b74196e3a3ff867c9a5ef01e807d43e371b4769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
24ba1ef92403144e8ec0baf711c58fe5

SHA1
b9937656dfcb2172b79efdac9eb8cb6144e0c147

SHA256
e4a643de1c919d44e1112bced1520eac310f85afad3a307c8e5c03d813b4669e

SHA512
62a6919a6195325bfdbc7a5010016b23103c7226eeebce66dd429f6caa772139fafe07ff34cb9bbe964201044b74196e3a3ff867c9a5ef01e807d43e371b4769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c2dd5effa76bf761b14d0a1d59f2e882

SHA1
ee73aba7dfe4debe12b1051147156ed7577e101c

SHA256
176864cbd1b23cc9aad555da898cb4cd051b7db4dea304c3e6a5e7e0e4cee5d3

SHA512
7e2690865477b3c7634584582710fd22a78ada418b836018f20b25098d2875fe4f76a2f8516ffd393976a8d41b73799236d51e5dc3650c93e15b4c97fc822385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
910d467bacaf8179401c226e3cb7e0be

SHA1
03fb19a9dfe3b387bb251a2183b28c6cd70c38bd

SHA256
c32cf639abcfbb0339760859c0eb644e3cf086863dd40344b20733bdc31b8be3

SHA512
93ef61a2c407aa4f1c3296ba6de2544e4ccfa2ce105828fb815dbf40f9ae1d6784306a1cfeaf86dfa70e0012f3bc4bf5c56c8960e585ac1b05cbaddb9fca1e46

Download Submit
memory/188-141-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/188-121-0x0000000000000000-mapping.dmp

Download
memory/188-209-0x0000000006C03000-0x0000000006C04000-memory.dmp

Filesize
4KB

Download
memory/188-131-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/188-201-0x000000007E370000-0x000000007E371000-memory.dmp

Filesize
4KB

Download
memory/188-159-0x0000000008470000-0x0000000008471000-memory.dmp

Filesize
4KB

Download
memory/188-135-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/188-155-0x0000000006C02000-0x0000000006C03000-memory.dmp

Filesize
4KB

Download
memory/764-154-0x0000000004CB2000-0x0000000004CB3000-memory.dmp

Filesize
4KB

Download
memory/764-150-0x0000000008090000-0x0000000008091000-memory.dmp

Filesize
4KB

Download
memory/764-136-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/764-206-0x0000000004CB3000-0x0000000004CB4000-memory.dmp

Filesize
4KB

Download
memory/764-123-0x0000000000000000-mapping.dmp

Download
memory/764-162-0x0000000008800000-0x0000000008801000-memory.dmp

Filesize
4KB

Download
memory/764-198-0x000000007F750000-0x000000007F751000-memory.dmp

Filesize
4KB

Download
memory/860-128-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/860-119-0x0000000005100000-0x000000000519D000-memory.dmp

Filesize
628KB

Download
memory/860-116-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/860-140-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/860-118-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/860-117-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/860-120-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/860-114-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/1020-311-0x0000000000000000-mapping.dmp

Download
memory/1172-215-0x000000007E630000-0x000000007E631000-memory.dmp

Filesize
4KB

Download
memory/1172-166-0x0000000000000000-mapping.dmp

Download
memory/1172-179-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1172-195-0x0000000001052000-0x0000000001053000-memory.dmp

Filesize
4KB

Download
memory/1172-217-0x0000000001053000-0x0000000001054000-memory.dmp

Filesize
4KB

Download
memory/2296-305-0x0000000000000000-mapping.dmp

Download
memory/2404-134-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/2404-137-0x00000000079A0000-0x00000000079A1000-memory.dmp

Filesize
4KB

Download
memory/2404-122-0x0000000000000000-mapping.dmp

Download
memory/2404-144-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/2404-153-0x0000000004D42000-0x0000000004D43000-memory.dmp

Filesize
4KB

Download
memory/2404-156-0x0000000008590000-0x0000000008591000-memory.dmp

Filesize
4KB

Download
memory/2404-200-0x000000007F010000-0x000000007F011000-memory.dmp

Filesize
4KB

Download
memory/2404-205-0x0000000004D43000-0x0000000004D44000-memory.dmp

Filesize
4KB

Download
memory/2512-203-0x00000000046C3000-0x00000000046C4000-memory.dmp

Filesize
4KB

Download
memory/2512-163-0x0000000000000000-mapping.dmp

Download
memory/2512-202-0x000000007F5E0000-0x000000007F5E1000-memory.dmp

Filesize
4KB

Download
memory/2512-176-0x00000000046C2000-0x00000000046C3000-memory.dmp

Filesize
4KB

Download
memory/2512-173-0x00000000046C0000-0x00000000046C1000-memory.dmp

Filesize
4KB

Download
memory/2844-306-0x0000000000000000-mapping.dmp

Download
memory/3632-312-0x0000000000000000-mapping.dmp

Download
memory/3916-310-0x0000000000000000-mapping.dmp

Download
memory/3956-194-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/3956-196-0x00000000010F2000-0x00000000010F3000-memory.dmp

