formbook | 1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986

Analysis

max time kernel
12s
max time network
138s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44696d252000850d3ea71d9ae238aedc.exe
Size

1.0MB
MD5

44696d252000850d3ea71d9ae238aedc
SHA1

1fb61a1df500f9025641526cb4013d555b129a84
SHA256

1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986
SHA512

e1115a0a70b6d532633c1c60733a2aebbdc9e14863deaec7f6e15604c20f9f3ce3d36132ec2b814a4c774b25a6c4c8ccad4003724b98abead2be3f752b9d6314

Score

10^/10

formbook vtkz evasion rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vtkz

http://www.luxuriousshoestop.com/vtkz/

Decoy

todaynewsbuzz.com

bootwish.com

michelleortegawrites.com

tutorialme.com

daretoplaygames.com

telefonepantalla.com

advisorsoncall.life

marketingloisirs.com

cremationmtzionil.com

lgbtsuccess.com

cassandrawind.com

globaltradepay.com

thecafeart.com

starmobilehome.com

ugotshot.com

c03eeniom.store

afcerd.com

eleyhexs.com

utmmarhitzfil.com

saudiisrael.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4392-178-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4392-181-0x000000000041EBC0-mapping.dmp	formbook
behavioral2/memory/4568-251-0x0000000000910000-0x000000000093E000-memory.dmp	formbook
behavioral2/memory/4904-923-0x000000000041EBC0-mapping.dmp	formbook
behavioral2/memory/4028-1076-0x0000000000C80000-0x0000000000CAE000-memory.dmp	formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\0b92e265-6403-4f09-a35f-40e80c75712a\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\0b92e265-6403-4f09-a35f-40e80c75712a\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\0b92e265-6403-4f09-a35f-40e80c75712a\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\a7cf75af-8551-453a-9997-35f56d2c07a3\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\a7cf75af-8551-453a-9997-35f56d2c07a3\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\a7cf75af-8551-453a-9997-35f56d2c07a3\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe36C95A71.exe

pid process

4768 AdvancedRun.exe
4820 AdvancedRun.exe
3492 36C95A71.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	44696d252000850d3ea71d9ae238aedc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	44696d252000850d3ea71d9ae238aedc.exe

Drops startup file 2 IoCs

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe	44696d252000850d3ea71d9ae238aedc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe	44696d252000850d3ea71d9ae238aedc.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\2FDD6624\svchost.exe = "0"	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe = "0"	44696d252000850d3ea71d9ae238aedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe = "0"	44696d252000850d3ea71d9ae238aedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	44696d252000850d3ea71d9ae238aedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	44696d252000850d3ea71d9ae238aedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	44696d252000850d3ea71d9ae238aedc.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	44696d252000850d3ea71d9ae238aedc.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	44696d252000850d3ea71d9ae238aedc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	44696d252000850d3ea71d9ae238aedc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description pid process target process

PID 4652 set thread context of 4392 4652 44696d252000850d3ea71d9ae238aedc.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2824 4652 WerFault.exe 44696d252000850d3ea71d9ae238aedc.exe
2844 3492 WerFault.exe 36C95A71.exe

description	pid	process	target process
PID 4652 set thread context of 4392	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe

pid	pid_target	process	target process
2824	4652	WerFault.exe	44696d252000850d3ea71d9ae238aedc.exe
2844	3492	WerFault.exe	36C95A71.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exe

pid	process
4768	AdvancedRun.exe
4768	AdvancedRun.exe
4768	AdvancedRun.exe
4768	AdvancedRun.exe
4820	AdvancedRun.exe
4820	AdvancedRun.exe
4820	AdvancedRun.exe
4820	AdvancedRun.exe
4968	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exe44696d252000850d3ea71d9ae238aedc.exe

description	pid	process
Token: SeDebugPrivilege	4768	AdvancedRun.exe
Token: SeImpersonatePrivilege	4768	AdvancedRun.exe
Token: SeDebugPrivilege	4820	AdvancedRun.exe
Token: SeImpersonatePrivilege	4820	AdvancedRun.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4652	44696d252000850d3ea71d9ae238aedc.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

