blacknet | e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a

Analysis

max time kernel
73s
max time network
119s
platform
windows10_x64
resource
win10v20210408
submitted
01-08-2021 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
Size

220KB
MD5

97cb3fda3cff430377a866d6b437de8f
SHA1

2359c8459c1e1dd133c2842b51d2982e63016f92
SHA256

e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a
SHA512

e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f

Score

10^/10

blacknet bot evasion persistence trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

http://furyx.de/panel

Mutex

BN[c1916af6f3a468e5b6f5c7f6b9c78982]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
true

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\furz.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\furz.exe	family_blacknet
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\furz.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\furz.exe	disable_win_def
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 5 IoCs

Processes:

furz.exeUacTest.exeInpwdja.exeMnrjvryib.exeWindowsUpdate.exe

pid process

188 furz.exe
1508 UacTest.exe
1444 Inpwdja.exe
416 Mnrjvryib.exe
5004 WindowsUpdate.exe

pid	process
188	furz.exe
1508	UacTest.exe
1444	Inpwdja.exe
416	Mnrjvryib.exe
5004	WindowsUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exefurz.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Windows\\Microsoft\\MyClient\\WindowsUpdate.exe"	furz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

description	pid	process	target process
PID 992 set thread context of 3200	992	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

Drops file in Windows directory 2 IoCs

Processes:

furz.exe

description	ioc	process
File created	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe
File opened for modification	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5216 5004 WerFault.exe WindowsUpdate.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4880 schtasks.exe
6040 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

364 taskkill.exe

pid	pid_target	process	target process
5216	5004	WerFault.exe	WindowsUpdate.exe

pid	process
4880	schtasks.exe
6040	schtasks.exe

pid	process
364	taskkill.exe

Modifies registry class 1 IoCs

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3168 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3692 PING.EXE
1272 PING.EXE

pid	process
3168	reg.exe

pid	process
3692	PING.EXE
1272	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exefurz.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3200	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
3200	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
188	furz.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
3928	powershell.exe
4088	powershell.exe
1824	powershell.exe
992	powershell.exe
628	powershell.exe
628	powershell.exe
2796	powershell.exe
2796	powershell.exe
3956	powershell.exe
3956	powershell.exe
3928	powershell.exe
3928	powershell.exe
184	powershell.exe
184	powershell.exe
2240	powershell.exe
2240	powershell.exe
184	powershell.exe
4192	powershell.exe
4192	powershell.exe
4088	powershell.exe
4088	powershell.exe
4352	powershell.exe
4352	powershell.exe
1824	powershell.exe
1824	powershell.exe
4192	powershell.exe
992	powershell.exe
992	powershell.exe
4504	powershell.exe
4504	powershell.exe
628	powershell.exe
628	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exetaskkill.exefurz.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWindowsUpdate.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3200	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
Token: SeDebugPrivilege	364	taskkill.exe
Token: SeDebugPrivilege	188	furz.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeIncreaseQuotaPrivilege	732	powershell.exe
Token: SeSecurityPrivilege	732	powershell.exe
Token: SeTakeOwnershipPrivilege	732	powershell.exe
Token: SeLoadDriverPrivilege	732	powershell.exe
Token: SeSystemProfilePrivilege	732	powershell.exe
Token: SeSystemtimePrivilege	732	powershell.exe
Token: SeProfSingleProcessPrivilege	732	powershell.exe
Token: SeIncBasePriorityPrivilege	732	powershell.exe
Token: SeCreatePagefilePrivilege	732	powershell.exe
Token: SeBackupPrivilege	732	powershell.exe
Token: SeRestorePrivilege	732	powershell.exe
Token: SeShutdownPrivilege	732	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeSystemEnvironmentPrivilege	732	powershell.exe
Token: SeRemoteShutdownPrivilege	732	powershell.exe
Token: SeUndockPrivilege	732	powershell.exe
Token: SeManageVolumePrivilege	732	powershell.exe
Token: 33	732	powershell.exe
Token: 34	732	powershell.exe
Token: 35	732	powershell.exe
Token: 36	732	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	184	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	5004	WindowsUpdate.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeIncreaseQuotaPrivilege	3928	powershell.exe
Token: SeSecurityPrivilege	3928	powershell.exe
Token: SeTakeOwnershipPrivilege	3928	powershell.exe
Token: SeLoadDriverPrivilege	3928	powershell.exe
Token: SeSystemProfilePrivilege	3928	powershell.exe
Token: SeSystemtimePrivilege	3928	powershell.exe
Token: SeProfSingleProcessPrivilege	3928	powershell.exe
Token: SeIncBasePriorityPrivilege	3928	powershell.exe
Token: SeCreatePagefilePrivilege	3928	powershell.exe
Token: SeBackupPrivilege	3928	powershell.exe
Token: SeRestorePrivilege	3928	powershell.exe
Token: SeShutdownPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeSystemEnvironmentPrivilege	3928	powershell.exe
Token: SeRemoteShutdownPrivilege	3928	powershell.exe
Token: SeUndockPrivilege	3928	powershell.exe
Token: SeManageVolumePrivilege	3928	powershell.exe
Token: 33	3928	powershell.exe
Token: 34	3928	powershell.exe
Token: 35	3928	powershell.exe
Token: 36	3928	powershell.exe
Token: SeIncreaseQuotaPrivilege	184	powershell.exe
Token: SeSecurityPrivilege	184	powershell.exe
Token: SeTakeOwnershipPrivilege	184	powershell.exe
Token: SeLoadDriverPrivilege	184	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

