blacknet | e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a

Analysis

max time kernel
54s
max time network
113s
platform
windows10_x64
resource
win10v20210408
submitted
01-08-2021 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
Size

220KB
MD5

97cb3fda3cff430377a866d6b437de8f
SHA1

2359c8459c1e1dd133c2842b51d2982e63016f92
SHA256

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a
SHA512

e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f

Score

10^/10

blacknet bot evasion persistence trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

http://furyx.de/panel

Mutex

BN[c1916af6f3a468e5b6f5c7f6b9c78982]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
true

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\furz.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\furz.exe	family_blacknet
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\furz.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\furz.exe	disable_win_def
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 5 IoCs

Processes:

furz.exeUacTest.exeInpwdja.exeMnrjvryib.exeWindowsUpdate.exe

pid process

2184 furz.exe
584 UacTest.exe
3188 Inpwdja.exe
3160 Mnrjvryib.exe
4240 WindowsUpdate.exe

pid	process
2184	furz.exe
584	UacTest.exe
3188	Inpwdja.exe
3160	Mnrjvryib.exe
4240	WindowsUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exefurz.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Windows\\Microsoft\\MyClient\\WindowsUpdate.exe"	furz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

description	pid	process	target process
PID 632 set thread context of 4080	632	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

Drops file in Windows directory 2 IoCs

Processes:

furz.exe

description	ioc	process
File created	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe
File opened for modification	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4280 4240 WerFault.exe WindowsUpdate.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4480 schtasks.exe
2708 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3140 taskkill.exe

pid	pid_target	process	target process
4280	4240	WerFault.exe	WindowsUpdate.exe

pid	process
4480	schtasks.exe
2708	schtasks.exe

pid	process
3140	taskkill.exe

Modifies registry class 1 IoCs

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4064 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1328 PING.EXE
3692 PING.EXE

pid	process
4064	reg.exe

pid	process
1328	PING.EXE
3692	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exefurz.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4080	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
4080	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
4064	powershell.exe
4064	powershell.exe
3064	powershell.exe
3064	powershell.exe
3980	powershell.exe
3980	powershell.exe
3064	powershell.exe
4064	powershell.exe
3304	powershell.exe
3304	powershell.exe
3980	powershell.exe
576	powershell.exe
576	powershell.exe
1240	powershell.exe
1240	powershell.exe
4064	powershell.exe
2120	powershell.exe
2120	powershell.exe
3296	powershell.exe
3296	powershell.exe
3064	powershell.exe
1340	powershell.exe
1340	powershell.exe
2352	powershell.exe
2352	powershell.exe
3428	powershell.exe
3428	powershell.exe
4104	powershell.exe
4104	powershell.exe
3980	powershell.exe
3304	powershell.exe
1340	powershell.exe
3428	powershell.exe
1240	powershell.exe
576	powershell.exe
1340	powershell.exe
2120	powershell.exe
3296	powershell.exe
2352	powershell.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe
2184	furz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exetaskkill.exefurz.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWindowsUpdate.exe

description	pid	process
Token: SeDebugPrivilege	4080	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	2184	furz.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeIncreaseQuotaPrivilege	2604	powershell.exe
Token: SeSecurityPrivilege	2604	powershell.exe
Token: SeTakeOwnershipPrivilege	2604	powershell.exe
Token: SeLoadDriverPrivilege	2604	powershell.exe
Token: SeSystemProfilePrivilege	2604	powershell.exe
Token: SeSystemtimePrivilege	2604	powershell.exe
Token: SeProfSingleProcessPrivilege	2604	powershell.exe
Token: SeIncBasePriorityPrivilege	2604	powershell.exe
Token: SeCreatePagefilePrivilege	2604	powershell.exe
Token: SeBackupPrivilege	2604	powershell.exe
Token: SeRestorePrivilege	2604	powershell.exe
Token: SeShutdownPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeSystemEnvironmentPrivilege	2604	powershell.exe
Token: SeRemoteShutdownPrivilege	2604	powershell.exe
Token: SeUndockPrivilege	2604	powershell.exe
Token: SeManageVolumePrivilege	2604	powershell.exe
Token: 33	2604	powershell.exe
Token: 34	2604	powershell.exe
Token: 35	2604	powershell.exe
Token: 36	2604	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4240	WindowsUpdate.exe
Token: SeIncreaseQuotaPrivilege	3064	powershell.exe
Token: SeSecurityPrivilege	3064	powershell.exe
Token: SeTakeOwnershipPrivilege	3064	powershell.exe
Token: SeLoadDriverPrivilege	3064	powershell.exe
Token: SeSystemProfilePrivilege	3064	powershell.exe
Token: SeSystemtimePrivilege	3064	powershell.exe
Token: SeProfSingleProcessPrivilege	3064	powershell.exe
Token: SeIncBasePriorityPrivilege	3064	powershell.exe
Token: SeCreatePagefilePrivilege	3064	powershell.exe
Token: SeBackupPrivilege	3064	powershell.exe
Token: SeRestorePrivilege	3064	powershell.exe
Token: SeShutdownPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeSystemEnvironmentPrivilege	3064	powershell.exe
Token: SeRemoteShutdownPrivilege	3064	powershell.exe
Token: SeUndockPrivilege	3064	powershell.exe
Token: SeManageVolumePrivilege	3064	powershell.exe
Token: 33	3064	powershell.exe
Token: 34	3064	powershell.exe
Token: 35	3064	powershell.exe
Token: 36	3064	powershell.exe
Token: SeIncreaseQuotaPrivilege	4064	powershell.exe
Token: SeSecurityPrivilege	4064	powershell.exe
Token: SeTakeOwnershipPrivilege	4064	powershell.exe
Token: SeLoadDriverPrivilege	4064	powershell.exe
Token: SeSystemProfilePrivilege	4064	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

