Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15-09-2021 06:49
Static task: static1
Behavioral task: behavioral1
Sample: e9bb5824bdcb260753367e68abfa8fb5.exe
Resource: win7-en
General
- Target: e9bb5824bdcb260753367e68abfa8fb5.exe
- Size: 1.4MB
- MD5: e9bb5824bdcb260753367e68abfa8fb5
- SHA1: 956c467cdbecf98b250f780aa3d8cd1d9634f3a4
- SHA256: f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db
- SHA512: e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f
Malware Config
Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs

Looks for VirtualBox Guest Additions in registry 2 TTPs
Nirsoft 6 IoCs
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\01399def-fa70-49b6-82b2-4de6d3b05d27\AdvancedRun.exe | Nirsoft
- C:\Users\Admin\AppData\Local\Temp\01399def-fa70-49b6-82b2-4de6d3b05d27\AdvancedRun.exe | Nirsoft
- C:\Users\Admin\AppData\Local\Temp\01399def-fa70-49b6-82b2-4de6d3b05d27\AdvancedRun.exe | Nirsoft
- C:\Users\Admin\AppData\Local\Temp\263236b4-67fe-4e3b-9af9-62aede0a58e4\AdvancedRun.exe | Nirsoft
- C:\Users\Admin\AppData\Local\Temp\263236b4-67fe-4e3b-9af9-62aede0a58e4\AdvancedRun.exe | Nirsoft
- C:\Users\Admin\AppData\Local\Temp\263236b4-67fe-4e3b-9af9-62aede0a58e4\AdvancedRun.exe | Nirsoft

Executes dropped EXE 3 IoCs
Processes:
pid | process
- 1464 | AdvancedRun.exe
- 732 | AdvancedRun.exe
- 2388 | B2DAD187.exe
Looks for VMWare Tools registry key 2 TTPs

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e9bb5824bdcb260753367e68abfa8fb5.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e9bb5824bdcb260753367e68abfa8fb5.exe

Drops startup file 2 IoCs
Processes:
description | ioc | process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
Windows security modification 12 IoCs
Processes:
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | e9bb5824bdcb260753367e68abfa8fb5.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | e9bb5824bdcb260753367e68abfa8fb5.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | e9bb5824bdcb260753367e68abfa8fb5.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | e9bb5824bdcb260753367e68abfa8fb5.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe = "0" | e9bb5824bdcb260753367e68abfa8fb5.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | e9bb5824bdcb260753367e68abfa8fb5.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | e9bb5824bdcb260753367e68abfa8fb5.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | e9bb5824bdcb260753367e68abfa8fb5.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe = "0" | e9bb5824bdcb260753367e68abfa8fb5.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | e9bb5824bdcb260753367e68abfa8fb5.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe = "0" | e9bb5824bdcb260753367e68abfa8fb5.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | e9bb5824bdcb260753367e68abfa8fb5.exe
Checks whether UAC is enabled 2 IoCs
Processes:
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | e9bb5824bdcb260753367e68abfa8fb5.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e9bb5824bdcb260753367e68abfa8fb5.exe
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | e9bb5824bdcb260753367e68abfa8fb5.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | e9bb5824bdcb260753367e68abfa8fb5.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
- PID 996 set thread context of 2092 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | e9bb5824bdcb260753367e68abfa8fb5.exe

Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
- File created | C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
- File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
- 4048 | 996 | WerFault.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
- 5900 | 2388 | WerFault.exe | B2DAD187.exe
Suspicious behavior: EnumeratesProcesses 49 IoCs
Processes:
pid | process
- 1464 | AdvancedRun.exe
- 1464 | AdvancedRun.exe
- 1464 | AdvancedRun.exe
- 1464 | AdvancedRun.exe
- 732 | AdvancedRun.exe
- 732 | AdvancedRun.exe
- 732 | AdvancedRun.exe
- 732 | AdvancedRun.exe
- 3944 | powershell.exe
- 1784 | powershell.exe
- 3196 | powershell.exe
- 1652 | powershell.exe
- 4008 | powershell.exe
- 3824 | powershell.exe
- 2712 | powershell.exe
- 2712 | powershell.exe
- 576 | powershell.exe
- 576 | powershell.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 4048 | WerFault.exe
- 1784 | powershell.exe
- 1784 | powershell.exe
- 3196 | powershell.exe
- 3196 | powershell.exe
- 3944 | powershell.exe
- 3944 | powershell.exe
- 4008 | powershell.exe
- 4008 | powershell.exe
- 1652 | powershell.exe
- 1652 | powershell.exe
- 2712 | powershell.exe
- 576 | powershell.exe
- 3824 | powershell.exe
- 3824 | powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
description | pid | process
- Token: SeDebugPrivilege | 1464 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 1464 | AdvancedRun.exe
- Token: SeDebugPrivilege | 732 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 732 | AdvancedRun.exe
- Token: SeDebugPrivilege | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe
- Token: SeDebugPrivilege | 3944 | powershell.exe
- Token: SeDebugPrivilege | 1784 | powershell.exe
- Token: SeDebugPrivilege | 3196 | powershell.exe
- Token: SeRestorePrivilege | 4048 | WerFault.exe
- Token: SeBackupPrivilege | 4048 | WerFault.exe
- Token: SeBackupPrivilege | 4048 | WerFault.exe
- Token: SeDebugPrivilege | 1652 | powershell.exe
- Token: SeDebugPrivilege | 4008 | powershell.exe
- Token: SeDebugPrivilege | 3824 | powershell.exe
- Token: SeDebugPrivilege | 2712 | powershell.exe
- Token: SeDebugPrivilege | 576 | powershell.exe
- Token: SeDebugPrivilege | 4048 | WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
- 2092 | e9bb5824bdcb260753367e68abfa8fb5.exe

Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
- 2092 | e9bb5824bdcb260753367e68abfa8fb5.exe

Suspicious use of WriteProcessMemory 42 IoCs
Processes:
description | pid | process | target process
- PID 996 wrote to memory of 1464 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | AdvancedRun.exe
- PID 996 wrote to memory of 1464 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | AdvancedRun.exe
- PID 996 wrote to memory of 1464 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | AdvancedRun.exe
- PID 1464 wrote to memory of 732 | 1464 | AdvancedRun.exe | AdvancedRun.exe
- PID 1464 wrote to memory of 732 | 1464 | AdvancedRun.exe | AdvancedRun.exe
- PID 1464 wrote to memory of 732 | 1464 | AdvancedRun.exe | AdvancedRun.exe
- PID 996 wrote to memory of 3944 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 3944 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 3944 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 1784 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 1784 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 1784 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 3196 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 3196 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 3196 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 1652 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 1652 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 1652 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 4008 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 4008 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 4008 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 2388 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | B2DAD187.exe
- PID 996 wrote to memory of 2388 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | B2DAD187.exe
- PID 996 wrote to memory of 2388 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | B2DAD187.exe
- PID 996 wrote to memory of 2712 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 2712 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 2712 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 3824 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 3824 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 3824 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 576 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 576 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 576 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | powershell.exe
- PID 996 wrote to memory of 2092 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
- PID 996 wrote to memory of 2092 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
- PID 996 wrote to memory of 2092 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
- PID 996 wrote to memory of 2092 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
- PID 996 wrote to memory of 2092 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
- PID 996 wrote to memory of 2092 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
- PID 996 wrote to memory of 2092 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
- PID 996 wrote to memory of 2092 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | e9bb5824bdcb260753367e68abfa8fb5.exe
- PID 996 wrote to memory of 2092 | 996 | e9bb5824bdcb260753367e68abfa8fb5.exe | e9bb5824bdcb260753367e68abfa8fb5.exe

System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | e9bb5824bdcb260753367e68abfa8fb5.exe
Processes

C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe"
  - Checks BIOS information in registry
  - Drops startup file
  - Windows security modification
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Users\Admin\AppData\Local\Temp\01399def-fa70-49b6-82b2-4de6d3b05d27\AdvancedRun.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\01399def-fa70-49b6-82b2-4de6d3b05d27\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\01399def-fa70-49b6-82b2-4de6d3b05d27\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\01399def-fa70-49b6-82b2-4de6d3b05d27\AdvancedRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\01399def-fa70-49b6-82b2-4de6d3b05d27\AdvancedRun.exe" /SpecialRun 4101d8 1464
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
      - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\263236b4-67fe-4e3b-9af9-62aede0a58e4\AdvancedRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\263236b4-67fe-4e3b-9af9-62aede0a58e4\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\263236b4-67fe-4e3b-9af9-62aede0a58e4\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run

            C:\Users\Admin\AppData\Local\Temp\263236b4-67fe-4e3b-9af9-62aede0a58e4\AdvancedRun.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\263236b4-67fe-4e3b-9af9-62aede0a58e4\AdvancedRun.exe" /SpecialRun 4101d8 2196