furz.exeWindowsUpdate.exe

pid process

188 furz.exe
188 furz.exe
188 furz.exe
5004 WindowsUpdate.exe
5004 WindowsUpdate.exe
5004 WindowsUpdate.exe

pid	process
188	furz.exe
188	furz.exe
188	furz.exe
5004	WindowsUpdate.exe
5004	WindowsUpdate.exe
5004	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exeE6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.execmd.exeUacTest.exeInpwdja.exeMnrjvryib.execmd.execmd.execmd.exefurz.exe

description	pid	process	target process
PID 992 wrote to memory of 3200	992	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 992 wrote to memory of 3200	992	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 992 wrote to memory of 3200	992	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 992 wrote to memory of 3200	992	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 992 wrote to memory of 3200	992	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 992 wrote to memory of 3200	992	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 992 wrote to memory of 3200	992	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 992 wrote to memory of 3200	992	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
PID 3200 wrote to memory of 188	3200	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	furz.exe
PID 3200 wrote to memory of 188	3200	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	furz.exe
PID 3200 wrote to memory of 1508	3200	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	UacTest.exe
PID 3200 wrote to memory of 1508	3200	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	UacTest.exe
PID 3200 wrote to memory of 1508	3200	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	UacTest.exe
PID 3200 wrote to memory of 1532	3200	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	cmd.exe
PID 3200 wrote to memory of 1532	3200	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	cmd.exe
PID 3200 wrote to memory of 1532	3200	E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe	cmd.exe
PID 1532 wrote to memory of 3692	1532	cmd.exe	PING.EXE
PID 1532 wrote to memory of 3692	1532	cmd.exe	PING.EXE
PID 1532 wrote to memory of 3692	1532	cmd.exe	PING.EXE
PID 1532 wrote to memory of 1272	1532	cmd.exe	PING.EXE
PID 1532 wrote to memory of 1272	1532	cmd.exe	PING.EXE
PID 1532 wrote to memory of 1272	1532	cmd.exe	PING.EXE
PID 1508 wrote to memory of 1444	1508	UacTest.exe	Inpwdja.exe
PID 1508 wrote to memory of 1444	1508	UacTest.exe	Inpwdja.exe
PID 1508 wrote to memory of 1444	1508	UacTest.exe	Inpwdja.exe
PID 1508 wrote to memory of 416	1508	UacTest.exe	Mnrjvryib.exe
PID 1508 wrote to memory of 416	1508	UacTest.exe	Mnrjvryib.exe
PID 1508 wrote to memory of 416	1508	UacTest.exe	Mnrjvryib.exe
PID 1444 wrote to memory of 3164	1444	Inpwdja.exe	cmd.exe
PID 1444 wrote to memory of 3164	1444	Inpwdja.exe	cmd.exe
PID 416 wrote to memory of 4028	416	Mnrjvryib.exe	cmd.exe
PID 416 wrote to memory of 4028	416	Mnrjvryib.exe	cmd.exe
PID 416 wrote to memory of 4028	416	Mnrjvryib.exe	cmd.exe
PID 3164 wrote to memory of 2524	3164	cmd.exe	cmd.exe
PID 3164 wrote to memory of 2524	3164	cmd.exe	cmd.exe
PID 2524 wrote to memory of 3168	2524	cmd.exe	reg.exe
PID 2524 wrote to memory of 3168	2524	cmd.exe	reg.exe
PID 4028 wrote to memory of 364	4028	cmd.exe	taskkill.exe
PID 4028 wrote to memory of 364	4028	cmd.exe	taskkill.exe
PID 4028 wrote to memory of 364	4028	cmd.exe	taskkill.exe
PID 188 wrote to memory of 732	188	furz.exe	powershell.exe
PID 188 wrote to memory of 732	188	furz.exe	powershell.exe
PID 188 wrote to memory of 3928	188	furz.exe	powershell.exe
PID 188 wrote to memory of 3928	188	furz.exe	powershell.exe
PID 188 wrote to memory of 1824	188	furz.exe	powershell.exe
PID 188 wrote to memory of 1824	188	furz.exe	powershell.exe
PID 188 wrote to memory of 4088	188	furz.exe	powershell.exe
PID 188 wrote to memory of 4088	188	furz.exe	powershell.exe
PID 188 wrote to memory of 992	188	furz.exe	powershell.exe
PID 188 wrote to memory of 992	188	furz.exe	powershell.exe
PID 188 wrote to memory of 628	188	furz.exe	powershell.exe
PID 188 wrote to memory of 628	188	furz.exe	powershell.exe
PID 188 wrote to memory of 2796	188	furz.exe	powershell.exe
PID 188 wrote to memory of 2796	188	furz.exe	powershell.exe
PID 188 wrote to memory of 3956	188	furz.exe	powershell.exe
PID 188 wrote to memory of 3956	188	furz.exe	powershell.exe
PID 188 wrote to memory of 184	188	furz.exe	powershell.exe
PID 188 wrote to memory of 184	188	furz.exe	powershell.exe
PID 188 wrote to memory of 2240	188	furz.exe	powershell.exe
PID 188 wrote to memory of 2240	188	furz.exe	powershell.exe
PID 188 wrote to memory of 4192	188	furz.exe	powershell.exe
PID 188 wrote to memory of 4192	188	furz.exe	powershell.exe
PID 188 wrote to memory of 4352	188	furz.exe	powershell.exe
PID 188 wrote to memory of 4352	188	furz.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
"C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
"C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\furz.exe
"C:\Users\Admin\AppData\Local\Temp\furz.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "WindowsUpdate.exe" /f
4⤵
PID:5048

