51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

Analysis

max time kernel
24s
max time network
137s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa8ce83b306dd68d1d7660919c9dd523.exe
Size

1.4MB
MD5

fa8ce83b306dd68d1d7660919c9dd523
SHA1

1a0c86251a0044d65915640a0042c492e19275a2
SHA256

51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d
SHA512

efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Score

10^/10

evasion trojan

Malware Config

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\716e2dc3-33ec-4faf-bfd0-479e06c8ba96\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\716e2dc3-33ec-4faf-bfd0-479e06c8ba96\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\716e2dc3-33ec-4faf-bfd0-479e06c8ba96\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\856800d8-3265-40d7-9935-8472046dc8cf\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\856800d8-3265-40d7-9935-8472046dc8cf\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\856800d8-3265-40d7-9935-8472046dc8cf\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeB2DAD187.exe

pid process

4028 AdvancedRun.exe
644 AdvancedRun.exe
1444 B2DAD187.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fa8ce83b306dd68d1d7660919c9dd523.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fa8ce83b306dd68d1d7660919c9dd523.exe

Drops startup file 2 IoCs

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe	fa8ce83b306dd68d1d7660919c9dd523.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fa8ce83b306dd68d1d7660919c9dd523.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	fa8ce83b306dd68d1d7660919c9dd523.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description pid process target process

PID 3220 set thread context of 672 3220 fa8ce83b306dd68d1d7660919c9dd523.exe fa8ce83b306dd68d1d7660919c9dd523.exe
Drops file in Windows directory 1 IoCs

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe fa8ce83b306dd68d1d7660919c9dd523.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4124 3220 WerFault.exe fa8ce83b306dd68d1d7660919c9dd523.exe

description	pid	process	target process
PID 3220 set thread context of 672	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe	fa8ce83b306dd68d1d7660919c9dd523.exe

pid	pid_target	process	target process
4124	3220	WerFault.exe	fa8ce83b306dd68d1d7660919c9dd523.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exe

pid	process
4028	AdvancedRun.exe
4028	AdvancedRun.exe
4028	AdvancedRun.exe
4028	AdvancedRun.exe
644	AdvancedRun.exe
644	AdvancedRun.exe
644	AdvancedRun.exe
644	AdvancedRun.exe
3192	powershell.exe
3088	powershell.exe
3964	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exefa8ce83b306dd68d1d7660919c9dd523.exe

description	pid	process
Token: SeDebugPrivilege	4028	AdvancedRun.exe
Token: SeImpersonatePrivilege	4028	AdvancedRun.exe
Token: SeDebugPrivilege	644	AdvancedRun.exe
Token: SeImpersonatePrivilege	644	AdvancedRun.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	3088	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	3220	fa8ce83b306dd68d1d7660919c9dd523.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exeAdvancedRun.exe

description	pid	process	target process
PID 3220 wrote to memory of 4028	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	AdvancedRun.exe
PID 3220 wrote to memory of 4028	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	AdvancedRun.exe
PID 3220 wrote to memory of 4028	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	AdvancedRun.exe
PID 4028 wrote to memory of 644	4028	AdvancedRun.exe	AdvancedRun.exe
PID 4028 wrote to memory of 644	4028	AdvancedRun.exe	AdvancedRun.exe
PID 4028 wrote to memory of 644	4028	AdvancedRun.exe	AdvancedRun.exe
PID 3220 wrote to memory of 3192	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 3192	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 3192	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 3088	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 3088	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 3088	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 3964	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 3964	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 3964	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 596	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 596	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 596	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 1176	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 1176	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 1176	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 1444	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	B2DAD187.exe
PID 3220 wrote to memory of 1444	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	B2DAD187.exe
PID 3220 wrote to memory of 1444	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	B2DAD187.exe
PID 3220 wrote to memory of 1768	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 1768	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 1768	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 2368	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 2368	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 2368	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 2728	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 2728	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 2728	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 3220 wrote to memory of 672	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 3220 wrote to memory of 672	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 3220 wrote to memory of 672	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 3220 wrote to memory of 672	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 3220 wrote to memory of 672	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 3220 wrote to memory of 672	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 3220 wrote to memory of 672	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 3220 wrote to memory of 672	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
PID 3220 wrote to memory of 672	3220	fa8ce83b306dd68d1d7660919c9dd523.exe	fa8ce83b306dd68d1d7660919c9dd523.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe

C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe
"C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3220

C:\Users\Admin\AppData\Local\Temp\716e2dc3-33ec-4faf-bfd0-479e06c8ba96\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\716e2dc3-33ec-4faf-bfd0-479e06c8ba96\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\716e2dc3-33ec-4faf-bfd0-479e06c8ba96\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\716e2dc3-33ec-4faf-bfd0-479e06c8ba96\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\716e2dc3-33ec-4faf-bfd0-479e06c8ba96\AdvancedRun.exe" /SpecialRun 4101d8 4028
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
2⤵
PID:596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
PID:1176

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
2⤵
- Executes dropped EXE
PID:1444

C:\Users\Admin\AppData\Local\Temp\856800d8-3265-40d7-9935-8472046dc8cf\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\856800d8-3265-40d7-9935-8472046dc8cf\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\856800d8-3265-40d7-9935-8472046dc8cf\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\856800d8-3265-40d7-9935-8472046dc8cf\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\856800d8-3265-40d7-9935-8472046dc8cf\AdvancedRun.exe" /SpecialRun 4101d8 2588
4⤵
PID:3748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
PID:4756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
PID:3096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
3⤵
PID:4928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
3⤵
PID:4292

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
3⤵
PID:3748

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
3⤵
PID:4384

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
3⤵
PID:804

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
3⤵
PID:5480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
2⤵
PID:1768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
PID:2368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
2⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe
"C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe"
2⤵
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 1800
2⤵
- Program crash
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
42352a7aa788ddd8928bfca73b18d100

SHA1
550e3fd88f0afbf19c2fca917365df3c0c29a85e

SHA256
f6d6224131234cff584f6a22ffeffdf239bff755d026ff4646067ebf8b4621d1

SHA512
c5894508e186a5f50a8345cf329fa919efb699a0302cdd74e1d93610fc5759d138e1f9dbbff6b570dadce98f0892492d308e12a7931555b205a3507a1b898e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
219e42434f40f43d5cf452a197532455

SHA1
ec53f924f9fbbbeed25e3c45beeac588225ce92c

SHA256
e61126c6965fa7de3ed3d6252ff12e51f74f39d767729dc6d47a8ce9ec9d928c

SHA512
95c5681559cf7fb0a4f187161fff7db057a6b0cb342c31e0ff4d9faf0df7d7e38daac07d10e278b51b4e307d3505c6ad716c9d00bac69d2fddf129d5341fd5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
452fab555df1435d9fc68bc1b8c983ed

SHA1
d4d5e1d4b06f07b0ed62ee4955a8b8caea12f563

SHA256
a7266e2f1c15448e3f890d2608920090e8ce28c03a685302de7e38e95414f5a5

SHA512
79279df176eecd5b3de88c99061f88176a607d1416e07ca42bd47a57b2b0614b7819d869a0e757ffa3c2a5928fc36ce37f406340f44d4c12aa8bedd719227156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
219e42434f40f43d5cf452a197532455

SHA1
ec53f924f9fbbbeed25e3c45beeac588225ce92c

SHA256
e61126c6965fa7de3ed3d6252ff12e51f74f39d767729dc6d47a8ce9ec9d928c

SHA512
95c5681559cf7fb0a4f187161fff7db057a6b0cb342c31e0ff4d9faf0df7d7e38daac07d10e278b51b4e307d3505c6ad716c9d00bac69d2fddf129d5341fd5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
9964f0422b7c522e6d5dda6604d587f4

SHA1
1cf16ac0d4abcf3c68f86b95b5311ccf39e27c34

SHA256
cbe3508089484e56933336e73caecd0fa73728067e1a786028fa375092b867c4

SHA512
63ebdddf9c1c40fc35294f509fe5b19a30a68e0a63f0d04cc9f7b5fb3395998f2b27bb03e2d504ab9337d9da5db3994571c18821916d4b521517ec35ac5df060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
219e42434f40f43d5cf452a197532455