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 1948
          - Program crash

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe"
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1856
      - Drops file in Windows directory
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
101343244d619fd29dc007b34351865b
SHA1a721bf0ee99f24b3e6c263033cfa02a63d4175cc
SHA256286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043
SHA5121a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
fbb8f89b428393287ff4a30424a0b6dd
SHA122ce47d0d3b9990e2de45dab63536954d12abc18
SHA2565dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f
SHA512cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
fbb8f89b428393287ff4a30424a0b6dd
SHA122ce47d0d3b9990e2de45dab63536954d12abc18
SHA2565dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f
SHA512cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
fbb8f89b428393287ff4a30424a0b6dd
SHA122ce47d0d3b9990e2de45dab63536954d12abc18
SHA2565dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f
SHA512cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
ccd2c8d2728cd1b4fa0c98727a42610f
SHA191e88177f419fd7f68039df31f180c4c1c8914c5
SHA25636cd8833faf0c205e580dac36d5356b897eddbeb5bd2a1cc47180ca0cdaf1e40
SHA512c9f73ab538a2e0ddae0376ed54a311fae6180b0e0bf41595c5f02d8dbf3e0e6ce46decb7ba7b0756449e73f29396539c0112fd5831445eecc2d2b158160b8d2d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
fbb8f89b428393287ff4a30424a0b6dd
SHA122ce47d0d3b9990e2de45dab63536954d12abc18
SHA2565dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f
SHA512cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
71f1cd7681a0b887f835e3aadeea7767
SHA1f784f0ff4b999ddfa59633e592aba8736763bf50
SHA256f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42
SHA512450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f
SHA1cc38cfcd0b4265eb2200f105c9ae46b3809beb72
SHA256b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a
SHA512ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f
SHA1cc38cfcd0b4265eb2200f105c9ae46b3809beb72
SHA256b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a
SHA512ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
fe622a76aead0c5a6074ffbd89dc3911
SHA1f6a771a51d9453036d46040416c952e6c9a2cfe4
SHA256d37014a7c7ef0f60c888698a07feb4e7570ffdd17f4bc2d1642053d63403c365
SHA512037c825cd5ad7525c34713aea38741f446fd4bdc408cffb16097e3136667de8378d683108aad6b2c304d815646b0da2adab675554756c2cfa5b2d773c861395d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
44f7a45c7cfdab540ce19428f93aa98f
SHA1ee8ef760ddbbdf69f8abd57ae9152839e192f88f
SHA2568d07a8fd1abe3a4d2db42caf850599871c6703f57b7db717e857932b5a8f8a09
SHA5123f0d7f4849fed96a981a2093e7f9709c6a7c85b7f91e60646d7b0ca2e3f2407b9da4cd8af8d76816463d22e46567afc97b1891708c989241ddee427f1fc0e09b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
54b389a19d2d06a6b9ae17ba1c96fc5e
SHA11970cf5bf46da7bef8305ad3f8543cc310354c92
SHA256e87b38fc3f390a8b430c92ae83f5294c94208ca235aea8ee5762aac39740991b
SHA5124c76fdbe3be1f8b46c099689bcb9edc4da848c542301052b49c313ad3721a0cdb176568bb77f78a2adf5c389184705fa0e4ffe0e6e728c67f27f8f8f384da1ae
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
54b389a19d2d06a6b9ae17ba1c96fc5e
SHA11970cf5bf46da7bef8305ad3f8543cc310354c92
SHA256e87b38fc3f390a8b430c92ae83f5294c94208ca235aea8ee5762aac39740991b
SHA5124c76fdbe3be1f8b46c099689bcb9edc4da848c542301052b49c313ad3721a0cdb176568bb77f78a2adf5c389184705fa0e4ffe0e6e728c67f27f8f8f384da1ae