C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
"C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
5⤵
PID:4300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
5⤵
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
5⤵
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
5⤵
PID:852

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "WindowsUpdate.exe" /f
5⤵
PID:4440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
5⤵
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
5⤵
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
5⤵
PID:4616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
5⤵
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
5⤵
PID:4188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
5⤵
PID:5124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
5⤵
PID:5284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
5⤵
PID:5516

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:6040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5004 -s 2868
5⤵
- Program crash
PID:5216

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4880

C:\Users\Admin\AppData\Local\Temp\UacTest.exe
"C:\Users\Admin\AppData\Local\Temp\UacTest.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
"C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\ABE5.tmp\ABE6.tmp\ABE7.bat C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\System32\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- Modifies registry key
PID:3168

C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
"C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AC14.tmp\AC15.tmp\AC16.bat C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\taskkill.exe
Taskkill /IM cmd.exe /F
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 100
4⤵
- Runs ping.exe
PID:3692

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 900
4⤵
- Runs ping.exe
PID:1272

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe.log
MD5
4cce90d514b02375cc96049f5979fa96

SHA1
336fdb6c53577dbcac509d31bd515757817bff35

SHA256
ab019bbc94253e3afc0fc09d3722a6eecab94857c734fbd75b3e558cc48427d0

SHA512
530e3566fe42db495103a110dd50d665fef013f2ebd09db1b149f51825fd4406d4e5b8272fceb99581b47609940a2994a14893ca3712ae3cf4509c39b060d3d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
98e68b47d5c01a0ec82ea83f120f3d11

SHA1
47f496e15e643c4b1fbe554f3bc98879e6ce716e

SHA256
47704fcecf0eaf167a8cb47c867b90a90a1460d93f2771e604ec4db7928849a9

SHA512
127459c105746092cb7e13ba0211bc5c428e2f249c92761fbb8383309b2c7671f67fdf2ff60a445eb7a7b07deeb765686416c65d503bf6f9d50e092921e6b2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
897bddaa17d178ccdad917bbc3c1854b

SHA1
1b5cb6b09e68a97722a15eaa39c4c5aa3ce0098f

SHA256
02187effa658e852fe8042ba936057506ba767bbd55a216b545a12d0da6f1abe

SHA512
741ba6b16e236d7960cd69be38b253cca3477c4eda2390b760e322c20e181c8e267c45f24bfa75f2f77828491fc9e86c33506dfb84193d19b93ae257e3180f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a4410b55dc29a7b50f49347756e155af

SHA1
4c034fab2a7ba0b62ae503ed043466c1e5386d7e

SHA256
31e817ee74786c2ce9258a492d0da57ff70507269bc40fecbf3bdab5e9a802e4

SHA512
4da1c7bc0100f6daafc9d046ecc6e5f5b9d0329528f3d59261abdfe979571bc6f19d53963d8e212f71622aa642dc2c78fd294404852f2ca64c74d314949fbbf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
df4fb0da715f9815fecea8ed49f5c3f8

SHA1
3238b61eb28c1a9857828d8fea1c3ab01c617e09

SHA256
9acc131f3ba9ee44958049bcdc6469b64661b5eff704aace7f39818b6103e1d3

SHA512
afc29ba89b7800c2dbde493e8af2adda505a908e484760a156c7fd6b7582fa370bdbea1161da8919e3560a5dfc135f8869580b70a8d8e9fdc44d7652c59ecc5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0a91fd4317fe42c505e0cfc0880a5102

SHA1
2855166ce7d5de9de12f96dca057943deb519990

SHA256
9b0a983d927ca3aafcef39a8fec7da0816e4cf4072ee545738de0ed8c0a7cf32

SHA512
5096d802f0a805fab95fc3ea2efcfa878c976a78c3b5cf5bf5e7b726d972e3d28b36394d80101f812e1bf4d9bb16e0942feabf537c9e396f56adea861ee64702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
688190b133ffe871812ae20550e21ac1