44696d252000850d3ea71d9ae238aedc.exeAdvancedRun.exe

description	pid	process	target process
PID 4652 wrote to memory of 4768	4652	44696d252000850d3ea71d9ae238aedc.exe	AdvancedRun.exe
PID 4652 wrote to memory of 4768	4652	44696d252000850d3ea71d9ae238aedc.exe	AdvancedRun.exe
PID 4652 wrote to memory of 4768	4652	44696d252000850d3ea71d9ae238aedc.exe	AdvancedRun.exe
PID 4768 wrote to memory of 4820	4768	AdvancedRun.exe	AdvancedRun.exe
PID 4768 wrote to memory of 4820	4768	AdvancedRun.exe	AdvancedRun.exe
PID 4768 wrote to memory of 4820	4768	AdvancedRun.exe	AdvancedRun.exe
PID 4652 wrote to memory of 4908	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 4908	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 4908	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 4944	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 4944	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 4944	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 4968	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 4968	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 4968	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 5108	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 5108	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 5108	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 2104	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 2104	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 2104	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 3492	4652	44696d252000850d3ea71d9ae238aedc.exe	36C95A71.exe
PID 4652 wrote to memory of 3492	4652	44696d252000850d3ea71d9ae238aedc.exe	36C95A71.exe
PID 4652 wrote to memory of 3492	4652	44696d252000850d3ea71d9ae238aedc.exe	36C95A71.exe
PID 4652 wrote to memory of 3616	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 3616	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 3616	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 3024	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 3024	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 3024	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 3248	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 3248	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 3248	4652	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 4652 wrote to memory of 4288	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 4652 wrote to memory of 4288	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 4652 wrote to memory of 4288	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 4652 wrote to memory of 4284	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 4652 wrote to memory of 4284	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 4652 wrote to memory of 4284	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 4652 wrote to memory of 4392	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 4652 wrote to memory of 4392	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 4652 wrote to memory of 4392	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 4652 wrote to memory of 4392	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 4652 wrote to memory of 4392	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 4652 wrote to memory of 4392	4652	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	44696d252000850d3ea71d9ae238aedc.exe

C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe
"C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4652

C:\Users\Admin\AppData\Local\Temp\0b92e265-6403-4f09-a35f-40e80c75712a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\0b92e265-6403-4f09-a35f-40e80c75712a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0b92e265-6403-4f09-a35f-40e80c75712a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\0b92e265-6403-4f09-a35f-40e80c75712a\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\0b92e265-6403-4f09-a35f-40e80c75712a\AdvancedRun.exe" /SpecialRun 4101d8 4768
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe" -Force
2⤵
PID:4908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe" -Force
2⤵
PID:4944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe" -Force
2⤵
PID:5108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe" -Force
2⤵
PID:2104

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe"
2⤵
- Executes dropped EXE
PID:3492

C:\Users\Admin\AppData\Local\Temp\a7cf75af-8551-453a-9997-35f56d2c07a3\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a7cf75af-8551-453a-9997-35f56d2c07a3\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a7cf75af-8551-453a-9997-35f56d2c07a3\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\a7cf75af-8551-453a-9997-35f56d2c07a3\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a7cf75af-8551-453a-9997-35f56d2c07a3\AdvancedRun.exe" /SpecialRun 4101d8 1320
4⤵
PID:3912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe" -Force
3⤵
PID:4976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe" -Force
3⤵
PID:1712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2FDD6624\svchost.exe" -Force
3⤵
PID:2476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe" -Force
3⤵
PID:2688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2FDD6624\svchost.exe" -Force
3⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 1996
3⤵
- Program crash
PID:2844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2FDD6624\svchost.exe" -Force
2⤵
PID:3616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe" -Force
2⤵
PID:3024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2FDD6624\svchost.exe" -Force
2⤵
PID:3248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:4288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1892
2⤵
- Program crash
PID:2824