Filesize
4KB

Download
memory/3956-167-0x0000000000000000-mapping.dmp

Download
memory/3956-211-0x000000007F670000-0x000000007F671000-memory.dmp

Filesize
4KB

Download
memory/3956-216-0x00000000010F3000-0x00000000010F4000-memory.dmp

Filesize
4KB

Download
memory/4204-317-0x0000000000000000-mapping.dmp

Download
memory/4348-208-0x0000000001012000-0x0000000001013000-memory.dmp

Filesize
4KB

Download
memory/4348-197-0x0000000000000000-mapping.dmp

Download
memory/4348-218-0x000000007E120000-0x000000007E121000-memory.dmp

Filesize
4KB

Download
memory/4348-207-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/4348-223-0x0000000001013000-0x0000000001014000-memory.dmp

Filesize
4KB

Download
memory/4364-318-0x0000000000436F6E-mapping.dmp

Download
memory/4396-212-0x0000000000F52000-0x0000000000F53000-memory.dmp

Filesize
4KB

Download
memory/4396-225-0x0000000000F53000-0x0000000000F54000-memory.dmp

Filesize
4KB

Download
memory/4396-199-0x0000000000000000-mapping.dmp

Download
memory/4396-219-0x000000007EE60000-0x000000007EE61000-memory.dmp

Filesize
4KB

Download
memory/4396-210-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/4460-214-0x00000000067E2000-0x00000000067E3000-memory.dmp

Filesize
4KB

Download
memory/4460-213-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/4460-204-0x0000000000000000-mapping.dmp

Download
memory/4460-232-0x00000000067E3000-0x00000000067E4000-memory.dmp

Filesize
4KB

Download
memory/4460-230-0x000000007E3E0000-0x000000007E3E1000-memory.dmp

Filesize
4KB

Download
memory/4736-316-0x0000000000000000-mapping.dmp

Download
memory/4832-250-0x00000000049E2000-0x00000000049E3000-memory.dmp

Filesize
4KB

Download
memory/4832-244-0x0000000000000000-mapping.dmp

Download
memory/4832-249-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4888-226-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/4888-227-0x0000000000E12000-0x0000000000E13000-memory.dmp

Filesize
4KB

Download
memory/4888-253-0x000000007EF00000-0x000000007EF01000-memory.dmp

Filesize
4KB

Download
memory/4888-220-0x0000000000000000-mapping.dmp

Download
memory/4888-241-0x0000000000E14000-0x0000000000E16000-memory.dmp

Filesize
8KB

Download
memory/4888-240-0x0000000000E13000-0x0000000000E14000-memory.dmp

Filesize
4KB

Download
memory/4896-246-0x00000000067D2000-0x00000000067D3000-memory.dmp

Filesize
4KB

Download
memory/4896-245-0x00000000067D0000-0x00000000067D1000-memory.dmp

Filesize
4KB

Download
memory/4896-261-0x00000000067D4000-0x00000000067D6000-memory.dmp

Filesize
8KB

Download
memory/4896-259-0x00000000067D3000-0x00000000067D4000-memory.dmp

Filesize
4KB

Download
memory/4896-264-0x000000007F470000-0x000000007F471000-memory.dmp

Filesize
4KB

Download
memory/4896-242-0x0000000000000000-mapping.dmp

Download
memory/4924-239-0x0000000006C74000-0x0000000006C76000-memory.dmp

Filesize
8KB

Download
memory/4924-229-0x0000000006C72000-0x0000000006C73000-memory.dmp

Filesize
4KB

Download
memory/4924-221-0x0000000000000000-mapping.dmp

Download
memory/4924-228-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/4924-252-0x000000007F6F0000-0x000000007F6F1000-memory.dmp

Filesize
4KB

Download
memory/4924-238-0x0000000006C73000-0x0000000006C74000-memory.dmp

Filesize
4KB

Download
memory/4972-222-0x0000000000000000-mapping.dmp

Download
memory/4972-251-0x000000007E230000-0x000000007E231000-memory.dmp

Filesize
4KB

Download
memory/4972-236-0x0000000007273000-0x0000000007274000-memory.dmp

Filesize
4KB

Download
memory/4972-237-0x0000000007274000-0x0000000007276000-memory.dmp

Filesize
8KB

Download
memory/4972-231-0x0000000007272000-0x0000000007273000-memory.dmp

Filesize
4KB

Download
memory/4972-224-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/5116-248-0x0000000006DC2000-0x0000000006DC3000-memory.dmp

Filesize
4KB

Download
memory/5116-257-0x0000000006DC3000-0x0000000006DC4000-memory.dmp

Filesize
4KB

Download
memory/5116-263-0x000000007F5D0000-0x000000007F5D1000-memory.dmp

Filesize
4KB

Download
memory/5116-243-0x0000000000000000-mapping.dmp

Download
memory/5116-260-0x0000000006DC4000-0x0000000006DC6000-memory.dmp

Filesize
8KB

Download
memory/5116-247-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/5420-255-0x0000000000000000-mapping.dmp

Download
memory/5428-304-0x0000000000000000-mapping.dmp

Download
memory/5480-256-0x0000000000000000-mapping.dmp

Download
memory/5500-290-0x0000000000000000-mapping.dmp

Download
memory/5544-262-0x0000000000000000-mapping.dmp

Download
memory/5864-293-0x0000000000000000-mapping.dmp

Download
memory/5948-272-0x0000000000000000-mapping.dmp

Download
memory/5988-273-0x0000000000000000-mapping.dmp

Download
memory/6036-274-0x0000000000000000-mapping.dmp

Download
memory/6044-294-0x0000000000000000-mapping.dmp

Download