furz.exeWindowsUpdate.exe

pid process

2184 furz.exe
2184 furz.exe
2184 furz.exe
4240 WindowsUpdate.exe
4240 WindowsUpdate.exe
4240 WindowsUpdate.exe

pid	process
2184	furz.exe
2184	furz.exe
2184	furz.exe
4240	WindowsUpdate.exe
4240	WindowsUpdate.exe
4240	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exeE6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.execmd.exeUacTest.exeInpwdja.exeMnrjvryib.execmd.execmd.execmd.exefurz.exe

description	pid	process	target process
PID 632 wrote to memory of 4080	632	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 632 wrote to memory of 4080	632	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 632 wrote to memory of 4080	632	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 632 wrote to memory of 4080	632	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 632 wrote to memory of 4080	632	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 632 wrote to memory of 4080	632	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 632 wrote to memory of 4080	632	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 632 wrote to memory of 4080	632	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 4080 wrote to memory of 2184	4080	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	furz.exe
PID 4080 wrote to memory of 2184	4080	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	furz.exe
PID 4080 wrote to memory of 584	4080	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	UacTest.exe
PID 4080 wrote to memory of 584	4080	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	UacTest.exe
PID 4080 wrote to memory of 584	4080	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	UacTest.exe
PID 4080 wrote to memory of 2244	4080	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	cmd.exe
PID 4080 wrote to memory of 2244	4080	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	cmd.exe
PID 4080 wrote to memory of 2244	4080	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	cmd.exe
PID 2244 wrote to memory of 1328	2244	cmd.exe	PING.EXE
PID 2244 wrote to memory of 1328	2244	cmd.exe	PING.EXE
PID 2244 wrote to memory of 1328	2244	cmd.exe	PING.EXE
PID 2244 wrote to memory of 3692	2244	cmd.exe	PING.EXE
PID 2244 wrote to memory of 3692	2244	cmd.exe	PING.EXE
PID 2244 wrote to memory of 3692	2244	cmd.exe	PING.EXE
PID 584 wrote to memory of 3188	584	UacTest.exe	Inpwdja.exe
PID 584 wrote to memory of 3188	584	UacTest.exe	Inpwdja.exe
PID 584 wrote to memory of 3188	584	UacTest.exe	Inpwdja.exe
PID 584 wrote to memory of 3160	584	UacTest.exe	Mnrjvryib.exe
PID 584 wrote to memory of 3160	584	UacTest.exe	Mnrjvryib.exe
PID 584 wrote to memory of 3160	584	UacTest.exe	Mnrjvryib.exe
PID 3188 wrote to memory of 2156	3188	Inpwdja.exe	cmd.exe
PID 3188 wrote to memory of 2156	3188	Inpwdja.exe	cmd.exe
PID 3160 wrote to memory of 2984	3160	Mnrjvryib.exe	cmd.exe
PID 3160 wrote to memory of 2984	3160	Mnrjvryib.exe	cmd.exe
PID 2156 wrote to memory of 496	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 496	2156	cmd.exe	cmd.exe
PID 2984 wrote to memory of 3140	2984	cmd.exe	taskkill.exe
PID 2984 wrote to memory of 3140	2984	cmd.exe	taskkill.exe
PID 496 wrote to memory of 4064	496	cmd.exe	reg.exe
PID 496 wrote to memory of 4064	496	cmd.exe	reg.exe
PID 2184 wrote to memory of 2604	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 2604	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 4064	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 4064	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 3980	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 3980	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 3064	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 3064	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 576	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 576	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 3304	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 3304	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 1240	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 1240	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 2120	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 2120	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 3296	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 3296	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 1340	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 1340	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 2352	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 2352	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 3428	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 3428	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 4104	2184	furz.exe	powershell.exe
PID 2184 wrote to memory of 4104	2184	furz.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
"C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:632