SHA1
ec53f924f9fbbbeed25e3c45beeac588225ce92c

SHA256
e61126c6965fa7de3ed3d6252ff12e51f74f39d767729dc6d47a8ce9ec9d928c

SHA512
95c5681559cf7fb0a4f187161fff7db057a6b0cb342c31e0ff4d9faf0df7d7e38daac07d10e278b51b4e307d3505c6ad716c9d00bac69d2fddf129d5341fd5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
452fab555df1435d9fc68bc1b8c983ed

SHA1
d4d5e1d4b06f07b0ed62ee4955a8b8caea12f563

SHA256
a7266e2f1c15448e3f890d2608920090e8ce28c03a685302de7e38e95414f5a5

SHA512
79279df176eecd5b3de88c99061f88176a607d1416e07ca42bd47a57b2b0614b7819d869a0e757ffa3c2a5928fc36ce37f406340f44d4c12aa8bedd719227156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
67b2d048b94ee61b28be7e245c64a180

SHA1
efc9046d437806194e46c22823a0b04d95def179

SHA256
b569cc97e176d928f207ae644134f11d8a622a5484aa4be7392dff742e43a269

SHA512
76bc6e786077a20b6641b1cd4e4c0feb28e1e97ce80564d65f3096befddf410646a18c3cdef5eeb287070967d0a5ab6f733344a1fc97b51e5f678f209bc98c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
219e42434f40f43d5cf452a197532455

SHA1
ec53f924f9fbbbeed25e3c45beeac588225ce92c

SHA256
e61126c6965fa7de3ed3d6252ff12e51f74f39d767729dc6d47a8ce9ec9d928c

SHA512
95c5681559cf7fb0a4f187161fff7db057a6b0cb342c31e0ff4d9faf0df7d7e38daac07d10e278b51b4e307d3505c6ad716c9d00bac69d2fddf129d5341fd5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
deea6eda5ba6dccfadc32922cfbaa16e

SHA1
949742cf59445f35500645c730785bab8cac586f

SHA256
921b5749a93d6175a71f429c0d4d3220175032f0a6d08f82a6eebc66c58c88a0

SHA512
4240bd40d4b0a9e4d9357dad0941c92ac85c1dff2189179f7f3f8daa9a4bd2aae42757ea907b098c487566d0f808816753f9325dd1ae17883c3868774fb31e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
deea6eda5ba6dccfadc32922cfbaa16e

SHA1
949742cf59445f35500645c730785bab8cac586f

SHA256
921b5749a93d6175a71f429c0d4d3220175032f0a6d08f82a6eebc66c58c88a0

SHA512
4240bd40d4b0a9e4d9357dad0941c92ac85c1dff2189179f7f3f8daa9a4bd2aae42757ea907b098c487566d0f808816753f9325dd1ae17883c3868774fb31e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
deea6eda5ba6dccfadc32922cfbaa16e

SHA1
949742cf59445f35500645c730785bab8cac586f

SHA256
921b5749a93d6175a71f429c0d4d3220175032f0a6d08f82a6eebc66c58c88a0

SHA512
4240bd40d4b0a9e4d9357dad0941c92ac85c1dff2189179f7f3f8daa9a4bd2aae42757ea907b098c487566d0f808816753f9325dd1ae17883c3868774fb31e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
deea6eda5ba6dccfadc32922cfbaa16e

SHA1
949742cf59445f35500645c730785bab8cac586f

SHA256
921b5749a93d6175a71f429c0d4d3220175032f0a6d08f82a6eebc66c58c88a0

SHA512
4240bd40d4b0a9e4d9357dad0941c92ac85c1dff2189179f7f3f8daa9a4bd2aae42757ea907b098c487566d0f808816753f9325dd1ae17883c3868774fb31e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
deea6eda5ba6dccfadc32922cfbaa16e

SHA1
949742cf59445f35500645c730785bab8cac586f

SHA256
921b5749a93d6175a71f429c0d4d3220175032f0a6d08f82a6eebc66c58c88a0

SHA512
4240bd40d4b0a9e4d9357dad0941c92ac85c1dff2189179f7f3f8daa9a4bd2aae42757ea907b098c487566d0f808816753f9325dd1ae17883c3868774fb31e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d360920c4ccd5ae682bd292ef2dbcb27