SHA1
bcf68ef99e2f0ef6f09b9b88502f1e201b8279e0

SHA256
777b488f5d4e6ef3f04415367fed8cb7360009060c7a66f42946d73d4c634572

SHA512
f9d6ad81d4b5a5cef98b9a60c62b278f02ec1f4687cba8a9f3377d34642caf0e0d995c76300edd4c1887d272036574ebe60fb58fbf3f0e1af76e223c2333702d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9395a0e8c6da23ca754a59d0e1fdfcd9

SHA1
627b1d93bdfa08cdfd13d8261edac5051ce621ba

SHA256
d86d08072583bee28a09dfc6ada0707696202e12f95457780cdfce354e3375cc

SHA512
47365f099bf89c047e6ca1098ea08eda2b03c9d27d18e6d2f94ad3c75a8e93f20b3945a49bdc0e65a3f71a870a687ab0c55b622c21a035d0191f7eca44056b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c56d667d1d9ed5a3d01767b9361f3702

SHA1
d103c0a1d97803639cd140b058f8751276ae8444

SHA256
8e27009aaf1471e11c4cc6c122b499c001fcf9d5f1e8db6a948db32388585c84

SHA512
809628b79f461cdf5a6cb3d7ab8b49a224360aee06a1d79b9ce546723e84e636254d043f533ee3a00ea4a0c9379d81ba6938fa68240b3cb6d1f41858790bcb97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2c09b7e82494857a58f531398e851b59

SHA1
3be7cead7a9e2c1e708336eeae6d9e0d809492c0

SHA256
303a787330552eae233a2283bafc4a7994de00df0fb13d4a9293108a43761483

SHA512
4043ac3b8609a148c3d57305a16cbb930856795fcfa0cd483a5afa5e73b1a105acaf563b435d8653e71c9b785a0bccb2411d1eb7dea478f42a8efd9e8246ccd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3e29fec30d5612d0c90a0f6621492b36

SHA1
63348df83fe0c82e342456d802cc1ac860ce21e8

SHA256
63aab2eee671c4bc9b0b4e81e8f933431779ee8678b69888ea63e782debf713a

SHA512
44fb3ce341e55c9dd00e55f2b7ba833d80c4089e37b03c27aed093e4167d6e42e1a115460284f89cb07fb1369f106f3c2fdabd1bc13ea1a51940411ca4a39f95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4a4ed829b4da29ad7cdd33abb3ecc6f8

SHA1
330afdce3fe23cd31ef66289b0048b6ba6ce5d78

SHA256
baf41093f2ade1f8762c9da6020a2ca3c73143647344f06e5f868dd87e0ab58c

SHA512
58430bbc552241d8855a2877e8c521331bf489038158a6878b60acf0181ee3322a22a2203aabecb6911283ad277f9273e1c2b511ed694e033688a2b0fbf1469a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
485c1b96ce5ad35284c0da3d6296ead5

SHA1
1456b5afe808dd7b5735df303f04017af16e9199

SHA256
2af44ebe584f97c419e9c349f535016074f1e5fd2182abead8e0f9954905e0c7

SHA512
3d32124f2c0375788c4791687b42850bb48794a8b981e77830cff85238a3c80d9f24bc9e979a3159b1666df56e2c30756a25ee25c8ee0be47ee711b409883691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cbcc232a984f58ee006566707e01c78f

SHA1
2e004af5534c4d6caefe34087b609f5300328a67

SHA256
b8553de6ded9b60915cc2368f223feb190cc9eb4dfdebea07fb4bcdc6b8cd8b8

SHA512
877f0e140b2143cf818e1e6ca18b6b2853493a7eeb6e15f5894eb0de41e159753e82a60d6f67020c7308db617d78831773262d9ae995c931c95c24de836ea247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2a368a10e3596c877434381164f9cc11

SHA1
86ebd3e42cd69bc95242975d05af487328de3a70

SHA256
a267ecbab1d1aa6f987778ed4d3ca677c6aad1020f051409d2b9b81d25003661

SHA512
68c1ac8e123f839c1029d8cf4857a845ea096633f7b282e209d9ad67d5007401baf1005b6ebcd8f646c2988358bfe869b4e25a48d02d8c6b6c5026c63f4cf75d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
489247f20f026f0bef5c2fa211db79c7

SHA1
3d087e0341701fbdba44716be6695a2ab60422ea

SHA256
0ef5061824ac9e2b9f1f9ebb11fd9f8b2d008c743a2c38f1eb986d14ad2956af

SHA512
e59351ef708addf60bee3cc57273111d3579bac8b19c38260cb6d41c1f77167659c3f8bcb6aa8e9f86cbf21d6dc78eca9e9453c13c7a391757e3372d91e80c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fe241a7445008df4231388f263395135