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
1⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:3028

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
1⤵
PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fbb8f89b428393287ff4a30424a0b6dd

SHA1
22ce47d0d3b9990e2de45dab63536954d12abc18

SHA256
5dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f

SHA512
cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fbb8f89b428393287ff4a30424a0b6dd

SHA1
22ce47d0d3b9990e2de45dab63536954d12abc18

SHA256
5dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f

SHA512
cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fbb8f89b428393287ff4a30424a0b6dd

SHA1
22ce47d0d3b9990e2de45dab63536954d12abc18

SHA256
5dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f

SHA512
cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f1ee15d9d7e813a07f420b9ff7217465

SHA1
eddb1c6167ff8e7cebdb42530f9aea20de9807e0

SHA256
f0cebcfa646f9b4552bcbac0e621479fa0eea8f0c242a072df7d6dca1655ca7c

SHA512
319eef01c861d43a5ba661ae350222f6b78e52e8dfeb54bf896aaf05aeec804685e066fdc8a6309be00ec786356c7fc327ef13bf0de58e305e7c7e7e486f7231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
08af0afe4ab6191a953b1413cd8dcef4

SHA1
bd1f5302e59e93805aaf172802c78a429b711086

SHA256
32e71ef53632224cb4a624d11b283668df6f0d1fb9f763823f77a6f94bc7df70

SHA512
5066ad5736218a635f7b3a8b3468e85267dd87144eff15d1d1d9b39832f554fb16e3b7ebb3dff98d1636c3d1cbd6fce4bfe2bbcaabfef819992e8110a5463f6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c9110240e100313599d42c509603f0ad

SHA1
5a263061f733056854027553c86ebb12e5ef33d1

SHA256
7564ec99ed81623f4980bf65845ce274133a08839443c9e8338621882911d056

SHA512
2963470c2c6604724bf801ddb7750b20f830722d673553904147394efddfb1b4617cf94ccc27af351006fa3479d32a1383ba0c417c122c5a4d41ec0f137f6103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fbb8f89b428393287ff4a30424a0b6dd

SHA1
22ce47d0d3b9990e2de45dab63536954d12abc18

SHA256
5dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f

SHA512
cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c84dbed60d856724c0c2b1a3a59d8b0c

SHA1
257059d7b3c6dd824f61af8d0a1efbc98d8ce3fb

SHA256
cd084492ac18bb8b47fb270161077bb1e442a801d3b43652653f0054a3082a14

SHA512
47b164830f50104d114d1b9b3d3c1f07135c919960820bd8d883502e9e66c87ee888d71bbe3265f4a0e1c8a5b2677134b0cc87a1c4c53d580ba8a36c56f28286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5f4d7fb93c62d21d779ef2c754c3679a

SHA1
8caf46c7058a17abe24f40ab7718c138b94d3a9a

SHA256
3094bfd71e9d4e357c1955864b110135a2f9710ed2e4c33bc66209289e59c4ae

SHA512
f5d5cd25a67152a8f75fb09d3f9b53a7a6b675f08d65c4b841ce02c2a763bf445755cd2bd5d8f800a04d8b29b08ac85cd297fceae26f2331757f83f47ee5d75c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
8babb65390aa2bbbc13891ab875129a6

SHA1
5c45e8c803cde48b66a38dd2f702fc8ef14afb99

SHA256
7ca70edbe38fb11eddcc7b5f3ee16ad63bad8642dee177f4d36946199cc62105

SHA512
1ffce12dd3c571d29246dd814cee2d53d1a4dbc77cb33cf7c780ffa4687d15fb75a85ce2e2f8ae4cda4d4b910deb1f1e132855c599432afa29b63fb8dff1edda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
1b1607c2b8a762b1629f2734110806cb

