formbook | 1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986

Analysis

max time kernel
14s
max time network
113s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44696d252000850d3ea71d9ae238aedc.exe
Size

1.0MB
MD5

44696d252000850d3ea71d9ae238aedc
SHA1

1fb61a1df500f9025641526cb4013d555b129a84
SHA256

1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986
SHA512

e1115a0a70b6d532633c1c60733a2aebbdc9e14863deaec7f6e15604c20f9f3ce3d36132ec2b814a4c774b25a6c4c8ccad4003724b98abead2be3f752b9d6314

Score

10^/10

formbook vtkz evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vtkz

http://www.luxuriousshoestop.com/vtkz/

Decoy

todaynewsbuzz.com

bootwish.com

michelleortegawrites.com

tutorialme.com

daretoplaygames.com

telefonepantalla.com

advisorsoncall.life

marketingloisirs.com

cremationmtzionil.com

lgbtsuccess.com

cassandrawind.com

globaltradepay.com

thecafeart.com

starmobilehome.com

ugotshot.com

c03eeniom.store

afcerd.com

eleyhexs.com

utmmarhitzfil.com

saudiisrael.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/916-171-0x000000000041EBC0-mapping.dmp	formbook
behavioral2/memory/916-167-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4388-256-0x0000000000760000-0x000000000078E000-memory.dmp	formbook
behavioral2/memory/4880-369-0x000000000041EBC0-mapping.dmp	formbook
behavioral2/memory/4608-598-0x0000000002700000-0x000000000272E000-memory.dmp	formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ef1eccc6-5ccb-4a50-a15f-45d500ac35f6\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ef1eccc6-5ccb-4a50-a15f-45d500ac35f6\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ef1eccc6-5ccb-4a50-a15f-45d500ac35f6\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f9009172-79cf-4c75-9815-5264927d8222\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f9009172-79cf-4c75-9815-5264927d8222\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f9009172-79cf-4c75-9815-5264927d8222\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe36C95A71.exe

pid process

348 AdvancedRun.exe
596 AdvancedRun.exe
2628 36C95A71.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	44696d252000850d3ea71d9ae238aedc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	44696d252000850d3ea71d9ae238aedc.exe

Drops startup file 2 IoCs

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe	44696d252000850d3ea71d9ae238aedc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe	44696d252000850d3ea71d9ae238aedc.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	44696d252000850d3ea71d9ae238aedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	44696d252000850d3ea71d9ae238aedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	44696d252000850d3ea71d9ae238aedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe = "0"	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	44696d252000850d3ea71d9ae238aedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe = "0"	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\2FDD6624\svchost.exe = "0"	44696d252000850d3ea71d9ae238aedc.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	44696d252000850d3ea71d9ae238aedc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	44696d252000850d3ea71d9ae238aedc.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	44696d252000850d3ea71d9ae238aedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	44696d252000850d3ea71d9ae238aedc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description pid process target process

PID 3996 set thread context of 916 3996 44696d252000850d3ea71d9ae238aedc.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4224 3996 WerFault.exe 44696d252000850d3ea71d9ae238aedc.exe
3832 2628 WerFault.exe 36C95A71.exe

description	pid	process	target process
PID 3996 set thread context of 916	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe

pid	pid_target	process	target process
4224	3996	WerFault.exe	44696d252000850d3ea71d9ae238aedc.exe
3832	2628	WerFault.exe	36C95A71.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
348	AdvancedRun.exe
348	AdvancedRun.exe
348	AdvancedRun.exe
348	AdvancedRun.exe
596	AdvancedRun.exe
596	AdvancedRun.exe
596	AdvancedRun.exe
596	AdvancedRun.exe
3880	powershell.exe
872	powershell.exe
752	powershell.exe
1212	powershell.exe
1796	powershell.exe
700	powershell.exe
700	powershell.exe
692	powershell.exe
692	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe44696d252000850d3ea71d9ae238aedc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	348	AdvancedRun.exe
Token: SeImpersonatePrivilege	348	AdvancedRun.exe
Token: SeDebugPrivilege	596	AdvancedRun.exe
Token: SeImpersonatePrivilege	596	AdvancedRun.exe
Token: SeDebugPrivilege	3996	44696d252000850d3ea71d9ae238aedc.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