SHA1
2cc38d9e698bccf5eb04a5c98f494bfe04661cb5

SHA256
73e1fe6a85b954cd48415cbb4dc93f08f10ee722b381a3f2ba66528ca62b58c8

SHA512
894bd69b1207901204ec1643d145c386ab5ce504f4e1ca55e5fee8f0dffb26391a22b56e9c3ae13c24493b6b5b9b70d794180687736d49c76c6d2fc1153d459e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f81ba6881341f1ebe5502cafe925fa20

SHA1
eb759043a144513c6091e30b17c68db79c2304a4

SHA256
2a8dfd05ba51f99bd5e105bd33ba2996af815ad8543ee2bc2cff71b39754398a

SHA512
3d7319e551b19dda1d66b72c9682c488699775e49964ce4be3aec8eb2309e23ca38d5dca6b4fb28d691dc8bb38202bf1e41ffd3adfc7af4ce2b29dcd72a987a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e0d0df60d19093af5b74ebc31a7d7ef4

SHA1
a012844c8041e89fa49324a8f72b87caf48e4795

SHA256
03b11828c4c32807901f1d9a0ff9f4e3fd5aa54a2a7b8e3a997445782d7d60e0

SHA512
79e0bde84c8c3e9267343f5cd9b5abf5fd64d4515c4bc060963bf44b1dd6fd251d9aa801c0f302a1f6ea912df998e71452959023b71ae56e1ca087f4d404d5f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
40c59b2160f720a2c8e1a117b5c7f693

SHA1
dc1619601baaa96d5fda53b3d28d0481b0bf7cab

SHA256
899278cdf48005c2efd2d7d0f54ff4191343af22091631f4baa9d2ab832014e3

SHA512
064c52ddc1f4fa88f9fc1abf43db9347db2246563ad0c4da30b768d70331e8298b762c5f25355f05900a5ead9b08e0c947c6c34c37034dc80fe227c6884bb82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c0af24306a06ae4db81c732945552272

SHA1
6db7d319c9bab91694e056a43ab1da9c34421bde

SHA256
d86b33c2fc53f2e240fa33eedb2b80d7e394466f8e87bbda1f5f2864af4e47b6

SHA512
c3bd4723fee1897ff0a5315de6f2f715219c6bb6cbafed42db4261f592f25ea3b0bee80877c9705db500ebd48ee2c5b4793d6a60301ef6668a1025136adaee54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c0af24306a06ae4db81c732945552272

SHA1
6db7d319c9bab91694e056a43ab1da9c34421bde

SHA256
d86b33c2fc53f2e240fa33eedb2b80d7e394466f8e87bbda1f5f2864af4e47b6

SHA512
c3bd4723fee1897ff0a5315de6f2f715219c6bb6cbafed42db4261f592f25ea3b0bee80877c9705db500ebd48ee2c5b4793d6a60301ef6668a1025136adaee54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6d5b9e9c3bbffced49764e1e2a024005

SHA1
40173cb21a1e5effed198ac7cdb85b45c524070a

SHA256
4dc1d6d62ff847a8ab522b9b1fe8565a98dafaccf23a619e4f2ee562cc2e7b84

SHA512
17e4d69fba3dda3fba52f6fc4ab449f360007c20efd0d3ad6dde96c664ed54af3977a7e5602f0d87317a7d2cda88000d2b82ecad0f1358d3df37338188b04de1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fe40692b6d9e6cfa830206a7af074d10

SHA1
99a9461ba6eb3630f17f6fe8b85d8db2e5c135fa

SHA256
304dda159292d91a184ebfa0a4c4eb67edc471fcb317ee1bf0322fb8a588b6ff

SHA512
4eaff3c380b4ba5b8931982f6b367754105131f2e6c9d9e702a0876717ef76d758ba7e115c0bdbab2825b0d8f29409e789cb45d6c1f813489e6ea5d652ecd468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cdd77c8b0a321eab6c448c9ef4f9b653

SHA1
556e8774eb6fe52db245fc4f66cc42a1df77b263

SHA256
98e95b7b843fea1c76a7c2a96041cd8d6bf62fc483e9baabee5f7be50ba6b5cc

SHA512
6682e6a4e9752b028572157085c3e090a8eebeb74d7423c9c70f7932f08605955e0cb186632deae06dadc39a3124d6aeaf74b8b515abfe3e3a7bd6def419696d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c3be77d829b32faf748772b8c408754e

SHA1
2ea461ae23b871c5fce0d3eee22b39c6cfbe1c2d

SHA256
3cd2c5b514bb36b8f7fb8aa5365374b89c2db68c45ddd4d5e01f90929f545302

SHA512
4341edb721ee00a300827ed1cac2708d367a0faedd01af6ec27179abddfde082ae8e66595e8baa435b80b7cf65ea39a751b846f4b7bbf4faff7d4f8f6da44831

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABE5.tmp\ABE6.tmp\ABE7.bat
MD5
befbbfdadeef80e445fdd152a121a6d1

SHA1
67019f2a12662f2ff92dc7977769b0debdbf564e

SHA256
0848f1ac65974856844e59ff3b8d492c88acf43f0fd64505d5bf3fd4e43d9da6

SHA512
867c4ee6cb22ba7ba0d5aa9c16d321f36013588b6057e3f3f0e6de670481ab1f7d46c1553b9410ff753de7e923d1b774db0c8297091fd9c852bdc96fee43ee32