C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
"C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\furz.exe
"C:\Users\Admin\AppData\Local\Temp\furz.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "WindowsUpdate.exe" /f
4⤵
PID:4312

C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
"C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
5⤵
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
5⤵
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
5⤵
PID:3812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
5⤵
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
5⤵
PID:4112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
5⤵
PID:4996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
5⤵
PID:904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
5⤵
PID:4692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
5⤵
PID:1488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
5⤵
PID:4256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
5⤵
PID:4920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
5⤵
PID:4432

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "WindowsUpdate.exe" /f
5⤵
PID:4464

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4240 -s 2684
5⤵
- Program crash
PID:4280

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4480

C:\Users\Admin\AppData\Local\Temp\UacTest.exe
"C:\Users\Admin\AppData\Local\Temp\UacTest.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
"C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B3B5.tmp\B3C6.tmp\B3C7.bat C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- Modifies registry key
PID:4064

C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
"C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B3C5.tmp\B3C6.tmp\B3C7.bat C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\system32\taskkill.exe
Taskkill /IM cmd.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 100
4⤵
- Runs ping.exe
PID:1328

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 900
4⤵
- Runs ping.exe
PID:3692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe.log
MD5
4cce90d514b02375cc96049f5979fa96

SHA1
336fdb6c53577dbcac509d31bd515757817bff35

SHA256
ab019bbc94253e3afc0fc09d3722a6eecab94857c734fbd75b3e558cc48427d0

SHA512
530e3566fe42db495103a110dd50d665fef013f2ebd09db1b149f51825fd4406d4e5b8272fceb99581b47609940a2994a14893ca3712ae3cf4509c39b060d3d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f4417c586f5677ca0dc898b73a2a9fcb

SHA1
9e85a2d3ffffdda1454dfa9466f08242b7bcdf60

SHA256
a4aceef4c2de2d649bd4b2e5e0e3b00b8326c51375817936a5b65bbf291acefd

SHA512
3c935b7850a120476b86fa4d1a58cbf7ce35cfa0f79fd589a4e206838361f33556e99d3790e22339d251e7719a47a52cd1fb0e4f65b8a712694e7cea226e8c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
06acdc704bdc9e2959beaface51069f8

SHA1
cce519a76c258b50d00c482e5dba3d0c83e6ac76

SHA256
1daba4c0fafee78656ba15d836e4046898f4cbe7566b42be0c987ecf172535ea

SHA512
9619dcb55e6e88b8707206ca7b6d5ba54261bed7c26c4a949c3c5e8e3875741180f976efd3511f18775e28e775916285eaf3ef31417c6a3c5c6f80f940118a7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7ebd6978e400c87c08b32d646fc371c7

SHA1
0fcfafa9909f939ab41157295fc63040eafa0cbc

SHA256
a760542c4a1a489c23deaaef01865e04f89897e9d047b997cf4a211a36f0bfa1

SHA512
efbb7ee4890b0de4676d397e10b286bf8e521932638699c7f51ad9f1c5aa4aa9ca41429938ea03a97974234feeaa2635d65f54e56b005346c15c445022557f86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b2f79611e3623eeedd8b57eeec2c0d82

SHA1
6bf5336b68b3ba35ad27e8d4bb6fd66d9a1a0878

SHA256
f24d857591ff73c1f3cc15b3e076f12f25a07d38fe98ed50680d7b62cb66dce1

SHA512
73f29e56d36edfd863227dc12131334337c8cfc28840ecddd442cf0cea63bc4fa319649a15930d5a2bde2fc960ed5c1f814fe9c9711c3989bab2804c4a47a8eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b2f79611e3623eeedd8b57eeec2c0d82

SHA1
6bf5336b68b3ba35ad27e8d4bb6fd66d9a1a0878

SHA256
f24d857591ff73c1f3cc15b3e076f12f25a07d38fe98ed50680d7b62cb66dce1

SHA512
73f29e56d36edfd863227dc12131334337c8cfc28840ecddd442cf0cea63bc4fa319649a15930d5a2bde2fc960ed5c1f814fe9c9711c3989bab2804c4a47a8eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5289d24bb73d83bdc35e861b6253d76e

SHA1
f5f49f48d01d04e014bc31965d1c23a13924075d

SHA256
5d981ec3b4e544f10baa7a5ced0d2c3ddf8c5bbc7a6d480837bd9fd92f24f9a4

SHA512
74bd7521dc9d0df73046c202367d723c30cbf7212c0c9d3a72d0a9cb10a3af0d7f68df784649afe43a85d3739ba3e70affa8dc3cfce16a661c98632fa4699ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
454bbb2d32116fd7416d86a5ea5fe144