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
fb695308b404187628362c72c548c690
SHA1545ff845a6c149c0bcb087af9e0ceb71e6201f28
SHA2561cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce
SHA512ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
94abf236041096b3785f27dbba33da58
SHA1ae8b2161a9f0e012d68919d7197f53e32c28e945
SHA25650f7c8137d5abb6525220bd5eaa0e4a9e96de6801bf92de24b4f9a05d1b10409
SHA512f433935d2149cbaa32fa789c364aa53b8680a12f388acc4d8773a06112582df5b68ec30faf2254a7c5488f06d69793a70c64717bd11dbac3473d6c559ef4a86b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
d231baaad297b09e7194fc089e9dbf27
SHA132068844ee5a606246f026cfa832e7e72b6ea83d
SHA256ed94133729ddefd83501f9f449403486f88746c2c2560a596b6b5e4dec55c0cc
SHA512741e3f89ce93df9320a2b22c1070ea0c479080f85a1c1b3507b5a0d869456cb85796314d82e97061049a2d94a036078f8e9382c87b9fec1c38f01734e6d9a5e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
67798dcd41842b9415eb0e5bc2308e88
SHA1d71b93cfaaf383d10e27e75a33aeb82a2c10b1cb
SHA25656cf979659b3aae519b65041422ebb3c7e28e0686e3abbb142ac538f0b9d5f1a
SHA5122d37de094df2352345720294fb90c52938585faebbe481a095cd8bc29c5a00ad6428748b63e84794e1fa31591c961c9fc1871aac700a21aebadf69565891be7e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
8a482813981ad1760fa36635b0e63dbe
SHA16b51430c42631bd88db251daa797538d03c6e867
SHA25624ec75a7a807b5a0a2d848cd37c940facd5092523fe7767da1f75f5ee93e4496
SHA512c073321641b2e8d50af0773ad963bbb97baf959e05f464cd0f9d406751a08f43d2d0d4a13a8a46f61fc3a192a9fa0c2a537054a7c11f8295d369c1c2db686794
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
0b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
d8eb5a24a7d3fe922ca66320889aef82
SHA1b1ef56bd86256207dde99e19c3e576346cae71d6
SHA25696f916e0955493da1f5aca9a182251623d1976517bdd5b48957ae4973b498741
SHA51287ce6123c3ead5092ea1e1c6d5ff990b61ad3bff575f9907aa60990e316f26532051052f87594b6c7d6a53b6a9499659684f2dac7f96d7eb11972ab299945ac0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
101343244d619fd29dc007b34351865b
SHA1a721bf0ee99f24b3e6c263033cfa02a63d4175cc
SHA256286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043
SHA5121a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5 00fd502d9affb78c109eb41109a7d9d3
SHA1 d39475002ee0253d78ada6a6658e4a29ec385216
SHA256 731348f7defc8959e0272ada5276c8755f45833628d61fe560eb85d914230920
SHA512 907bc1e430d62fd3151dffed84cf76aacd615b1331b1ea2b23b23abaa76dae7fd6ecd383ad511220ecde5b14abb436296ca0ddad4fc2c96e00d9dc675afa0da8
-
C:\Users\Admin\AppData\Local\Temp\01399def-fa70-49b6-82b2-4de6d3b05d27\AdvancedRun.exe
MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\263236b4-67fe-4e3b-9af9-62aede0a58e4\AdvancedRun.exe
MD5 17fc12902f4769af3a9271eb4e2dacce
SHA1 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5 e9bb5824bdcb260753367e68abfa8fb5
SHA1 956c467cdbecf98b250f780aa3d8cd1d9634f3a4
SHA256 f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db
SHA512 e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f
-
memory/576-149-0x0000000000000000-mapping.dmp
-
memory/576-533-0x0000000006583000-0x0000000006584000-memory.dmp
Filesize 4KB
-
memory/576-427-0x000000007E270000-0x000000007E271000-memory.dmp
Filesize 4KB
-
memory/576-187-0x0000000006582000-0x0000000006583000-memory.dmp
Filesize 4KB
-
memory/576-185-0x0000000006580000-0x0000000006581000-memory.dmp
Filesize 4KB
-
memory/732-124-0x0000000000000000-mapping.dmp
-