44696d252000850d3ea71d9ae238aedc.exeAdvancedRun.exe

description	pid	process	target process
PID 3996 wrote to memory of 348	3996	44696d252000850d3ea71d9ae238aedc.exe	AdvancedRun.exe
PID 3996 wrote to memory of 348	3996	44696d252000850d3ea71d9ae238aedc.exe	AdvancedRun.exe
PID 3996 wrote to memory of 348	3996	44696d252000850d3ea71d9ae238aedc.exe	AdvancedRun.exe
PID 348 wrote to memory of 596	348	AdvancedRun.exe	AdvancedRun.exe
PID 348 wrote to memory of 596	348	AdvancedRun.exe	AdvancedRun.exe
PID 348 wrote to memory of 596	348	AdvancedRun.exe	AdvancedRun.exe
PID 3996 wrote to memory of 3880	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 3880	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 3880	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 752	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 752	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 752	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 872	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 872	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 872	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 692	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 692	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 692	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 1212	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 1212	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 1212	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 2628	3996	44696d252000850d3ea71d9ae238aedc.exe	36C95A71.exe
PID 3996 wrote to memory of 2628	3996	44696d252000850d3ea71d9ae238aedc.exe	36C95A71.exe
PID 3996 wrote to memory of 2628	3996	44696d252000850d3ea71d9ae238aedc.exe	36C95A71.exe
PID 3996 wrote to memory of 1796	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 1796	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 1796	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 700	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 700	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 700	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 2756	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 2756	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 2756	3996	44696d252000850d3ea71d9ae238aedc.exe	powershell.exe
PID 3996 wrote to memory of 424	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 424	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 424	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 2824	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 2824	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 2824	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 348	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 348	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 348	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 916	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 916	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 916	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 916	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 916	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe
PID 3996 wrote to memory of 916	3996	44696d252000850d3ea71d9ae238aedc.exe	aspnet_compiler.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

44696d252000850d3ea71d9ae238aedc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	44696d252000850d3ea71d9ae238aedc.exe

C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe
"C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3996

C:\Users\Admin\AppData\Local\Temp\ef1eccc6-5ccb-4a50-a15f-45d500ac35f6\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ef1eccc6-5ccb-4a50-a15f-45d500ac35f6\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ef1eccc6-5ccb-4a50-a15f-45d500ac35f6\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348

C:\Users\Admin\AppData\Local\Temp\ef1eccc6-5ccb-4a50-a15f-45d500ac35f6\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ef1eccc6-5ccb-4a50-a15f-45d500ac35f6\AdvancedRun.exe" /SpecialRun 4101d8 348
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2FDD6624\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe"
2⤵
- Executes dropped EXE
PID:2628

C:\Users\Admin\AppData\Local\Temp\f9009172-79cf-4c75-9815-5264927d8222\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\f9009172-79cf-4c75-9815-5264927d8222\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f9009172-79cf-4c75-9815-5264927d8222\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\f9009172-79cf-4c75-9815-5264927d8222\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\f9009172-79cf-4c75-9815-5264927d8222\AdvancedRun.exe" /SpecialRun 4101d8 4836
4⤵
PID:4904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe" -Force
3⤵
PID:4444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe" -Force
3⤵
PID:2232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2FDD6624\svchost.exe" -Force
3⤵
PID:4624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe" -Force
3⤵
PID:4664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2FDD6624\svchost.exe" -Force
3⤵
PID:4652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1780
3⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\44696d252000850d3ea71d9ae238aedc.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\2FDD6624\svchost.exe" -Force
2⤵
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 2000
2⤵
- Program crash
PID:4224

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
1⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:4760

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
1⤵
PID:4608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fbb8f89b428393287ff4a30424a0b6dd

SHA1
22ce47d0d3b9990e2de45dab63536954d12abc18

SHA256
5dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f

SHA512
cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fbb8f89b428393287ff4a30424a0b6dd

SHA1
22ce47d0d3b9990e2de45dab63536954d12abc18

SHA256
5dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f

SHA512
cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fbb8f89b428393287ff4a30424a0b6dd