SHA1
d43a29460b485cb45805174561d4ca148ee08368

SHA256
1e135e165fe70a60c601cf275425ab7d7640d77def16dadfdf1f02262ec89a27

SHA512
9e9bfcdd169103077546990cdf0087553ffb5e0a3f7b981305dace3dc309f9193733976d9193d8366045c9aaf868b676b26d9b733cb3813c047c0589479935c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
420012788be94a897e6878a21dfd3fc8

SHA1
2b6e1e033eb3d7e6490b76eae6c4569ee30bb4e7

SHA256
a05075b0f4c4e8a2f28a1650bd46e98950a88c05d5cb6ac7acdfe0ae1e8d9c8e

SHA512
624f56b9c7f70ac804978310fce1b3da6876ae60dbd56a5389eb6d6844e364c7ce3648f16fefb2a6ec841cdb62cfc3c8d3451a6456c178eff8148193a75c8c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
66a4e8b77f55ea9496ec2156040b3feb

SHA1
e92ef4ea8d9fab2da0547e378532649bd52316e7

SHA256
86c088b788846b39d4b0205a40359f5fca2d6a4d752b6846e26abf9449e2ce13

SHA512
5fe98c2a59a3fa39a7adefc20004f0720dcaf37e0a551d481c7789d11973cfe426d142ae17da74584911a03929527574b4e91d0610c1f9018a1db50192492a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c3a3519c6668df827a362488db013921

SHA1
9805987a318f0942b2e5a45340d9a27e49cee894

SHA256
ae3c773a02ae24afff6886092a8b84f2bac137d752632f70774d968500156563

SHA512
85177b7888b1d02a1221a6a0d6cf35fb2ca827672f9bdb4faafdaa94f04000d54d8ef03e81716aabcbaadff4e47f0a16213bcdbe6d495c5422b8652b36983e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c3a3519c6668df827a362488db013921

SHA1
9805987a318f0942b2e5a45340d9a27e49cee894

SHA256
ae3c773a02ae24afff6886092a8b84f2bac137d752632f70774d968500156563

SHA512
85177b7888b1d02a1221a6a0d6cf35fb2ca827672f9bdb4faafdaa94f04000d54d8ef03e81716aabcbaadff4e47f0a16213bcdbe6d495c5422b8652b36983e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
270a40924f26a21c205d187f6ea03760

SHA1
e4627ddbea5e14b56a495fa0be0796789378a923

SHA256
fc6d20bec146e8237f1fc2fc563904588b0ce208df650238ee516c85c007b787

SHA512
1693aee7c89db02214397f5afcd9a858673a4dde8a323ec676b80b3f92ba52631da0a20318d1f359309b4fd15374a6f8f7cc4449fa252c09c9be8c3416ecd4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
270a40924f26a21c205d187f6ea03760

SHA1
e4627ddbea5e14b56a495fa0be0796789378a923

SHA256
fc6d20bec146e8237f1fc2fc563904588b0ce208df650238ee516c85c007b787

SHA512
1693aee7c89db02214397f5afcd9a858673a4dde8a323ec676b80b3f92ba52631da0a20318d1f359309b4fd15374a6f8f7cc4449fa252c09c9be8c3416ecd4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
270a40924f26a21c205d187f6ea03760

SHA1
e4627ddbea5e14b56a495fa0be0796789378a923

SHA256
fc6d20bec146e8237f1fc2fc563904588b0ce208df650238ee516c85c007b787

SHA512
1693aee7c89db02214397f5afcd9a858673a4dde8a323ec676b80b3f92ba52631da0a20318d1f359309b4fd15374a6f8f7cc4449fa252c09c9be8c3416ecd4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
270a40924f26a21c205d187f6ea03760

SHA1
e4627ddbea5e14b56a495fa0be0796789378a923

SHA256
fc6d20bec146e8237f1fc2fc563904588b0ce208df650238ee516c85c007b787

SHA512
1693aee7c89db02214397f5afcd9a858673a4dde8a323ec676b80b3f92ba52631da0a20318d1f359309b4fd15374a6f8f7cc4449fa252c09c9be8c3416ecd4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
270a40924f26a21c205d187f6ea03760

