warzonerat | 8035847afc188fc0c7f878b148ffae82d22f6594386539255cdfc4b5d5deb8c0

Analysis

max time kernel
16s
max time network
151s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddb25c6d3894be202a4ee4b061ce010d.exe
Size

893KB
MD5

ddb25c6d3894be202a4ee4b061ce010d
SHA1

5e87d177b7ca71c46f7c37d13a2de5e04b97549d
SHA256

8035847afc188fc0c7f878b148ffae82d22f6594386539255cdfc4b5d5deb8c0
SHA512

b8e5caeb723f259c30cb34f2049e4051e0b7f3b4b4cd599a8729501875adf97b0c600e694c811f0909d2af84eb240cd6f01fd55a368a698f70dced6f410d78f2

Score

10^/10

warzonerat evasion infostealer rat trojan

Malware Config

Extracted

Family

warzonerat

severdops.ddns.net:3311

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\d90afb68-f6c7-4be8-a1a8-45090d075c27\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\d90afb68-f6c7-4be8-a1a8-45090d075c27\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\d90afb68-f6c7-4be8-a1a8-45090d075c27\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b901cf85-3cd9-4725-a75a-b36ed5c8b3a7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b901cf85-3cd9-4725-a75a-b36ed5c8b3a7\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b901cf85-3cd9-4725-a75a-b36ed5c8b3a7\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe1F44AD0C.exe

pid process

512 AdvancedRun.exe
2888 AdvancedRun.exe
1500 1F44AD0C.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ddb25c6d3894be202a4ee4b061ce010d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ddb25c6d3894be202a4ee4b061ce010d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ddb25c6d3894be202a4ee4b061ce010d.exe

Drops startup file 2 IoCs

Processes:

ddb25c6d3894be202a4ee4b061ce010d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe	ddb25c6d3894be202a4ee4b061ce010d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe	ddb25c6d3894be202a4ee4b061ce010d.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ddb25c6d3894be202a4ee4b061ce010d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	ddb25c6d3894be202a4ee4b061ce010d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	ddb25c6d3894be202a4ee4b061ce010d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	ddb25c6d3894be202a4ee4b061ce010d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ddb25c6d3894be202a4ee4b061ce010d.exe = "0"	ddb25c6d3894be202a4ee4b061ce010d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	ddb25c6d3894be202a4ee4b061ce010d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	ddb25c6d3894be202a4ee4b061ce010d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe = "0"	ddb25c6d3894be202a4ee4b061ce010d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\A454A08C\svchost.exe = "0"	ddb25c6d3894be202a4ee4b061ce010d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	ddb25c6d3894be202a4ee4b061ce010d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	ddb25c6d3894be202a4ee4b061ce010d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	ddb25c6d3894be202a4ee4b061ce010d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	ddb25c6d3894be202a4ee4b061ce010d.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ddb25c6d3894be202a4ee4b061ce010d.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddb25c6d3894be202a4ee4b061ce010d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddb25c6d3894be202a4ee4b061ce010d.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ddb25c6d3894be202a4ee4b061ce010d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	ddb25c6d3894be202a4ee4b061ce010d.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	ddb25c6d3894be202a4ee4b061ce010d.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ddb25c6d3894be202a4ee4b061ce010d.exe

description pid process target process

PID 3732 set thread context of 3504 3732 ddb25c6d3894be202a4ee4b061ce010d.exe ngentask.exe
Drops file in Windows directory 1 IoCs

Processes:

ddb25c6d3894be202a4ee4b061ce010d.exe

description ioc process

File created C:\Windows\Resources\Themes\A454A08C\svchost.exe ddb25c6d3894be202a4ee4b061ce010d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4044 3732 WerFault.exe ddb25c6d3894be202a4ee4b061ce010d.exe
4760 1500 WerFault.exe 1F44AD0C.exe

description	pid	process	target process
PID 3732 set thread context of 3504	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	ngentask.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\A454A08C\svchost.exe	ddb25c6d3894be202a4ee4b061ce010d.exe

pid	pid_target	process	target process
4044	3732	WerFault.exe	ddb25c6d3894be202a4ee4b061ce010d.exe
4760	1500	WerFault.exe	1F44AD0C.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exe

pid	process
512	AdvancedRun.exe
512	AdvancedRun.exe
512	AdvancedRun.exe
512	AdvancedRun.exe
2888	AdvancedRun.exe
2888	AdvancedRun.exe
2888	AdvancedRun.exe
2888	AdvancedRun.exe
724	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeddb25c6d3894be202a4ee4b061ce010d.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	512	AdvancedRun.exe
Token: SeImpersonatePrivilege	512	AdvancedRun.exe
Token: SeDebugPrivilege	2888	AdvancedRun.exe
Token: SeImpersonatePrivilege	2888	AdvancedRun.exe
Token: SeDebugPrivilege	3732	ddb25c6d3894be202a4ee4b061ce010d.exe
Token: SeDebugPrivilege	724	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