SHA1
22ce47d0d3b9990e2de45dab63536954d12abc18

SHA256
5dc2950743d5773246c189ac2318b714d91fdfd899e9e2bc8b7f472e2c84838f

SHA512
cc707a1b5cf24b07bbe92572658f97b0490b2e1d082109806d11b61bc359e3ad0ef9de536a9e62f9ae1240e8f26f0320d96dabfcc14f2fd3923740007e83f2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fb695308b404187628362c72c548c690

SHA1
545ff845a6c149c0bcb087af9e0ceb71e6201f28

SHA256
1cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce

SHA512
ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2abfae6f52d2d1af8d5ccb33fa092d98

SHA1
9e258298a0738960dc2019032eb8e1a628753129

SHA256
52c2e5eec51a22ed56aef474035c9250b12033eb252d93ffd3d10627f73a1cc8

SHA512
7a70f9207575394447bbff5192fc20e4a3afc494e1d18a940e9d0f3fc7a6c852d92334faff639e3d5bb02ac2a71deb75251ed5b4b6929e7fa5f4635fc97e34f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d5ef31cc313f0c93b488c429bee8ad79

SHA1
fdac0648adf6c74e5c1bf2bd31fb284061a29310

SHA256
b891bafaf73e470f09c43321b1bdf2d078df46438e06aacd94331d60545781f7

SHA512
add2aded6594888da684e714df39f93f3b07c16e94af8345419e0f2a952d68ad01686dad5eb045aadbc9faa907b253a843d920af68607c62d44bd581b00d228e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7eab473ae62b30c4e12dcf935b8022df

SHA1
edc65b1c28cb4c5419af067e98f94aa2836f05f8

SHA256
eb9cf7156f4d149a279528d0305dbcf034ef16e1ccc3e2e37b1a4e2cfc450d15

SHA512
57752f3e1064050d8e56284923887a616742088db87d2e95c45e647c41250cf4abf56c1dd9e7101a4b90aca8a0ddaace1ae2bd76347e1df1a94a6a7c71b726fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7eab473ae62b30c4e12dcf935b8022df

SHA1
edc65b1c28cb4c5419af067e98f94aa2836f05f8

SHA256
eb9cf7156f4d149a279528d0305dbcf034ef16e1ccc3e2e37b1a4e2cfc450d15

SHA512
57752f3e1064050d8e56284923887a616742088db87d2e95c45e647c41250cf4abf56c1dd9e7101a4b90aca8a0ddaace1ae2bd76347e1df1a94a6a7c71b726fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7eab473ae62b30c4e12dcf935b8022df

SHA1
edc65b1c28cb4c5419af067e98f94aa2836f05f8

SHA256
eb9cf7156f4d149a279528d0305dbcf034ef16e1ccc3e2e37b1a4e2cfc450d15

SHA512
57752f3e1064050d8e56284923887a616742088db87d2e95c45e647c41250cf4abf56c1dd9e7101a4b90aca8a0ddaace1ae2bd76347e1df1a94a6a7c71b726fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7eab473ae62b30c4e12dcf935b8022df

SHA1
edc65b1c28cb4c5419af067e98f94aa2836f05f8

SHA256
eb9cf7156f4d149a279528d0305dbcf034ef16e1ccc3e2e37b1a4e2cfc450d15

SHA512
57752f3e1064050d8e56284923887a616742088db87d2e95c45e647c41250cf4abf56c1dd9e7101a4b90aca8a0ddaace1ae2bd76347e1df1a94a6a7c71b726fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0805650e5bc4de437306e2f1c3c5c925

SHA1
198229bf34b99c2d6c999d47f2e30dfdb4d36dce

SHA256
99e46a77173ccfc11f042b7fe0f76142ea693511b2c371f5e2a0f07699eb9577

SHA512
a233b5b99091ec868820b5f56f63ae6b7b759944b82827f173dd9731d5425906cd66db75e3b06241e1aa947f7161a99abecf50e3eb568a0cd2876faedf1301d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5e1074571d95bf344e192c12a424d1c2