SHA1
bdcca508fa4cae5979af48cdda4413c25d64ef96

SHA256
8e7a523fab1949e0c7adcada99174b7aeaaac996a314bad518b47d32ed626449

SHA512
3abe6c5eb1de5b51d57a3a81b10277bbe61e98a17e28a3b528fff98574d980c1ec38a0399e5fd04347b1fb4a9857f172e3742b5b40f8a8f4b5135bce552449c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
82996b23026690b6d573325bb2b1e58b

SHA1
5e4e96968e855e5058c4d338a88397a046dd3c72

SHA256
7e2e39ab8ccb4df9da717aa4af9b2b24e5eafb536ed174fff79b7d8cf331ac78

SHA512
fd76dd142a2f2a0128a8f74c06c1236b70a2f249c84a5f138389adde36f9638c3fc0e257b96a32ec35e5205c7e862b10ab78d3c88a9e0dfe5d2411107b210567

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
894b143f61326971d8419a5b1836e324

SHA1
ab7b6b9e974da624b317ccd99a933bb90bd7629f

SHA256
92d19978bef2f41bbff376c3f405e319a400a37be63718465a4b8bfe170a36b2

SHA512
08428c7cb5ec82c6fa7dcb108c5374343c83c9334441d5782c1ffb194c6fef6a863cd561bdad691bda2b3c20c658c93353742702bf9acb5c431db3d4b469b8d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
894b143f61326971d8419a5b1836e324

SHA1
ab7b6b9e974da624b317ccd99a933bb90bd7629f

SHA256
92d19978bef2f41bbff376c3f405e319a400a37be63718465a4b8bfe170a36b2

SHA512
08428c7cb5ec82c6fa7dcb108c5374343c83c9334441d5782c1ffb194c6fef6a863cd561bdad691bda2b3c20c658c93353742702bf9acb5c431db3d4b469b8d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
894b143f61326971d8419a5b1836e324

SHA1
ab7b6b9e974da624b317ccd99a933bb90bd7629f

SHA256
92d19978bef2f41bbff376c3f405e319a400a37be63718465a4b8bfe170a36b2

SHA512
08428c7cb5ec82c6fa7dcb108c5374343c83c9334441d5782c1ffb194c6fef6a863cd561bdad691bda2b3c20c658c93353742702bf9acb5c431db3d4b469b8d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
894b143f61326971d8419a5b1836e324

SHA1
ab7b6b9e974da624b317ccd99a933bb90bd7629f

SHA256
92d19978bef2f41bbff376c3f405e319a400a37be63718465a4b8bfe170a36b2

SHA512
08428c7cb5ec82c6fa7dcb108c5374343c83c9334441d5782c1ffb194c6fef6a863cd561bdad691bda2b3c20c658c93353742702bf9acb5c431db3d4b469b8d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2a49e438750c79b24d9bfd13620b6264

SHA1
0389574a5a54380945ef655323d0e7093b8ccc26

SHA256
542ddd972caaed1d9418d68ae029a703005b0d23acd01c7921ae7128c9bac1f0

SHA512
7dac005ef1ff83eb6f6e1b717a3e4713c0bd8946b660b1764baf4ac9101ccfafa6f8749cf32b9a7c34aea54312d1d841806c4c8a67042a1254e15512a3f9c67a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
99fd50333e2927a14b186b43d285d03e

SHA1
9e1d0a5b7efc1b38413cc9ac94ac50d56b3c9d2a

SHA256
713ad202e4d731c42631951c2817f90db26337f66830bd447dca3ad0cc315423

SHA512
a1a6160b3fe339fe28a65962c832c41007944da6537594fbb2c3f2d52ea8424ae762e622ed38eacd3543ad629afb8054c7fc3825c802137b2fe56f4e8e3e38fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
9876495dfae0222770e541cb46b4e40c

SHA1
de75ea9b4e0932cee22725aa051fc607d6555667

SHA256
4c6655c8add04d1fabc783c7765f350cf907ffb7ab23dbf0ce743d4f6f3ff713

SHA512
a41e6277302d4e5004366a79da8f1bbe6662f363470b972060cb4b4e0db192c9c05422d9216f9da1a62163ebb03690f7ebd7d04d9e1581175c707896e09733f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2d3fd2d7eaef899cc16b710915504912