memory/800-2944-0x00000000004080EF-mapping.dmp
-
memory/996-159-0x0000000006BC0000-0x0000000006BC1000-memory.dmp
Filesize 4KB
-
memory/996-119-0x0000000005650000-0x00000000056A6000-memory.dmp
Filesize 344KB
-
memory/996-115-0x0000000005B50000-0x0000000005B51000-memory.dmp
Filesize 4KB
-
memory/996-114-0x0000000000C00000-0x0000000000C01000-memory.dmp
Filesize 4KB
-
memory/996-116-0x00000000055A0000-0x00000000055A1000-memory.dmp
Filesize 4KB
-
memory/996-117-0x0000000005500000-0x0000000005592000-memory.dmp
Filesize 584KB
-
memory/996-118-0x00000000056F0000-0x00000000056F1000-memory.dmp
Filesize 4KB
-
memory/996-120-0x0000000005870000-0x0000000005871000-memory.dmp
Filesize 4KB
-
memory/996-173-0x0000000006BB0000-0x0000000006BB3000-memory.dmp
Filesize 12KB
-
memory/1464-121-0x0000000000000000-mapping.dmp
-
memory/1536-1013-0x00000000004080EF-mapping.dmp
-
memory/1652-480-0x00000000003B3000-0x00000000003B4000-memory.dmp
Filesize 4KB
-
memory/1652-192-0x00000000003B0000-0x00000000003B1000-memory.dmp
Filesize 4KB
-
memory/1652-162-0x00000000003B2000-0x00000000003B3000-memory.dmp
Filesize 4KB
-
memory/1652-360-0x000000007F580000-0x000000007F581000-memory.dmp
Filesize 4KB
-
memory/1652-129-0x0000000000000000-mapping.dmp
-
memory/1784-127-0x0000000000000000-mapping.dmp
-
memory/1784-190-0x0000000004B72000-0x0000000004B73000-memory.dmp
Filesize 4KB
-
memory/1784-353-0x0000000004B73000-0x0000000004B74000-memory.dmp
Filesize 4KB
-
memory/1784-293-0x000000007EC40000-0x000000007EC41000-memory.dmp
Filesize 4KB
-
memory/1784-170-0x0000000004B70000-0x0000000004B71000-memory.dmp
Filesize 4KB
-
memory/2092-166-0x0000000000400000-0x0000000000412000-memory.dmp
Filesize 72KB
-
memory/2092-167-0x00000000004080EF-mapping.dmp
-
memory/2092-181-0x0000000000400000-0x0000000000412000-memory.dmp
Filesize 72KB
-
memory/2196-719-0x0000000000000000-mapping.dmp
-
memory/2388-135-0x0000000000000000-mapping.dmp
-
memory/2388-193-0x00000000054A0000-0x000000000599E000-memory.dmp
Filesize 5.0MB
-
memory/2712-175-0x0000000004950000-0x0000000004951000-memory.dmp
Filesize 4KB
-
memory/2712-188-0x0000000004952000-0x0000000004953000-memory.dmp
Filesize 4KB
-
memory/2712-473-0x0000000004953000-0x0000000004954000-memory.dmp
Filesize 4KB
-
memory/2712-380-0x000000007EC80000-0x000000007EC81000-memory.dmp
Filesize 4KB
-
memory/2712-139-0x0000000000000000-mapping.dmp
-
memory/3196-189-0x0000000007520000-0x0000000007521000-memory.dmp
Filesize 4KB
-
memory/3196-191-0x0000000007522000-0x0000000007523000-memory.dmp
Filesize 4KB
-
memory/3196-315-0x000000007FD80000-0x000000007FD81000-memory.dmp
Filesize 4KB
-
memory/3196-421-0x0000000007523000-0x0000000007524000-memory.dmp
Filesize 4KB
-
memory/3196-128-0x0000000000000000-mapping.dmp
-
memory/3824-178-0x0000000004410000-0x0000000004411000-memory.dmp
Filesize 4KB
-
memory/3824-183-0x0000000004412000-0x0000000004413000-memory.dmp
Filesize 4KB
-
memory/3824-483-0x0000000004413000-0x0000000004414000-memory.dmp
Filesize 4KB
-
memory/3824-376-0x000000007EBB0000-0x000000007EBB1000-memory.dmp
Filesize 4KB
-
memory/3824-145-0x0000000000000000-mapping.dmp
-
memory/3944-195-0x0000000007660000-0x0000000007661000-memory.dmp
Filesize 4KB
-
memory/3944-144-0x0000000006ED0000-0x0000000006ED1000-memory.dmp
Filesize 4KB
-
memory/3944-369-0x00000000044F3000-0x00000000044F4000-memory.dmp
Filesize 4KB
-
memory/3944-198-0x00000000077E0000-0x00000000077E1000-memory.dmp
Filesize 4KB
-
memory/3944-126-0x0000000000000000-mapping.dmp