SHA1
b1c5afe6b6af0995afe55378a1a69719fc0277c5

SHA256
272538d30ed151a489455e7e6752a516111fcfe238c0d35ebb2df7dfd7e2906e

SHA512
40757369ebcabeb73e323a8fd829b2bd582938ddca7345141ae795c834780c3d652be76092bf7140e6f6fddd8da618e95ceca5b173d1666281558c1ec24fe1d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5e1074571d95bf344e192c12a424d1c2

SHA1
b1c5afe6b6af0995afe55378a1a69719fc0277c5

SHA256
272538d30ed151a489455e7e6752a516111fcfe238c0d35ebb2df7dfd7e2906e

SHA512
40757369ebcabeb73e323a8fd829b2bd582938ddca7345141ae795c834780c3d652be76092bf7140e6f6fddd8da618e95ceca5b173d1666281558c1ec24fe1d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5e1074571d95bf344e192c12a424d1c2

SHA1
b1c5afe6b6af0995afe55378a1a69719fc0277c5

SHA256
272538d30ed151a489455e7e6752a516111fcfe238c0d35ebb2df7dfd7e2906e

SHA512
40757369ebcabeb73e323a8fd829b2bd582938ddca7345141ae795c834780c3d652be76092bf7140e6f6fddd8da618e95ceca5b173d1666281558c1ec24fe1d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5e1074571d95bf344e192c12a424d1c2

SHA1
b1c5afe6b6af0995afe55378a1a69719fc0277c5

SHA256
272538d30ed151a489455e7e6752a516111fcfe238c0d35ebb2df7dfd7e2906e

SHA512
40757369ebcabeb73e323a8fd829b2bd582938ddca7345141ae795c834780c3d652be76092bf7140e6f6fddd8da618e95ceca5b173d1666281558c1ec24fe1d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
654a6c2cd44e986ea0e02f7cf342df86

SHA1
02da9f5a998d2e47edad499e6656d31021cdf677

SHA256
54c3b96b1629433cfeedef658658e3de135d75bf32686affc831321fb5365b8b

SHA512
0a7fecef31de26536206ff71597cd72ab8f1b302dab18c63ee0b9769ab75a8e1dd1a7794dafafbcd7908ef613f92a4734eb170c512650d406f3d5faa7799c7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
456a198afa8a0826dcf237b0b70b662e

SHA1
be1796ef19342aeb4d64e8831aae2d967a72bc92

SHA256
173280e399b60783a1219af5b331a1f1e8be7907be47baaa078fd70216b2fd4a

SHA512
0bdf346bdea515dc8206f653867f145d2263f05553e8f0dc12f634723a9d33ce450eb69b3023b30402b479944037f15ca55e7cacff84178bcf68b731548bbd71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
456a198afa8a0826dcf237b0b70b662e

SHA1
be1796ef19342aeb4d64e8831aae2d967a72bc92

SHA256
173280e399b60783a1219af5b331a1f1e8be7907be47baaa078fd70216b2fd4a

SHA512
0bdf346bdea515dc8206f653867f145d2263f05553e8f0dc12f634723a9d33ce450eb69b3023b30402b479944037f15ca55e7cacff84178bcf68b731548bbd71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
456a198afa8a0826dcf237b0b70b662e

SHA1
be1796ef19342aeb4d64e8831aae2d967a72bc92

SHA256
173280e399b60783a1219af5b331a1f1e8be7907be47baaa078fd70216b2fd4a

SHA512
0bdf346bdea515dc8206f653867f145d2263f05553e8f0dc12f634723a9d33ce450eb69b3023b30402b479944037f15ca55e7cacff84178bcf68b731548bbd71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
456a198afa8a0826dcf237b0b70b662e

SHA1
be1796ef19342aeb4d64e8831aae2d967a72bc92

SHA256
173280e399b60783a1219af5b331a1f1e8be7907be47baaa078fd70216b2fd4a

SHA512
0bdf346bdea515dc8206f653867f145d2263f05553e8f0dc12f634723a9d33ce450eb69b3023b30402b479944037f15ca55e7cacff84178bcf68b731548bbd71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
456a198afa8a0826dcf237b0b70b662e