SHA1
c62e2f2c965d44f822c2a708194397116993e9f1

SHA256
1e41fa00f43490e3c7e820e4d254a95195750af9aed027e5ae8367e8c065d08b

SHA512
28125343bd2c5b076823c9f6b0550ab5f13f488b518d1f66d043d73451d67e71935c159da8fcac673461907868ce0f09684c67d4b3b4ca0ef9f30ede0373a42d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2d3fd2d7eaef899cc16b710915504912

SHA1
c62e2f2c965d44f822c2a708194397116993e9f1

SHA256
1e41fa00f43490e3c7e820e4d254a95195750af9aed027e5ae8367e8c065d08b

SHA512
28125343bd2c5b076823c9f6b0550ab5f13f488b518d1f66d043d73451d67e71935c159da8fcac673461907868ce0f09684c67d4b3b4ca0ef9f30ede0373a42d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
dbc25f2e7e358975843590d51a908597

SHA1
05dc0740e042aed1b91eb27f1cc5f1729cd61b22

SHA256
09f27a5c93db81ad28a4df0eeee0424ee46426fa6e478871cda449a438aff82d

SHA512
2fc7c4dc5539bc42591899238f08effbe697fe6550cd0bcc8f49ae9c1782839fbc3a4ef1bde0684d5625dcf1c4e2cd9ad536094db6e6fbe5d0cff170b75788f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
64af3a1ec8f091069ea74253ad217864

SHA1
e1aeb6410ede0912274782723afb6bf8e2966626

SHA256
dca6cf047390bd29903fc810a93342273ddd1ea93a43bd1d3b664e14c0c432b4

SHA512
d5bc3b1b48655b42a9c7eebf9415bc7a135f24e78f10e3aaf18562fa0ef1d3cea8eb9b3bc9e3653be66b59472ad098f9372e35c515e7c050b1eaeef84595dfb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
64af3a1ec8f091069ea74253ad217864

SHA1
e1aeb6410ede0912274782723afb6bf8e2966626

SHA256
dca6cf047390bd29903fc810a93342273ddd1ea93a43bd1d3b664e14c0c432b4

SHA512
d5bc3b1b48655b42a9c7eebf9415bc7a135f24e78f10e3aaf18562fa0ef1d3cea8eb9b3bc9e3653be66b59472ad098f9372e35c515e7c050b1eaeef84595dfb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
64af3a1ec8f091069ea74253ad217864

SHA1
e1aeb6410ede0912274782723afb6bf8e2966626

SHA256
dca6cf047390bd29903fc810a93342273ddd1ea93a43bd1d3b664e14c0c432b4

SHA512
d5bc3b1b48655b42a9c7eebf9415bc7a135f24e78f10e3aaf18562fa0ef1d3cea8eb9b3bc9e3653be66b59472ad098f9372e35c515e7c050b1eaeef84595dfb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
64af3a1ec8f091069ea74253ad217864

SHA1
e1aeb6410ede0912274782723afb6bf8e2966626

SHA256
dca6cf047390bd29903fc810a93342273ddd1ea93a43bd1d3b664e14c0c432b4

SHA512
d5bc3b1b48655b42a9c7eebf9415bc7a135f24e78f10e3aaf18562fa0ef1d3cea8eb9b3bc9e3653be66b59472ad098f9372e35c515e7c050b1eaeef84595dfb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
64af3a1ec8f091069ea74253ad217864

SHA1
e1aeb6410ede0912274782723afb6bf8e2966626

SHA256
dca6cf047390bd29903fc810a93342273ddd1ea93a43bd1d3b664e14c0c432b4

SHA512
d5bc3b1b48655b42a9c7eebf9415bc7a135f24e78f10e3aaf18562fa0ef1d3cea8eb9b3bc9e3653be66b59472ad098f9372e35c515e7c050b1eaeef84595dfb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
64af3a1ec8f091069ea74253ad217864