SHA1
d12d1a46bdd8e70c8ad1fd91b73cbb8d324030d0

SHA256
d7fe8bd754851635f256a31fb6bfb1bebe7d50875ffa19bb2ea6717bb2f0ae56

SHA512
dc1bd5db2bea9463d0e70c6b4696f0fde93d1076da87c2d941a9e4013e1f4fda096e1d2b4c4fbb470335e1d85656ae869a86265323d48bb4b865b5702781739c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
454bbb2d32116fd7416d86a5ea5fe144

SHA1
d12d1a46bdd8e70c8ad1fd91b73cbb8d324030d0

SHA256
d7fe8bd754851635f256a31fb6bfb1bebe7d50875ffa19bb2ea6717bb2f0ae56

SHA512
dc1bd5db2bea9463d0e70c6b4696f0fde93d1076da87c2d941a9e4013e1f4fda096e1d2b4c4fbb470335e1d85656ae869a86265323d48bb4b865b5702781739c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
602e70385212f8c73141d31b3d1235ff

SHA1
8e3df37a306664d7bc3595a970748e8c3b14e870

SHA256
331a8ac17fe40bd3e672030b324bdfd090a1846a081bf788944c4eba75354798

SHA512
68f8a319f37164500dbf2d03c7aa38b748dac8fb25339b1fb0dd21833bf2229e9a4aacc45c63d25743e58978b9b618d4bbf3233dd77bd2fb6565bcacfd48bd10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
602e70385212f8c73141d31b3d1235ff

SHA1
8e3df37a306664d7bc3595a970748e8c3b14e870

SHA256
331a8ac17fe40bd3e672030b324bdfd090a1846a081bf788944c4eba75354798

SHA512
68f8a319f37164500dbf2d03c7aa38b748dac8fb25339b1fb0dd21833bf2229e9a4aacc45c63d25743e58978b9b618d4bbf3233dd77bd2fb6565bcacfd48bd10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fa99c573ce8cf9f20dadcef07516d5ab

SHA1
03a3b5138627b7906b221566302a9b66e9393916

SHA256
0f2efba6c94dd47bcdcb0db3e181eb8a83f1d0d7eed21f78f6d35fffe2f7b9b6

SHA512
db62abc426372b964b6f3eb609f63feeb2614a1a2d7b08d25558ce35aaeaf7921c8ef9a6d4d86582d9493d233aba2b96c14289bc0593d0cd3dbbc5baa2408cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f14b85cc5c966d57c3ae6614c382f799

SHA1
2b6301d3c23059230d97ef1e17488b13ec0bdbda

SHA256
737dd66dc265ce3ec5cfdb28d32eae9bbaf4354d883a7c3ce56f6d7878456d5b

SHA512
8b661710dca913cb40ccbb11e658079cbca0e776a3c8daa4fce69df2050f3756a9f0bc42f70fff0c029eb0a5de4b3167f77816c577ef4d6867e9ef42da87c6ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2d80e461dbe90598c8bfafeb63514f00

SHA1
8e72807bb6c77d34f1e6d549eef26edc435e0507

SHA256
dc26020e61ad77435274569741fc408831dc639564e92dd94d24c26ecb43f127

SHA512
41e4227be9fdb9fa27db4e1cccc2a2b7684746a4f355342cef448d555fca3bf74686b1be2e6b30d280fa3cc3cbb170ba08c6f9da41102e7dab79f7d8b2cfe07b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2f2c394ef3d9d98a17ab165624c88751

SHA1
de2ddf7835815480d77851a90d84fd16f5228908

SHA256
dde7c83551a8980ba88aaeda54c936861896e04c4661207249520372514792c3

SHA512
fca27f54ac302972f2617497c0a1ecd66d8c924c0975c47364b5301beea70a6d213ad157c2aa6554a0bfee16e37c8845ca4849b333e1798afa8856db0bd4bbe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c95d57fdb3c6ec446731895e94077239

SHA1
46e6fd4b92e01fdc8911e943952b4c5bf74f9fcd

SHA256
98e2989e8585c206914b438bda123c9f44bcb771fc6e61b1a6c2793c0311bf88

SHA512
b3edfee2351c9b8dc9698109aa842aa924510d4a6d5c14c3c92ae514a3186813b6a7e2acb5b03bebc717615da3ab1730d9a4271f67907d9c9d53f685988b53af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c95d57fdb3c6ec446731895e94077239

SHA1
46e6fd4b92e01fdc8911e943952b4c5bf74f9fcd

SHA256
98e2989e8585c206914b438bda123c9f44bcb771fc6e61b1a6c2793c0311bf88

SHA512
b3edfee2351c9b8dc9698109aa842aa924510d4a6d5c14c3c92ae514a3186813b6a7e2acb5b03bebc717615da3ab1730d9a4271f67907d9c9d53f685988b53af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1323ce9fb20a07f00c583fb2cac1e374