SHA1
be1796ef19342aeb4d64e8831aae2d967a72bc92

SHA256
173280e399b60783a1219af5b331a1f1e8be7907be47baaa078fd70216b2fd4a

SHA512
0bdf346bdea515dc8206f653867f145d2263f05553e8f0dc12f634723a9d33ce450eb69b3023b30402b479944037f15ca55e7cacff84178bcf68b731548bbd71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
83c16d543a775786a787c052fb21253f

SHA1
9b61b9f2888cd99a3d526e72165c0faa88fe6eef

SHA256
3ece7fdc8a4fd8de29b9fd682392e1f8e8a7471d3e68e915b1ebeb54d1fe9abb

SHA512
9dd94baebd92772f293dbe20dee4e9d43d8424a51afdde2657ec5d909736dc643730df2f56c02f5298eb40828132bc5bb2e550c126c6ea361f80cea1ec5864d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
83c16d543a775786a787c052fb21253f

SHA1
9b61b9f2888cd99a3d526e72165c0faa88fe6eef

SHA256
3ece7fdc8a4fd8de29b9fd682392e1f8e8a7471d3e68e915b1ebeb54d1fe9abb

SHA512
9dd94baebd92772f293dbe20dee4e9d43d8424a51afdde2657ec5d909736dc643730df2f56c02f5298eb40828132bc5bb2e550c126c6ea361f80cea1ec5864d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c658efcd1735f1507282ea406831b7ce

SHA1
fc30969a2304f354897ddb4d94bea16364583bf9

SHA256
a276cdae62ff59814c10ce2cd059b73fdb25023b1dcd5cf885b8ee8e0c783044

SHA512
69a60343f0dfe41ad3ab23420409ad30278186cae02ba74c422529c7558afd785dd3fb08c9d16c9082667eb972fc8de23377cd1a33ec2f13c545c805e4a93fe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f8fd06d1d56c0ff09b29134fa03ae9b5

SHA1
7a28746d2f46e26abdff0e9c7c98c062afe18b57

SHA256
dcf409e03ce5d8cd6769469bc3b1a091d6feba28a44357308f72d2d1e8bdb611

SHA512
1ee86fc4ee446e316a7e7abd6188248acaf8456089ea7c8f8f51058fd53e3e6874ac08c73ff1327ae22f7337015a2a3682945f4182f7878136caf471416cab5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f8fd06d1d56c0ff09b29134fa03ae9b5

SHA1
7a28746d2f46e26abdff0e9c7c98c062afe18b57

SHA256
dcf409e03ce5d8cd6769469bc3b1a091d6feba28a44357308f72d2d1e8bdb611

SHA512
1ee86fc4ee446e316a7e7abd6188248acaf8456089ea7c8f8f51058fd53e3e6874ac08c73ff1327ae22f7337015a2a3682945f4182f7878136caf471416cab5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef1eccc6-5ccb-4a50-a15f-45d500ac35f6\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef1eccc6-5ccb-4a50-a15f-45d500ac35f6\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef1eccc6-5ccb-4a50-a15f-45d500ac35f6\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9009172-79cf-4c75-9815-5264927d8222\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9009172-79cf-4c75-9815-5264927d8222\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9009172-79cf-4c75-9815-5264927d8222\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
MD5
44696d252000850d3ea71d9ae238aedc

SHA1
1fb61a1df500f9025641526cb4013d555b129a84

SHA256
1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986

SHA512
e1115a0a70b6d532633c1c60733a2aebbdc9e14863deaec7f6e15604c20f9f3ce3d36132ec2b814a4c774b25a6c4c8ccad4003724b98abead2be3f752b9d6314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\36C95A71.exe
MD5
44696d252000850d3ea71d9ae238aedc

SHA1
1fb61a1df500f9025641526cb4013d555b129a84

SHA256
1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986

SHA512
e1115a0a70b6d532633c1c60733a2aebbdc9e14863deaec7f6e15604c20f9f3ce3d36132ec2b814a4c774b25a6c4c8ccad4003724b98abead2be3f752b9d6314

Download Submit
memory/348-124-0x0000000000000000-mapping.dmp

Download
memory/596-127-0x0000000000000000-mapping.dmp

Download
memory/692-196-0x0000000004A52000-0x0000000004A53000-memory.dmp

Filesize
4KB

Download
memory/692-190-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/692-132-0x0000000000000000-mapping.dmp