SHA1
e1aeb6410ede0912274782723afb6bf8e2966626

SHA256
dca6cf047390bd29903fc810a93342273ddd1ea93a43bd1d3b664e14c0c432b4

SHA512
d5bc3b1b48655b42a9c7eebf9415bc7a135f24e78f10e3aaf18562fa0ef1d3cea8eb9b3bc9e3653be66b59472ad098f9372e35c515e7c050b1eaeef84595dfb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7665fd1a98f94ea10d4e1e9b2e547b7b

SHA1
fc4ce3a6e12ec07942af6eaa68827358f2f87ede

SHA256
c237086379d68008e7629933e4618ace11efccd770d2a66f178bc82d562c1878

SHA512
dec315cbd23cc2f5986058a147bf5b4aebdb96929a7993c4874bfd4c80f9da7658e26c48ab9ccd91d51ea7a9d72858912c511564f6705edf6d982153119c4fa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bd4458eed52923b07ce59dcd11472ae9

SHA1
15d4ad7d129e42553fe23480e85f2cd4c1c1c7e9

SHA256
f6e021a851abd99a3a646bb3dd600c5a11e759f967530926db88ed619e3a3f18

SHA512
aa12cfe35c5dee72d81a0b88baea28759586b6694333958cbff83ee0692f13829695098a09413d4a89d31331fc7084563f9554727febdbefd1da410fd5fcb72b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bd4458eed52923b07ce59dcd11472ae9

SHA1
15d4ad7d129e42553fe23480e85f2cd4c1c1c7e9

SHA256
f6e021a851abd99a3a646bb3dd600c5a11e759f967530926db88ed619e3a3f18

SHA512
aa12cfe35c5dee72d81a0b88baea28759586b6694333958cbff83ee0692f13829695098a09413d4a89d31331fc7084563f9554727febdbefd1da410fd5fcb72b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
bd4458eed52923b07ce59dcd11472ae9

SHA1
15d4ad7d129e42553fe23480e85f2cd4c1c1c7e9

SHA256
f6e021a851abd99a3a646bb3dd600c5a11e759f967530926db88ed619e3a3f18

SHA512
aa12cfe35c5dee72d81a0b88baea28759586b6694333958cbff83ee0692f13829695098a09413d4a89d31331fc7084563f9554727febdbefd1da410fd5fcb72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b92e265-6403-4f09-a35f-40e80c75712a\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b92e265-6403-4f09-a35f-40e80c75712a\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b92e265-6403-4f09-a35f-40e80c75712a\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7cf75af-8551-453a-9997-35f56d2c07a3\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7cf75af-8551-453a-9997-35f56d2c07a3\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7cf75af-8551-453a-9997-35f56d2c07a3\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
MD5
44696d252000850d3ea71d9ae238aedc

SHA1
1fb61a1df500f9025641526cb4013d555b129a84

SHA256
1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986

SHA512
e1115a0a70b6d532633c1c60733a2aebbdc9e14863deaec7f6e15604c20f9f3ce3d36132ec2b814a4c774b25a6c4c8ccad4003724b98abead2be3f752b9d6314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
MD5
44696d252000850d3ea71d9ae238aedc

SHA1
1fb61a1df500f9025641526cb4013d555b129a84

SHA256
1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986

SHA512
e1115a0a70b6d532633c1c60733a2aebbdc9e14863deaec7f6e15604c20f9f3ce3d36132ec2b814a4c774b25a6c4c8ccad4003724b98abead2be3f752b9d6314

Download Submit
memory/1320-361-0x0000000000000000-mapping.dmp

Download
memory/1712-1221-0x000000007F040000-0x000000007F041000-memory.dmp

Filesize
4KB

Download
memory/1712-837-0x0000000000000000-mapping.dmp

Download
memory/1712-1504-0x0000000001014000-0x0000000001016000-memory.dmp

Filesize
8KB

Download
memory/1712-958-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/1712-1501-0x0000000001013000-0x0000000001014000-memory.dmp