SHA1
71863f3540055b187b17c1f284617fce4ceb4eff

SHA256
55a052134f6195c72c2616c9cda8cc9129d3b184be46196f19a4357c19e64f1d

SHA512
a8910c4a8849dca549c2680e14f928530cfcd1d02cfcfb961b032990b647e6d444e646f4148a2c6109e6fbb10281b463878c8f482530abe076d1a04122baa986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0a738d71d456ac478f78b335090528e8

SHA1
311109539c66dbcba3f84bff6d788460c8ed0520

SHA256
37a2af223f9eb2b792554e6b0bcb4865462948c70f1416637b883f36a3f1c7fa

SHA512
d7870b454364f2d782e36a6b6bb18757db6a76fcf551bddf01bf2c4284dcb46d19f0735847876c792b46d15bce68c7236c1bac3f4c96a10de8b2dc9403626cf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e934449b8961dc066449fdd4a1f97d19

SHA1
78e3eb2ef1fdda64e87cb0fa82dee07de9bcac4a

SHA256
c739ea5fc8aa8f378279ab2146433f26c0c661dd4cf18a72d900f050e0c4e9df

SHA512
04d2b38b9824533ee3afff099a3116e67266de93bd14c6a8363bcc9433a83d70fd62dd77d4517fb581ef63f77cf4985c33a75a87cd99469074a5d3889171303d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ead419de172f3a7e8299eb20dffe4657

SHA1
43b0f6e0016a76b6ed6e0c690bdfb1fd081b61d1

SHA256
9efe9e923e8457d6b0c8abc01f260f746985b458fb5fae261250ccd553dd0ec8

SHA512
666212b4b92c69a92ed20dd3815386b525bd0fec9dec97e069160e74bab08484410e7a262b38c5e99b947f9dd91c341305b1d2f97ba22dd8e4b1d96430a6e2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1736be7daada3003b698c274e79d8a19

SHA1
f9b8f2bbdc3f5bb085aa489b7ab7c0cea03f20ed

SHA256
ee00429c7908aa26e6f801a78c925dc2b090c9710d642171b8b667689ecf96c8

SHA512
42c5bce28aef5054d7eff99c5923f5642778e82e48dc50b1d0473655470b6bfb6e83bc3693fc92330919853e76d7b562af0b77fcb04f97f2b2c17d8f5ced4a87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ead419de172f3a7e8299eb20dffe4657

SHA1
43b0f6e0016a76b6ed6e0c690bdfb1fd081b61d1

SHA256
9efe9e923e8457d6b0c8abc01f260f746985b458fb5fae261250ccd553dd0ec8

SHA512
666212b4b92c69a92ed20dd3815386b525bd0fec9dec97e069160e74bab08484410e7a262b38c5e99b947f9dd91c341305b1d2f97ba22dd8e4b1d96430a6e2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
39d673bcd57109815bb028ca5b68361a

SHA1
1f53f2c653d6a8728cc59d05b8b358210b1095a0

SHA256
83494cd83edc256f54b8677d5c0023c7cb5eeceb43f6c80c1e5829471d43dfa5

SHA512
c156ba81ef6c774eea5abf374f91c1d72af52970e1d82efde22ac554adbcfc3de0f45192f3dbefca0b3d0f54e3c4c942a6a0620e29a55acf110b612f0408c883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dee99f3f4261ff94bd61bcc81cb2ae44

SHA1
7c685377342c497e3bd4d52ef5abac71a1856c48

SHA256
e4789a8241623450156fe1a392e5aa5bf2a1f22d2ca4694093d65bc1b27d0881

SHA512
99d720fb1384dc7e84a6bd4aace4fc6fb2fb99613c9cb11d2561581eb50c37475e3f83f66f8ecd91840908710046a27a427dd1b9bbddbd3a1dbb3bdcb856d4e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
dee99f3f4261ff94bd61bcc81cb2ae44

SHA1
7c685377342c497e3bd4d52ef5abac71a1856c48

SHA256
e4789a8241623450156fe1a392e5aa5bf2a1f22d2ca4694093d65bc1b27d0881

SHA512
99d720fb1384dc7e84a6bd4aace4fc6fb2fb99613c9cb11d2561581eb50c37475e3f83f66f8ecd91840908710046a27a427dd1b9bbddbd3a1dbb3bdcb856d4e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3B5.tmp\B3C6.tmp\B3C7.bat
MD5
befbbfdadeef80e445fdd152a121a6d1

SHA1
67019f2a12662f2ff92dc7977769b0debdbf564e

SHA256
0848f1ac65974856844e59ff3b8d492c88acf43f0fd64505d5bf3fd4e43d9da6

SHA512
867c4ee6cb22ba7ba0d5aa9c16d321f36013588b6057e3f3f0e6de670481ab1f7d46c1553b9410ff753de7e923d1b774db0c8297091fd9c852bdc96fee43ee32

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3C5.tmp\B3C6.tmp\B3C7.bat
MD5
4f4ecd10fc86be6be730390c06be67c8