Download
memory/692-197-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/692-413-0x0000000004A53000-0x0000000004A54000-memory.dmp

Filesize
4KB

Download
memory/692-189-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/692-187-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/692-336-0x000000007F830000-0x000000007F831000-memory.dmp

Filesize
4KB

Download
memory/700-610-0x0000000006603000-0x0000000006604000-memory.dmp

Filesize
4KB

Download
memory/700-436-0x000000007F5A0000-0x000000007F5A1000-memory.dmp

Filesize
4KB

Download
memory/700-142-0x0000000000000000-mapping.dmp

Download
memory/700-177-0x0000000006600000-0x0000000006601000-memory.dmp

Filesize
4KB

Download
memory/700-183-0x0000000006602000-0x0000000006603000-memory.dmp

Filesize
4KB

Download
memory/752-201-0x0000000006712000-0x0000000006713000-memory.dmp

Filesize
4KB

Download
memory/752-292-0x000000007F4A0000-0x000000007F4A1000-memory.dmp

Filesize
4KB

Download
memory/752-184-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/752-342-0x0000000006713000-0x0000000006714000-memory.dmp

Filesize
4KB

Download
memory/752-130-0x0000000000000000-mapping.dmp

Download
memory/872-131-0x0000000000000000-mapping.dmp

Download
memory/872-290-0x000000007E3D0000-0x000000007E3D1000-memory.dmp

Filesize
4KB

Download
memory/872-205-0x00000000073C2000-0x00000000073C3000-memory.dmp

Filesize
4KB

Download
memory/872-198-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/872-338-0x00000000073C3000-0x00000000073C4000-memory.dmp

Filesize
4KB

Download
memory/916-171-0x000000000041EBC0-mapping.dmp

Download
memory/916-199-0x0000000001100000-0x0000000001420000-memory.dmp

Filesize
3.1MB

Download
memory/916-213-0x0000000000FC0000-0x0000000000FD4000-memory.dmp

Filesize
80KB

Download
memory/916-167-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1212-220-0x0000000004612000-0x0000000004613000-memory.dmp

Filesize
4KB

Download
memory/1212-133-0x0000000000000000-mapping.dmp

Download
memory/1212-577-0x0000000004613000-0x0000000004614000-memory.dmp

Filesize
4KB

Download
memory/1212-216-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/1212-419-0x000000007E9E0000-0x000000007E9E1000-memory.dmp

Filesize
4KB

Download
memory/1796-224-0x00000000045D0000-0x00000000045D1000-memory.dmp

Filesize
4KB

Download
memory/1796-479-0x000000007E0F0000-0x000000007E0F1000-memory.dmp

Filesize
4KB

Download
memory/1796-139-0x0000000000000000-mapping.dmp

Download
memory/1796-530-0x00000000045D3000-0x00000000045D4000-memory.dmp

Filesize
4KB

Download
memory/1796-180-0x00000000045D2000-0x00000000045D3000-memory.dmp

Filesize
4KB

Download
memory/2232-503-0x0000000005012000-0x0000000005013000-memory.dmp

Filesize
4KB

Download
memory/2232-398-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2232-330-0x0000000000000000-mapping.dmp

Download
memory/2232-1262-0x000000007EF10000-0x000000007EF11000-memory.dmp

Filesize
4KB

Download
memory/2628-135-0x0000000000000000-mapping.dmp

Download
memory/2628-209-0x0000000005250000-0x000000000574E000-memory.dmp

Filesize
5.0MB

Download
memory/2756-186-0x0000000006A32000-0x0000000006A33000-memory.dmp

Filesize
4KB

Download
memory/2756-149-0x0000000000000000-mapping.dmp

Download
memory/2756-228-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/2756-427-0x000000007ED00000-0x000000007ED01000-memory.dmp