Filesize
4KB

Download
memory/1712-949-0x0000000001012000-0x0000000001013000-memory.dmp

Filesize
4KB

Download
memory/2104-447-0x0000000006613000-0x0000000006614000-memory.dmp

Filesize
4KB

Download
memory/2104-351-0x000000007F180000-0x000000007F181000-memory.dmp

Filesize
4KB

Download
memory/2104-139-0x0000000000000000-mapping.dmp

Download
memory/2104-173-0x0000000006612000-0x0000000006613000-memory.dmp

Filesize
4KB

Download
memory/2104-171-0x0000000006610000-0x0000000006611000-memory.dmp

Filesize
4KB

Download
memory/2476-854-0x0000000000000000-mapping.dmp

Download
memory/2476-954-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2476-1276-0x000000007EC10000-0x000000007EC11000-memory.dmp

Filesize
4KB

Download
memory/2476-992-0x0000000000E62000-0x0000000000E63000-memory.dmp

Filesize
4KB

Download
memory/2688-976-0x0000000001022000-0x0000000001023000-memory.dmp

Filesize
4KB

Download
memory/2688-866-0x0000000000000000-mapping.dmp

Download
memory/2688-964-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/2688-1328-0x000000007E9D0000-0x000000007E9D1000-memory.dmp

Filesize
4KB

Download
memory/3024-150-0x0000000000000000-mapping.dmp

Download
memory/3024-453-0x000000007EA80000-0x000000007EA81000-memory.dmp

Filesize
4KB

Download
memory/3024-183-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3024-187-0x0000000000FB2000-0x0000000000FB3000-memory.dmp

Filesize
4KB

Download
memory/3024-562-0x0000000000FB3000-0x0000000000FB4000-memory.dmp

Filesize
4KB

Download
memory/3040-1031-0x00000000059D0000-0x0000000005AB2000-memory.dmp

Filesize
904KB

Download
memory/3040-218-0x0000000007A50000-0x0000000007B2A000-memory.dmp

Filesize
872KB

Download
memory/3248-610-0x0000000001053000-0x0000000001054000-memory.dmp

Filesize
4KB

Download
memory/3248-158-0x0000000000000000-mapping.dmp

Download
memory/3248-194-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/3248-504-0x000000007E430000-0x000000007E431000-memory.dmp

Filesize
4KB

Download
memory/3248-198-0x0000000001052000-0x0000000001053000-memory.dmp

Filesize
4KB

Download
memory/3492-163-0x0000000005490000-0x000000000598E000-memory.dmp

Filesize
5.0MB

Download
memory/3492-144-0x0000000000000000-mapping.dmp

Download
memory/3616-512-0x0000000000DB3000-0x0000000000DB4000-memory.dmp

Filesize
4KB

Download
memory/3616-400-0x000000007ECF0000-0x000000007ECF1000-memory.dmp

Filesize
4KB

Download
memory/3616-179-0x0000000000DB2000-0x0000000000DB3000-memory.dmp

Filesize
4KB

Download
memory/3616-148-0x0000000000000000-mapping.dmp

Download
memory/3616-176-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3912-601-0x0000000000000000-mapping.dmp

Download
memory/4028-1076-0x0000000000C80000-0x0000000000CAE000-memory.dmp

Filesize
184KB

Download
memory/4028-1077-0x0000000004CD0000-0x0000000004FF0000-memory.dmp

Filesize
3.1MB

Download
memory/4028-1074-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

Filesize
72KB

Download
memory/4028-1067-0x0000000000000000-mapping.dmp

Download
memory/4392-216-0x0000000001340000-0x0000000001660000-memory.dmp

Filesize
3.1MB

Download
memory/4392-181-0x000000000041EBC0-mapping.dmp

Download
memory/4392-217-0x00000000012E0000-0x00000000012F4000-memory.dmp

Filesize
80KB

Download
memory/4392-178-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4568-251-0x0000000000910000-0x000000000093E000-memory.dmp