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC14.tmp\AC15.tmp\AC16.bat
MD5
4f4ecd10fc86be6be730390c06be67c8

SHA1
4c59c25907109fd48d8d94caaa8b8266ffa3c7c3

SHA256
a9bf329ec3514d7d5698851137d508b763b1a627747b1ce40ddd5c524538459c

SHA512
b4e89c807071e770b9327693032c8d1ebc06811dfeccfe0892e00deb449b75cb5d921ed2f7ae53d3fae00837bd6eed3fcb0bfc7168cad0f0c44997e51e4365f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
MD5
d1082e6ae11fecd45ebe0f2b3d32230d

SHA1
c070a8395ccb984f5bcd8f22629ffa1b41ea14c1

SHA256
dce696122649ef915c08645cf53e6b118977ce476b076f72d00e3b6f3e309c77

SHA512
d712276a263e77617838a709e4a8d6b18a676832e909f0ab5547d22a128c309c92dc0f1044c62c0782c3f9f3e2103c08dd9eaf6166f17fd7f0165490e17c0ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
MD5
d1082e6ae11fecd45ebe0f2b3d32230d

SHA1
c070a8395ccb984f5bcd8f22629ffa1b41ea14c1

SHA256
dce696122649ef915c08645cf53e6b118977ce476b076f72d00e3b6f3e309c77

SHA512
d712276a263e77617838a709e4a8d6b18a676832e909f0ab5547d22a128c309c92dc0f1044c62c0782c3f9f3e2103c08dd9eaf6166f17fd7f0165490e17c0ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
MD5
5303046dacbdfcb013ff016a72311e22

SHA1
deaef4843f0bfcb1bf57a93a9e5ed1c4a7a1e009

SHA256
46618b299010b375a3be43493d14de102180a042f03bdfa1d3290d04feba587a

SHA512
261f76a0c02366ca31ec4e964bb414bf6c42587eea79079beb4b6c66875f565ff925d45722b40c84fdd6ac844dad1d878381f87d8b28af75a98310f534af2b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
MD5
5303046dacbdfcb013ff016a72311e22

SHA1
deaef4843f0bfcb1bf57a93a9e5ed1c4a7a1e009

SHA256
46618b299010b375a3be43493d14de102180a042f03bdfa1d3290d04feba587a

SHA512
261f76a0c02366ca31ec4e964bb414bf6c42587eea79079beb4b6c66875f565ff925d45722b40c84fdd6ac844dad1d878381f87d8b28af75a98310f534af2b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UacTest.exe
MD5
7c011f0ea2387f0124c959e3f663cb4d

SHA1
12e668079661c557963236786bb821af4628ee1b

SHA256
6b69a8fd83ca150642a20128f84cdd2e91aaa6852e705e55e4116caa487903c4

SHA512
f5770246c943a997c96713a721d512fc0eaf530f3b7d22abe56f50d35b582af4b9f86a65113dee0f09aa7766d257ac0b29a9a56348891339399a2923b399925e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UacTest.exe
MD5
7c011f0ea2387f0124c959e3f663cb4d

SHA1
12e668079661c557963236786bb821af4628ee1b

SHA256
6b69a8fd83ca150642a20128f84cdd2e91aaa6852e705e55e4116caa487903c4

SHA512
f5770246c943a997c96713a721d512fc0eaf530f3b7d22abe56f50d35b582af4b9f86a65113dee0f09aa7766d257ac0b29a9a56348891339399a2923b399925e

Download Submit
C:\Users\Admin\AppData\Local\Temp\furz.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\furz.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
MD5
b72d429d1d690165c7b0de4a074c4a58

SHA1
f0704d227482a80f2f90dab79ed4acd9770fe565

SHA256
b30eebf734354f55373978e395c912393f3c674aaa4717748ae449b09832f6ae

SHA512
f3b565e67d5a15d5305982701bd5f0d37eec0bfe2d152556584fa1d01faf1def6e616d0addea91e0663be084450b49f99e2108cc06a9b50c9e1482f9290b6c5c

Download Submit
memory/184-221-0x0000000000000000-mapping.dmp

Download
memory/184-643-0x000002956F1D8000-0x000002956F1D9000-memory.dmp

Filesize
4KB

Download
memory/184-253-0x000002956F1D0000-0x000002956F1D2000-memory.dmp

Filesize
8KB

Download
memory/184-255-0x000002956F1D3000-0x000002956F1D5000-memory.dmp

Filesize
8KB

Download
memory/184-333-0x000002956F1D6000-0x000002956F1D8000-memory.dmp

Filesize
8KB

Download
memory/188-394-0x000000001F1C6000-0x000000001F1C9000-memory.dmp

Filesize
12KB

Download
memory/188-353-0x000000001F1C0000-0x000000001F1C3000-memory.dmp

Filesize
12KB

Download
memory/188-425-0x000000001F1C9000-0x000000001F1CC000-memory.dmp

Filesize
12KB

Download
memory/188-344-0x000000001B1E5000-0x000000001B1E7000-memory.dmp

Filesize
8KB

Download
memory/188-129-0x0000000000000000-mapping.dmp

Download
memory/188-132-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/188-347-0x000000001B1E7000-0x000000001B1E8000-memory.dmp