Filesize
4KB

Download
memory/2756-606-0x0000000006A33000-0x0000000006A34000-memory.dmp

Filesize
4KB

Download
memory/3008-217-0x00000000077A0000-0x00000000078B8000-memory.dmp

Filesize
1.1MB

Download
memory/3008-471-0x0000000009330000-0x0000000009485000-memory.dmp

Filesize
1.3MB

Download
memory/3008-602-0x00000000033E0000-0x000000000347F000-memory.dmp

Filesize
636KB

Download
memory/3880-147-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/3880-173-0x0000000006D40000-0x0000000006D41000-memory.dmp

Filesize
4KB

Download
memory/3880-193-0x0000000006D42000-0x0000000006D43000-memory.dmp

Filesize
4KB

Download
memory/3880-403-0x000000007F500000-0x000000007F501000-memory.dmp

Filesize
4KB

Download
memory/3880-569-0x0000000006D43000-0x0000000006D44000-memory.dmp

Filesize
4KB

Download
memory/3880-152-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/3880-129-0x0000000000000000-mapping.dmp

Download
memory/3996-117-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/3996-118-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/3996-119-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3996-116-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3996-174-0x00000000064F0000-0x00000000064F3000-memory.dmp

Filesize
12KB

Download
memory/3996-115-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3996-123-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/3996-120-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/3996-121-0x00000000050F0000-0x0000000005162000-memory.dmp

Filesize
456KB

Download
memory/3996-122-0x0000000004E20000-0x000000000531E000-memory.dmp

Filesize
5.0MB

Download
memory/4388-585-0x00000000012B0000-0x0000000001343000-memory.dmp

Filesize
588KB

Download
memory/4388-254-0x00000000013E0000-0x00000000013F3000-memory.dmp

Filesize
76KB

Download
memory/4388-251-0x0000000000000000-mapping.dmp

Download
memory/4388-256-0x0000000000760000-0x000000000078E000-memory.dmp

Filesize
184KB

Download
memory/4388-255-0x00000000049A0000-0x0000000004CC0000-memory.dmp

Filesize
3.1MB

Download
memory/4444-327-0x0000000000000000-mapping.dmp

Download
memory/4444-1246-0x000000007EEC0000-0x000000007EEC1000-memory.dmp

Filesize
4KB

Download
memory/4444-381-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/4444-1479-0x0000000007203000-0x0000000007204000-memory.dmp

Filesize
4KB

Download
memory/4444-389-0x0000000007202000-0x0000000007203000-memory.dmp

Filesize
4KB

Download
memory/4608-652-0x0000000004490000-0x00000000047B0000-memory.dmp

Filesize
3.1MB

Download
memory/4608-576-0x0000000000000000-mapping.dmp

Download
memory/4608-592-0x0000000000180000-0x00000000001A7000-memory.dmp

Filesize
156KB

Download
memory/4608-598-0x0000000002700000-0x000000000272E000-memory.dmp

Filesize
184KB

Download
memory/4624-510-0x0000000004972000-0x0000000004973000-memory.dmp

Filesize
4KB

Download
memory/4624-487-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4624-333-0x0000000000000000-mapping.dmp

Download
memory/4624-1250-0x000000007DF90000-0x000000007DF91000-memory.dmp

Filesize
4KB

Download
memory/4652-454-0x0000000004822000-0x0000000004823000-memory.dmp

Filesize
4KB

Download
memory/4652-445-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/4652-348-0x0000000000000000-mapping.dmp

Download
memory/4652-1310-0x000000007F890000-0x000000007F891000-memory.dmp

Filesize
4KB

Download
memory/4664-339-0x0000000000000000-mapping.dmp

Download
memory/4664-496-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download
memory/4664-517-0x0000000006632000-0x0000000006633000-memory.dmp

Filesize
4KB

Download
memory/4664-1255-0x000000007E7A0000-0x000000007E7A1000-memory.dmp

Filesize
4KB

Download
memory/4760-257-0x0000000000000000-mapping.dmp

Download
memory/4836-262-0x0000000000000000-mapping.dmp

Download
memory/4880-369-0x000000000041EBC0-mapping.dmp

Download
memory/4880-462-0x0000000001120000-0x0000000001134000-memory.dmp

Filesize
80KB

Download
memory/4880-524-0x0000000001610000-0x0000000001930000-memory.dmp

Filesize
3.1MB

Download
memory/4904-266-0x0000000000000000-mapping.dmp

Download