-
memory/3944-226-0x0000000006A80000-0x0000000006A81000-memory.dmp
Filesize 4KB
-
memory/3944-172-0x00000000044F2000-0x00000000044F3000-memory.dmp
Filesize 4KB
-
memory/3944-229-0x0000000007F50000-0x0000000007F51000-memory.dmp
Filesize 4KB
-
memory/3944-270-0x000000007E970000-0x000000007E971000-memory.dmp
Filesize 4KB
-
memory/3944-194-0x0000000007630000-0x0000000007631000-memory.dmp
Filesize 4KB
-
memory/3944-140-0x00000000043D0000-0x00000000043D1000-memory.dmp
Filesize 4KB
-
memory/3944-157-0x00000000044F0000-0x00000000044F1000-memory.dmp
Filesize 4KB
-
memory/4008-130-0x0000000000000000-mapping.dmp
-
memory/4008-165-0x0000000004782000-0x0000000004783000-memory.dmp
Filesize 4KB
-
memory/4008-432-0x0000000004783000-0x0000000004784000-memory.dmp
Filesize 4KB
-
memory/4008-160-0x0000000004780000-0x0000000004781000-memory.dmp
Filesize 4KB
-
memory/4008-373-0x000000007F620000-0x000000007F621000-memory.dmp
Filesize 4KB
-
memory/4256-846-0x0000000000000000-mapping.dmp
-
memory/4356-1824-0x0000000000384000-0x0000000000386000-memory.dmp
Filesize 8KB
-
memory/4356-1264-0x000000007F7A0000-0x000000007F7A1000-memory.dmp
Filesize 4KB
-
memory/4356-1814-0x0000000000383000-0x0000000000384000-memory.dmp
Filesize 4KB
-
memory/4356-994-0x0000000000000000-mapping.dmp
-
memory/4356-1036-0x0000000000382000-0x0000000000383000-memory.dmp
Filesize 4KB
-
memory/4356-1033-0x0000000000380000-0x0000000000381000-memory.dmp
Filesize 4KB
-
memory/4596-2763-0x00000000004080EF-mapping.dmp
-
memory/4704-1096-0x00000000004080EF-mapping.dmp
-
memory/4960-2016-0x00000000046E4000-0x00000000046E6000-memory.dmp
Filesize 8KB
-
memory/4960-1398-0x000000007F2F0000-0x000000007F2F1000-memory.dmp
Filesize 4KB
-
memory/4960-1024-0x00000000046E2000-0x00000000046E3000-memory.dmp
Filesize 4KB
-
memory/4960-2009-0x00000000046E3000-0x00000000046E4000-memory.dmp
Filesize 4KB
-
memory/4960-995-0x0000000000000000-mapping.dmp
-
memory/4960-1037-0x00000000046E0000-0x00000000046E1000-memory.dmp
Filesize 4KB
-
memory/4980-1803-0x00000000067B4000-0x00000000067B6000-memory.dmp
Filesize 8KB
-
memory/4980-1790-0x00000000067B3000-0x00000000067B4000-memory.dmp
Filesize 4KB
-
memory/4980-1218-0x000000007F130000-0x000000007F131000-memory.dmp
Filesize 4KB
-
memory/4980-1034-0x00000000067B2000-0x00000000067B3000-memory.dmp
Filesize 4KB
-
memory/4980-1020-0x00000000067B0000-0x00000000067B1000-memory.dmp
Filesize 4KB
-
memory/4980-993-0x0000000000000000-mapping.dmp
-
memory/5004-2112-0x0000000007494000-0x0000000007496000-memory.dmp
Filesize 8KB
-
memory/5004-1484-0x000000007E490000-0x000000007E491000-memory.dmp
Filesize 4KB
-
memory/5004-2103-0x0000000007493000-0x0000000007494000-memory.dmp
Filesize 4KB
-
memory/5004-1026-0x0000000007490000-0x0000000007491000-memory.dmp
Filesize 4KB
-
memory/5004-1030-0x0000000007492000-0x0000000007493000-memory.dmp
Filesize 4KB
-
memory/5004-996-0x0000000000000000-mapping.dmp
-
memory/5076-1963-0x0000000006DF3000-0x0000000006DF4000-memory.dmp
Filesize 4KB
-
memory/5076-1028-0x0000000006DF0000-0x0000000006DF1000-memory.dmp
Filesize 4KB
-
memory/5076-998-0x0000000000000000-mapping.dmp
-
memory/5076-1971-0x0000000006DF4000-0x0000000006DF6000-memory.dmp
Filesize 8KB
-
memory/5076-1032-0x0000000006DF2000-0x0000000006DF3000-memory.dmp
Filesize 4KB
-
memory/5076-1346-0x000000007F0C0000-0x000000007F0C1000-memory.dmp
Filesize 4KB
-
memory/5240-2242-0x00000000004080EF-mapping.dmp
-
memory/5920-1631-0x00000000004080EF-mapping.dmp