SHA1
4c59c25907109fd48d8d94caaa8b8266ffa3c7c3

SHA256
a9bf329ec3514d7d5698851137d508b763b1a627747b1ce40ddd5c524538459c

SHA512
b4e89c807071e770b9327693032c8d1ebc06811dfeccfe0892e00deb449b75cb5d921ed2f7ae53d3fae00837bd6eed3fcb0bfc7168cad0f0c44997e51e4365f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
MD5
d1082e6ae11fecd45ebe0f2b3d32230d

SHA1
c070a8395ccb984f5bcd8f22629ffa1b41ea14c1

SHA256
dce696122649ef915c08645cf53e6b118977ce476b076f72d00e3b6f3e309c77

SHA512
d712276a263e77617838a709e4a8d6b18a676832e909f0ab5547d22a128c309c92dc0f1044c62c0782c3f9f3e2103c08dd9eaf6166f17fd7f0165490e17c0ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
MD5
d1082e6ae11fecd45ebe0f2b3d32230d

SHA1
c070a8395ccb984f5bcd8f22629ffa1b41ea14c1

SHA256
dce696122649ef915c08645cf53e6b118977ce476b076f72d00e3b6f3e309c77

SHA512
d712276a263e77617838a709e4a8d6b18a676832e909f0ab5547d22a128c309c92dc0f1044c62c0782c3f9f3e2103c08dd9eaf6166f17fd7f0165490e17c0ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
MD5
5303046dacbdfcb013ff016a72311e22

SHA1
deaef4843f0bfcb1bf57a93a9e5ed1c4a7a1e009

SHA256
46618b299010b375a3be43493d14de102180a042f03bdfa1d3290d04feba587a

SHA512
261f76a0c02366ca31ec4e964bb414bf6c42587eea79079beb4b6c66875f565ff925d45722b40c84fdd6ac844dad1d878381f87d8b28af75a98310f534af2b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
MD5
5303046dacbdfcb013ff016a72311e22

SHA1
deaef4843f0bfcb1bf57a93a9e5ed1c4a7a1e009

SHA256
46618b299010b375a3be43493d14de102180a042f03bdfa1d3290d04feba587a

SHA512
261f76a0c02366ca31ec4e964bb414bf6c42587eea79079beb4b6c66875f565ff925d45722b40c84fdd6ac844dad1d878381f87d8b28af75a98310f534af2b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UacTest.exe
MD5
7c011f0ea2387f0124c959e3f663cb4d

SHA1
12e668079661c557963236786bb821af4628ee1b

SHA256
6b69a8fd83ca150642a20128f84cdd2e91aaa6852e705e55e4116caa487903c4

SHA512
f5770246c943a997c96713a721d512fc0eaf530f3b7d22abe56f50d35b582af4b9f86a65113dee0f09aa7766d257ac0b29a9a56348891339399a2923b399925e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UacTest.exe
MD5
7c011f0ea2387f0124c959e3f663cb4d

SHA1
12e668079661c557963236786bb821af4628ee1b

SHA256
6b69a8fd83ca150642a20128f84cdd2e91aaa6852e705e55e4116caa487903c4

SHA512
f5770246c943a997c96713a721d512fc0eaf530f3b7d22abe56f50d35b582af4b9f86a65113dee0f09aa7766d257ac0b29a9a56348891339399a2923b399925e

Download Submit
C:\Users\Admin\AppData\Local\Temp\furz.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\furz.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
memory/496-157-0x0000000000000000-mapping.dmp

Download
memory/576-201-0x0000000000000000-mapping.dmp

Download
memory/576-503-0x000002157BF76000-0x000002157BF78000-memory.dmp

Filesize
8KB

Download
memory/576-243-0x000002157BF70000-0x000002157BF72000-memory.dmp

Filesize
8KB

Download
memory/576-260-0x000002157BF73000-0x000002157BF75000-memory.dmp

Filesize
8KB

Download
memory/584-145-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/584-144-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/584-136-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/584-131-0x0000000000000000-mapping.dmp

Download
memory/632-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/632-119-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/632-118-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/632-116-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/632-120-0x0000000005160000-0x0000000005163000-memory.dmp

Filesize
12KB

Download
memory/632-117-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/904-733-0x0000000000000000-mapping.dmp