Filesize
4KB

Download
memory/188-155-0x000000001B1E2000-0x000000001B1E3000-memory.dmp

Filesize
4KB

Download
memory/188-153-0x000000001B1E3000-0x000000001B1E4000-memory.dmp

Filesize
4KB

Download
memory/188-385-0x000000001F1C3000-0x000000001F1C6000-memory.dmp

Filesize
12KB

Download
memory/188-356-0x000000001B1E8000-0x000000001B1EA000-memory.dmp

Filesize
8KB

Download
memory/188-497-0x000000001F1D1000-0x000000001F1D6000-memory.dmp

Filesize
20KB

Download
memory/188-359-0x000000001B1EA000-0x000000001B1EF000-memory.dmp

Filesize
20KB

Download
memory/188-145-0x000000001B1E0000-0x000000001B1E2000-memory.dmp

Filesize
8KB

Download
memory/188-448-0x000000001F1CC000-0x000000001F1D1000-memory.dmp

Filesize
20KB

Download
memory/364-161-0x0000000000000000-mapping.dmp

Download
memory/416-149-0x0000000000000000-mapping.dmp

Download
memory/628-439-0x0000022AE89F6000-0x0000022AE89F8000-memory.dmp

Filesize
8KB

Download
memory/628-278-0x0000022AE89F0000-0x0000022AE89F2000-memory.dmp

Filesize
8KB

Download
memory/628-205-0x0000000000000000-mapping.dmp

Download
memory/628-279-0x0000022AE89F3000-0x0000022AE89F5000-memory.dmp

Filesize
8KB

Download
memory/688-721-0x0000000000000000-mapping.dmp

Download
memory/732-192-0x000001AAA8246000-0x000001AAA8248000-memory.dmp

Filesize
8KB

Download
memory/732-162-0x0000000000000000-mapping.dmp

Download
memory/732-167-0x000001AAA8180000-0x000001AAA8181000-memory.dmp

Filesize
4KB

Download
memory/732-170-0x000001AAA8240000-0x000001AAA8242000-memory.dmp

Filesize
8KB

Download
memory/732-171-0x000001AAA8243000-0x000001AAA8245000-memory.dmp

Filesize
8KB

Download
memory/732-172-0x000001AAA8250000-0x000001AAA8251000-memory.dmp

Filesize
4KB

Download
memory/852-684-0x0000000000000000-mapping.dmp

Download
memory/992-275-0x0000021ACB603000-0x0000021ACB605000-memory.dmp

Filesize
8KB

Download
memory/992-116-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/992-120-0x0000000000B20000-0x0000000000B23000-memory.dmp

Filesize
12KB

Download
memory/992-118-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/992-114-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/992-119-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/992-117-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/992-264-0x0000021ACB600000-0x0000021ACB602000-memory.dmp

Filesize
8KB

Download
memory/992-202-0x0000000000000000-mapping.dmp

Download
memory/992-392-0x0000021ACB606000-0x0000021ACB608000-memory.dmp

Filesize
8KB

Download
memory/1272-143-0x0000000000000000-mapping.dmp

Download
memory/1444-147-0x0000000000000000-mapping.dmp

Download
memory/1508-144-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/1508-137-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1508-146-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1508-134-0x0000000000000000-mapping.dmp

Download
memory/1532-138-0x0000000000000000-mapping.dmp

Download
memory/1824-198-0x0000000000000000-mapping.dmp

Download
memory/1824-261-0x000002583A833000-0x000002583A835000-memory.dmp

Filesize
8KB

Download
memory/1824-260-0x000002583A830000-0x000002583A832000-memory.dmp

Filesize
8KB

Download
memory/1824-389-0x000002583A836000-0x000002583A838000-memory.dmp

Filesize
8KB

Download
memory/2240-268-0x00000131497C0000-0x00000131497C2000-memory.dmp

Filesize
8KB

Download
memory/2240-269-0x00000131497C3000-0x00000131497C5000-memory.dmp

Filesize
8KB

Download
memory/2240-225-0x0000000000000000-mapping.dmp

Download
memory/2240-451-0x00000131497C6000-0x00000131497C8000-memory.dmp

Filesize
8KB

Download
memory/2524-158-0x0000000000000000-mapping.dmp

Download
memory/2796-242-0x0000022134423000-0x0000022134425000-memory.dmp

Filesize
8KB

Download
memory/2796-434-0x0000022134426000-0x0000022134428000-memory.dmp

Filesize
8KB

Download
memory/2796-211-0x0000000000000000-mapping.dmp

Download
memory/2796-238-0x0000022134420000-0x0000022134422000-memory.dmp

Filesize
8KB

Download
memory/3164-154-0x0000000000000000-mapping.dmp

Download
memory/3168-160-0x0000000000000000-mapping.dmp

Download
memory/3200-121-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3200-122-0x000000000042C00E-mapping.dmp