SHA1
e4627ddbea5e14b56a495fa0be0796789378a923

SHA256
fc6d20bec146e8237f1fc2fc563904588b0ce208df650238ee516c85c007b787

SHA512
1693aee7c89db02214397f5afcd9a858673a4dde8a323ec676b80b3f92ba52631da0a20318d1f359309b4fd15374a6f8f7cc4449fa252c09c9be8c3416ecd4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
270a40924f26a21c205d187f6ea03760

SHA1
e4627ddbea5e14b56a495fa0be0796789378a923

SHA256
fc6d20bec146e8237f1fc2fc563904588b0ce208df650238ee516c85c007b787

SHA512
1693aee7c89db02214397f5afcd9a858673a4dde8a323ec676b80b3f92ba52631da0a20318d1f359309b4fd15374a6f8f7cc4449fa252c09c9be8c3416ecd4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
270a40924f26a21c205d187f6ea03760

SHA1
e4627ddbea5e14b56a495fa0be0796789378a923

SHA256
fc6d20bec146e8237f1fc2fc563904588b0ce208df650238ee516c85c007b787

SHA512
1693aee7c89db02214397f5afcd9a858673a4dde8a323ec676b80b3f92ba52631da0a20318d1f359309b4fd15374a6f8f7cc4449fa252c09c9be8c3416ecd4ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\716e2dc3-33ec-4faf-bfd0-479e06c8ba96\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\716e2dc3-33ec-4faf-bfd0-479e06c8ba96\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\716e2dc3-33ec-4faf-bfd0-479e06c8ba96\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\856800d8-3265-40d7-9935-8472046dc8cf\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\856800d8-3265-40d7-9935-8472046dc8cf\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\856800d8-3265-40d7-9935-8472046dc8cf\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
memory/596-130-0x0000000000000000-mapping.dmp

Download
memory/596-203-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/596-335-0x000000007ED40000-0x000000007ED41000-memory.dmp

Filesize
4KB

Download
memory/596-204-0x0000000004A82000-0x0000000004A83000-memory.dmp

Filesize
4KB

Download
memory/596-452-0x0000000004A83000-0x0000000004A84000-memory.dmp

Filesize
4KB

Download
memory/644-125-0x0000000000000000-mapping.dmp

Download
memory/672-188-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/672-168-0x00000000004080EF-mapping.dmp

Download
memory/672-165-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/804-2348-0x00000000004080EF-mapping.dmp

Download
memory/1176-205-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1176-510-0x0000000000F83000-0x0000000000F84000-memory.dmp

Filesize
4KB

Download
memory/1176-381-0x000000007E450000-0x000000007E451000-memory.dmp

Filesize
4KB

Download
memory/1176-209-0x0000000000F82000-0x0000000000F83000-memory.dmp

Filesize
4KB

Download
memory/1176-131-0x0000000000000000-mapping.dmp

Download
memory/1444-135-0x0000000000000000-mapping.dmp

Download
memory/1444-201-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/1476-2635-0x0000000006CC3000-0x0000000006CC4000-memory.dmp

Filesize
4KB

Download
memory/1476-1176-0x0000000006CC2000-0x0000000006CC3000-memory.dmp

Filesize
4KB

Download
memory/1476-1181-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/1476-2210-0x000000007EA00000-0x000000007EA01000-memory.dmp

Filesize
4KB

Download
memory/1476-1109-0x0000000000000000-mapping.dmp

Download
memory/1768-515-0x0000000006EA3000-0x0000000006EA4000-memory.dmp

Filesize
4KB

Download
memory/1768-429-0x000000007E820000-0x000000007E821000-memory.dmp

Filesize
4KB

Download
memory/1768-206-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/1768-175-0x0000000006EA2000-0x0000000006EA3000-memory.dmp

Filesize
4KB

Download
memory/1768-141-0x0000000000000000-mapping.dmp

Download
memory/2368-147-0x0000000000000000-mapping.dmp

Download
memory/2368-178-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2368-183-0x0000000000C82000-0x0000000000C83000-memory.dmp

Filesize
4KB

Download
memory/2368-460-0x000000007E7C0000-0x000000007E7C1000-memory.dmp

Filesize
4KB

Download
memory/2368-579-0x0000000000C83000-0x0000000000C84000-memory.dmp

Filesize
4KB

Download
memory/2588-870-0x0000000000000000-mapping.dmp

Download
memory/2728-181-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/2728-186-0x0000000007462000-0x0000000007463000-memory.dmp