Filesize
184KB

Download
memory/4568-250-0x0000000001230000-0x0000000001237000-memory.dmp

Filesize
28KB

Download
memory/4568-246-0x0000000000000000-mapping.dmp

Download
memory/4620-970-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/4620-881-0x0000000000000000-mapping.dmp

Download
memory/4620-1322-0x000000007EC50000-0x000000007EC51000-memory.dmp

Filesize
4KB

Download
memory/4620-983-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/4652-120-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/4652-184-0x0000000007020000-0x0000000007023000-memory.dmp

Filesize
12KB

Download
memory/4652-121-0x0000000005990000-0x0000000005E8E000-memory.dmp

Filesize
5.0MB

Download
memory/4652-123-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/4652-119-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/4652-115-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/4652-118-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/4652-117-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/4652-116-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/4652-122-0x0000000005CF0000-0x0000000005D62000-memory.dmp

Filesize
456KB

Download
memory/4768-124-0x0000000000000000-mapping.dmp

Download
memory/4820-127-0x0000000000000000-mapping.dmp

Download
memory/4904-988-0x0000000001870000-0x0000000001B90000-memory.dmp

Filesize
3.1MB

Download
memory/4904-923-0x000000000041EBC0-mapping.dmp

Download
memory/4904-1027-0x0000000001810000-0x0000000001824000-memory.dmp

Filesize
80KB

Download
memory/4908-129-0x0000000000000000-mapping.dmp

Download
memory/4908-157-0x0000000007250000-0x0000000007251000-memory.dmp

Filesize
4KB

Download
memory/4908-142-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/4908-140-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/4908-363-0x0000000007253000-0x0000000007254000-memory.dmp

Filesize
4KB

Download
memory/4908-190-0x0000000007252000-0x0000000007253000-memory.dmp

Filesize
4KB

Download
memory/4908-309-0x000000007ECE0000-0x000000007ECE1000-memory.dmp

Filesize
4KB

Download
memory/4944-185-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/4944-314-0x000000007E9E0000-0x000000007E9E1000-memory.dmp

Filesize
4KB

Download
memory/4944-355-0x0000000004573000-0x0000000004574000-memory.dmp

Filesize
4KB

Download
memory/4944-195-0x0000000004572000-0x0000000004573000-memory.dmp

Filesize
4KB

Download
memory/4944-130-0x0000000000000000-mapping.dmp

Download
memory/4968-201-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/4968-203-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/4968-359-0x0000000000F73000-0x0000000000F74000-memory.dmp

Filesize
4KB

Download
memory/4968-318-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/4968-226-0x0000000007E30000-0x0000000007E31000-memory.dmp

Filesize
4KB

Download
memory/4968-189-0x0000000006B50000-0x0000000006B51000-memory.dmp

Filesize
4KB

Download
memory/4968-192-0x0000000000F72000-0x0000000000F73000-memory.dmp

Filesize
4KB

Download
memory/4968-224-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/4968-131-0x0000000000000000-mapping.dmp

Download
memory/4968-160-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/4976-1226-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

Filesize
4KB

Download
memory/4976-995-0x0000000004BB2000-0x0000000004BB3000-memory.dmp

Filesize
4KB

Download
memory/4976-1508-0x0000000004BB3000-0x0000000004BB4000-memory.dmp

Filesize
4KB

Download
memory/4976-1513-0x0000000004BB4000-0x0000000004BB6000-memory.dmp

Filesize
8KB

Download
memory/4976-943-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/4976-823-0x0000000000000000-mapping.dmp

Download
memory/5108-200-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/5108-134-0x0000000000000000-mapping.dmp

Download
memory/5108-348-0x000000007EA20000-0x000000007EA21000-memory.dmp

Filesize
4KB

Download
memory/5108-168-0x0000000007112000-0x0000000007113000-memory.dmp

Filesize
4KB

Download
memory/5108-396-0x0000000007113000-0x0000000007114000-memory.dmp

Filesize
4KB

Download