Download
memory/1240-203-0x0000000000000000-mapping.dmp

Download
memory/1240-247-0x00000237BD550000-0x00000237BD552000-memory.dmp

Filesize
8KB

Download
memory/1240-467-0x00000237BD556000-0x00000237BD558000-memory.dmp

Filesize
8KB

Download
memory/1240-282-0x00000237BD553000-0x00000237BD555000-memory.dmp

Filesize
8KB

Download
memory/1328-142-0x0000000000000000-mapping.dmp

Download
memory/1340-210-0x0000000000000000-mapping.dmp

Download
memory/1340-398-0x00000160AA526000-0x00000160AA528000-memory.dmp

Filesize
8KB

Download
memory/1340-645-0x00000160AA528000-0x00000160AA529000-memory.dmp

Filesize
4KB

Download
memory/1340-262-0x00000160AA520000-0x00000160AA522000-memory.dmp

Filesize
8KB

Download
memory/1340-266-0x00000160AA523000-0x00000160AA525000-memory.dmp

Filesize
8KB

Download
memory/1488-754-0x0000000000000000-mapping.dmp

Download
memory/2120-206-0x0000000000000000-mapping.dmp

Download
memory/2120-506-0x000002EC5DA86000-0x000002EC5DA88000-memory.dmp

Filesize
8KB

Download
memory/2120-251-0x000002EC5DA80000-0x000002EC5DA82000-memory.dmp

Filesize
8KB

Download
memory/2120-283-0x000002EC5DA83000-0x000002EC5DA85000-memory.dmp

Filesize
8KB

Download
memory/2156-153-0x0000000000000000-mapping.dmp

Download
memory/2184-160-0x0000000002BD3000-0x0000000002BD4000-memory.dmp

Filesize
4KB

Download
memory/2184-400-0x0000000002BDA000-0x0000000002BDF000-memory.dmp

Filesize
20KB

Download
memory/2184-128-0x0000000000000000-mapping.dmp

Download
memory/2184-132-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2184-435-0x000000001F361000-0x000000001F366000-memory.dmp