Download
memory/3200-128-0x0000000002C23000-0x0000000002C25000-memory.dmp

Filesize
8KB

Download
memory/3200-127-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/3692-142-0x0000000000000000-mapping.dmp

Download
memory/3928-339-0x00000215C8926000-0x00000215C8928000-memory.dmp

Filesize
8KB

Download
memory/3928-197-0x0000000000000000-mapping.dmp

Download
memory/3928-230-0x00000215C8920000-0x00000215C8922000-memory.dmp

Filesize
8KB

Download
memory/3928-232-0x00000215C8923000-0x00000215C8925000-memory.dmp

Filesize
8KB

Download
memory/3928-641-0x00000215C8928000-0x00000215C8929000-memory.dmp

Filesize
4KB

Download
memory/3956-248-0x0000025DB7910000-0x0000025DB7912000-memory.dmp

Filesize
8KB

Download
memory/3956-218-0x0000000000000000-mapping.dmp

Download
memory/3956-250-0x0000025DB7913000-0x0000025DB7915000-memory.dmp

Filesize
8KB

Download
memory/3956-444-0x0000025DB7916000-0x0000025DB7918000-memory.dmp

Filesize
8KB

Download
memory/4028-156-0x0000000000000000-mapping.dmp

Download
memory/4088-235-0x000002E655FF0000-0x000002E655FF2000-memory.dmp

Filesize
8KB

Download
memory/4088-336-0x000002E655FF6000-0x000002E655FF8000-memory.dmp

Filesize
8KB

Download
memory/4088-244-0x000002E655FF3000-0x000002E655FF5000-memory.dmp

Filesize
8KB

Download
memory/4088-199-0x0000000000000000-mapping.dmp

Download
memory/4188-733-0x0000000000000000-mapping.dmp

Download
memory/4192-233-0x0000000000000000-mapping.dmp

Download
memory/4192-272-0x0000020555630000-0x0000020555632000-memory.dmp

Filesize
8KB

Download
memory/4192-274-0x0000020555633000-0x0000020555635000-memory.dmp

Filesize
8KB

Download
memory/4192-350-0x0000020555636000-0x0000020555638000-memory.dmp

Filesize
8KB

Download
memory/4300-678-0x0000000000000000-mapping.dmp

Download
memory/4352-487-0x000001EBE2A06000-0x000001EBE2A08000-memory.dmp

Filesize
8KB

Download
memory/4352-283-0x000001EBE2A00000-0x000001EBE2A02000-memory.dmp

Filesize
8KB

Download
memory/4352-285-0x000001EBE2A03000-0x000001EBE2A05000-memory.dmp

Filesize
8KB

Download
memory/4352-245-0x0000000000000000-mapping.dmp

Download
memory/4436-680-0x0000000000000000-mapping.dmp

Download
memory/4440-687-0x0000000000000000-mapping.dmp

Download
memory/4504-429-0x000001D49CFD6000-0x000001D49CFD8000-memory.dmp

Filesize
8KB

Download
memory/4504-316-0x000001D49CFD3000-0x000001D49CFD5000-memory.dmp

Filesize
8KB

Download
memory/4504-315-0x000001D49CFD0000-0x000001D49CFD2000-memory.dmp

Filesize
8KB

Download
memory/4504-257-0x0000000000000000-mapping.dmp

Download
memory/4520-695-0x0000000000000000-mapping.dmp

Download
memory/4544-679-0x0000000000000000-mapping.dmp

Download
memory/4616-704-0x0000000000000000-mapping.dmp

Download
memory/4732-689-0x0000000000000000-mapping.dmp

Download
memory/4880-459-0x0000000000000000-mapping.dmp

Download
memory/5004-501-0x000000001BB83000-0x000000001BB84000-memory.dmp

Filesize
4KB

Download
memory/5004-505-0x000000001BB82000-0x000000001BB83000-memory.dmp

Filesize
4KB

Download
memory/5004-453-0x0000000000000000-mapping.dmp

Download
memory/5004-492-0x000000001BB80000-0x000000001BB82000-memory.dmp

Filesize
8KB

Download
memory/5048-635-0x000001C767670000-0x000001C767672000-memory.dmp

Filesize
8KB

Download
memory/5048-645-0x000001C767676000-0x000001C767678000-memory.dmp

Filesize
8KB

Download
memory/5048-636-0x000001C767673000-0x000001C767675000-memory.dmp

Filesize
8KB

Download
memory/5048-583-0x0000000000000000-mapping.dmp

Download
memory/5048-300-0x0000000000000000-mapping.dmp

Download
memory/5124-742-0x0000000000000000-mapping.dmp

Download
memory/5284-752-0x0000000000000000-mapping.dmp

Download
memory/5516-773-0x0000000000000000-mapping.dmp

Download
memory/6040-835-0x0000000000000000-mapping.dmp

Download