Filesize
4KB

Download
memory/2728-153-0x0000000000000000-mapping.dmp

Download
memory/2728-436-0x000000007E270000-0x000000007E271000-memory.dmp

Filesize
4KB

Download
memory/2728-520-0x0000000007463000-0x0000000007464000-memory.dmp

Filesize
4KB

Download
memory/3088-307-0x0000000006A93000-0x0000000006A94000-memory.dmp

Filesize
4KB

Download
memory/3088-228-0x0000000008360000-0x0000000008361000-memory.dmp

Filesize
4KB

Download
memory/3088-195-0x0000000006A92000-0x0000000006A93000-memory.dmp

Filesize
4KB

Download
memory/3088-227-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/3088-266-0x000000007E850000-0x000000007E851000-memory.dmp

Filesize
4KB

Download
memory/3088-171-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/3088-189-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/3088-128-0x0000000000000000-mapping.dmp

Download
memory/3088-184-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/3096-1199-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/3096-1163-0x00000000044F2000-0x00000000044F3000-memory.dmp

Filesize
4KB

Download
memory/3096-2218-0x000000007F400000-0x000000007F401000-memory.dmp

Filesize
4KB

Download
memory/3096-2621-0x00000000044F3000-0x00000000044F4000-memory.dmp

Filesize
4KB

Download
memory/3096-1096-0x0000000000000000-mapping.dmp

Download
memory/3192-444-0x00000000048A3000-0x00000000048A4000-memory.dmp

Filesize
4KB

Download
memory/3192-177-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/3192-137-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/3192-191-0x00000000048A2000-0x00000000048A3000-memory.dmp

Filesize
4KB

Download
memory/3192-167-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/3192-127-0x0000000000000000-mapping.dmp

Download
memory/3192-145-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/3192-330-0x000000007E870000-0x000000007E871000-memory.dmp

Filesize
4KB

Download
memory/3220-120-0x0000000005290000-0x00000000052E6000-memory.dmp

Filesize
344KB

Download
memory/3220-119-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3220-117-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/3220-118-0x0000000005300000-0x00000000057FE000-memory.dmp

Filesize
5.0MB

Download
memory/3220-121-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/3220-159-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/3220-116-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/3220-173-0x00000000067F0000-0x00000000067F3000-memory.dmp

Filesize
12KB

Download
memory/3220-115-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3748-933-0x0000000000000000-mapping.dmp

Download
memory/3748-1159-0x00000000004080EF-mapping.dmp

Download
memory/3964-198-0x0000000000F62000-0x0000000000F63000-memory.dmp

Filesize
4KB

Download
memory/3964-326-0x0000000000F63000-0x0000000000F64000-memory.dmp

Filesize
4KB

Download
memory/3964-192-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/3964-286-0x000000007F480000-0x000000007F481000-memory.dmp

Filesize
4KB

Download
memory/3964-129-0x0000000000000000-mapping.dmp

Download
memory/4028-122-0x0000000000000000-mapping.dmp

Download
memory/4292-1116-0x0000000000000000-mapping.dmp

Download
memory/4292-1187-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/4292-2270-0x000000007F280000-0x000000007F281000-memory.dmp

Filesize
4KB

Download
memory/4292-1194-0x0000000004862000-0x0000000004863000-memory.dmp

Filesize
4KB

Download
memory/4384-1735-0x00000000004080EF-mapping.dmp

Download
memory/4756-1157-0x0000000007462000-0x0000000007463000-memory.dmp

Filesize
4KB

Download
memory/4756-1152-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/4756-2201-0x000000007E5C0000-0x000000007E5C1000-memory.dmp

Filesize
4KB

Download
memory/4756-1090-0x0000000000000000-mapping.dmp

Download
memory/4928-1103-0x0000000000000000-mapping.dmp

Download
memory/4928-2264-0x000000007E830000-0x000000007E831000-memory.dmp

Filesize
4KB

Download
memory/4928-1206-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/4928-1170-0x0000000003732000-0x0000000003733000-memory.dmp

Filesize
4KB

Download
memory/5480-2585-0x00000000004080EF-mapping.dmp

Download