Filesize
20KB

Download
memory/2184-146-0x0000000002BD0000-0x0000000002BD2000-memory.dmp

Filesize
8KB

Download
memory/2184-408-0x000000001F35C000-0x000000001F361000-memory.dmp

Filesize
20KB

Download
memory/2184-405-0x000000001F353000-0x000000001F356000-memory.dmp

Filesize
12KB

Download
memory/2184-161-0x0000000002BD2000-0x0000000002BD3000-memory.dmp

Filesize
4KB

Download
memory/2184-402-0x000000001F359000-0x000000001F35C000-memory.dmp

Filesize
12KB

Download
memory/2184-430-0x000000001F366000-0x000000001F36B000-memory.dmp

Filesize
20KB

Download
memory/2184-389-0x0000000002BD7000-0x0000000002BD8000-memory.dmp

Filesize
4KB

Download
memory/2184-394-0x000000001F356000-0x000000001F359000-memory.dmp

Filesize
12KB

Download
memory/2184-391-0x0000000002BD8000-0x0000000002BDA000-memory.dmp

Filesize
8KB

Download
memory/2184-385-0x000000001F350000-0x000000001F353000-memory.dmp

Filesize
12KB

Download
memory/2184-382-0x0000000002BD5000-0x0000000002BD7000-memory.dmp

Filesize
8KB

Download
memory/2244-137-0x0000000000000000-mapping.dmp

Download
memory/2352-286-0x00000196676D3000-0x00000196676D5000-memory.dmp

Filesize
8KB

Download
memory/2352-514-0x00000196676D6000-0x00000196676D8000-memory.dmp

Filesize
8KB

Download
memory/2352-215-0x0000000000000000-mapping.dmp

Download
memory/2352-269-0x00000196676D0000-0x00000196676D2000-memory.dmp

Filesize
8KB

Download
memory/2604-167-0x0000022E661C0000-0x0000022E661C1000-memory.dmp

Filesize
4KB

Download
memory/2604-162-0x0000000000000000-mapping.dmp

Download
memory/2604-176-0x0000022E65FA6000-0x0000022E65FA8000-memory.dmp

Filesize
8KB

Download
memory/2604-175-0x0000022E65FA3000-0x0000022E65FA5000-memory.dmp

Filesize
8KB

Download
memory/2604-171-0x0000022E67080000-0x0000022E67081000-memory.dmp

Filesize
4KB

Download
memory/2604-174-0x0000022E65FA0000-0x0000022E65FA2000-memory.dmp

Filesize
8KB

Download
memory/2708-866-0x0000000000000000-mapping.dmp

Download
memory/2760-711-0x0000000000000000-mapping.dmp

Download
memory/2984-154-0x0000000000000000-mapping.dmp

Download
memory/3064-641-0x0000022A62C68000-0x0000022A62C69000-memory.dmp

Filesize
4KB

Download
memory/3064-270-0x0000022A62C60000-0x0000022A62C62000-memory.dmp

Filesize
8KB

Download
memory/3064-341-0x0000022A62C66000-0x0000022A62C68000-memory.dmp

Filesize
8KB

Download
memory/3064-200-0x0000000000000000-mapping.dmp

Download
memory/3064-278-0x0000022A62C63000-0x0000022A62C65000-memory.dmp

Filesize
8KB

Download
memory/3140-158-0x0000000000000000-mapping.dmp

Download
memory/3160-149-0x0000000000000000-mapping.dmp

Download
memory/3188-147-0x0000000000000000-mapping.dmp

Download
memory/3296-511-0x0000019E5E3A6000-0x0000019E5E3A8000-memory.dmp

Filesize
8KB

Download
memory/3296-285-0x0000019E5E3A3000-0x0000019E5E3A5000-memory.dmp

Filesize
8KB

Download
memory/3296-256-0x0000019E5E3A0000-0x0000019E5E3A2000-memory.dmp

Filesize
8KB

Download
memory/3296-208-0x0000000000000000-mapping.dmp

Download
memory/3304-202-0x0000000000000000-mapping.dmp

Download
memory/3304-428-0x000001923CB46000-0x000001923CB48000-memory.dmp

Filesize
8KB

Download
memory/3304-239-0x000001923CB43000-0x000001923CB45000-memory.dmp

Filesize
8KB

Download
memory/3304-235-0x000001923CB40000-0x000001923CB42000-memory.dmp

Filesize
8KB

Download
memory/3428-273-0x0000019443150000-0x0000019443152000-memory.dmp

Filesize
8KB

Download
memory/3428-466-0x0000019443156000-0x0000019443158000-memory.dmp

Filesize
8KB

Download
memory/3428-219-0x0000000000000000-mapping.dmp

Download
memory/3428-274-0x0000019443153000-0x0000019443155000-memory.dmp

Filesize
8KB

Download
memory/3692-143-0x0000000000000000-mapping.dmp

Download
memory/3812-713-0x0000000000000000-mapping.dmp

Download
memory/3980-279-0x000002B2B1AD0000-0x000002B2B1AD2000-memory.dmp

Filesize
8KB

Download
memory/3980-199-0x0000000000000000-mapping.dmp

Download
memory/3980-643-0x000002B2B1AD8000-0x000002B2B1AD9000-memory.dmp

Filesize
4KB

Download
memory/3980-345-0x000002B2B1AD6000-0x000002B2B1AD8000-memory.dmp

Filesize
8KB

Download
memory/3980-280-0x000002B2B1AD3000-0x000002B2B1AD5000-memory.dmp

Filesize
8KB

Download
memory/4064-159-0x0000000000000000-mapping.dmp

Download
memory/4064-338-0x0000016C79256000-0x0000016C79258000-memory.dmp

Filesize
8KB

Download
memory/4064-198-0x0000000000000000-mapping.dmp

Download
memory/4064-230-0x0000016C79250000-0x0000016C79252000-memory.dmp

Filesize
8KB

Download
memory/4064-642-0x0000016C79258000-0x0000016C79259000-memory.dmp

Filesize
4KB

Download
memory/4064-233-0x0000016C79253000-0x0000016C79255000-memory.dmp

Filesize
8KB

Download
memory/4080-127-0x0000000005550000-0x0000000005A4E000-memory.dmp

Filesize
5.0MB

Download
memory/4080-126-0x0000000005550000-0x0000000005A4E000-memory.dmp

Filesize
5.0MB

Download
memory/4080-122-0x000000000042C00E-mapping.dmp

Download
memory/4080-121-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4104-287-0x000001F69E873000-0x000001F69E875000-memory.dmp

Filesize
8KB

Download
memory/4104-222-0x0000000000000000-mapping.dmp

Download
memory/4104-277-0x000001F69E870000-0x000001F69E872000-memory.dmp

Filesize
8KB

Download
memory/4104-509-0x000001F69E876000-0x000001F69E878000-memory.dmp

Filesize
8KB

Download
memory/4112-719-0x0000000000000000-mapping.dmp

Download
memory/4240-419-0x0000000000000000-mapping.dmp

Download
memory/4240-433-0x000000001B6D0000-0x000000001B6D2000-memory.dmp

Filesize
8KB

Download
memory/4240-463-0x000000001B6D2000-0x000000001B6D3000-memory.dmp

Filesize
4KB

Download
memory/4240-460-0x000000001B6D3000-0x000000001B6D4000-memory.dmp

Filesize
4KB

Download
memory/4256-761-0x0000000000000000-mapping.dmp

Download
memory/4312-324-0x0000000000000000-mapping.dmp

Download
memory/4432-773-0x0000000000000000-mapping.dmp

Download
memory/4464-776-0x0000000000000000-mapping.dmp

Download
memory/4480-421-0x0000000000000000-mapping.dmp

Download
memory/4584-712-0x0000000000000000-mapping.dmp

Download
memory/4692-745-0x0000000000000000-mapping.dmp

Download
memory/4732-714-0x0000000000000000-mapping.dmp

Download
memory/4920-767-0x0000000000000000-mapping.dmp

Download
memory/4996-726-0x0000000000000000-mapping.dmp

Download
memory/5056-659-0x0000000000000000-mapping.dmp

Download