ddb25c6d3894be202a4ee4b061ce010d.exeAdvancedRun.exe

description	pid	process	target process
PID 3732 wrote to memory of 512	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	AdvancedRun.exe
PID 3732 wrote to memory of 512	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	AdvancedRun.exe
PID 3732 wrote to memory of 512	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	AdvancedRun.exe
PID 512 wrote to memory of 2888	512	AdvancedRun.exe	AdvancedRun.exe
PID 512 wrote to memory of 2888	512	AdvancedRun.exe	AdvancedRun.exe
PID 512 wrote to memory of 2888	512	AdvancedRun.exe	AdvancedRun.exe
PID 3732 wrote to memory of 724	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 724	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 724	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 3256	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 3256	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 3256	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 396	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 396	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 396	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 1164	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 1164	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 1164	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 1748	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 1748	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 1748	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 1500	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	1F44AD0C.exe
PID 3732 wrote to memory of 1500	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	1F44AD0C.exe
PID 3732 wrote to memory of 1500	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	1F44AD0C.exe
PID 3732 wrote to memory of 3888	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 3888	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 3888	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 2024	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 2024	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 2024	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 2200	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 2200	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 2200	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	powershell.exe
PID 3732 wrote to memory of 3376	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	DataSvcUtil.exe
PID 3732 wrote to memory of 3376	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	DataSvcUtil.exe
PID 3732 wrote to memory of 3464	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	CasPol.exe
PID 3732 wrote to memory of 3464	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	CasPol.exe
PID 3732 wrote to memory of 3464	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	CasPol.exe
PID 3732 wrote to memory of 3504	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	ngentask.exe
PID 3732 wrote to memory of 3504	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	ngentask.exe
PID 3732 wrote to memory of 3504	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	ngentask.exe
PID 3732 wrote to memory of 3504	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	ngentask.exe
PID 3732 wrote to memory of 3504	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	ngentask.exe
PID 3732 wrote to memory of 3504	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	ngentask.exe
PID 3732 wrote to memory of 3504	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	ngentask.exe
PID 3732 wrote to memory of 3504	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	ngentask.exe
PID 3732 wrote to memory of 3504	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	ngentask.exe
PID 3732 wrote to memory of 3504	3732	ddb25c6d3894be202a4ee4b061ce010d.exe	ngentask.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

ddb25c6d3894be202a4ee4b061ce010d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ddb25c6d3894be202a4ee4b061ce010d.exe

C:\Users\Admin\AppData\Local\Temp\ddb25c6d3894be202a4ee4b061ce010d.exe
"C:\Users\Admin\AppData\Local\Temp\ddb25c6d3894be202a4ee4b061ce010d.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3732

C:\Users\Admin\AppData\Local\Temp\d90afb68-f6c7-4be8-a1a8-45090d075c27\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\d90afb68-f6c7-4be8-a1a8-45090d075c27\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d90afb68-f6c7-4be8-a1a8-45090d075c27\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Local\Temp\d90afb68-f6c7-4be8-a1a8-45090d075c27\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\d90afb68-f6c7-4be8-a1a8-45090d075c27\AdvancedRun.exe" /SpecialRun 4101d8 512
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ddb25c6d3894be202a4ee4b061ce010d.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ddb25c6d3894be202a4ee4b061ce010d.exe" -Force
2⤵
PID:3256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe" -Force
2⤵
PID:396

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe"
2⤵
- Executes dropped EXE
PID:1500

C:\Users\Admin\AppData\Local\Temp\b901cf85-3cd9-4725-a75a-b36ed5c8b3a7\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\b901cf85-3cd9-4725-a75a-b36ed5c8b3a7\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b901cf85-3cd9-4725-a75a-b36ed5c8b3a7\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\b901cf85-3cd9-4725-a75a-b36ed5c8b3a7\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\b901cf85-3cd9-4725-a75a-b36ed5c8b3a7\AdvancedRun.exe" /SpecialRun 4101d8 4652
4⤵
PID:4752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe" -Force
3⤵
PID:5064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe" -Force
3⤵
PID:5088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\A454A08C\svchost.exe" -Force
3⤵
PID:3432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe" -Force
3⤵
PID:4204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\A454A08C\svchost.exe" -Force
3⤵
PID:4260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:4304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
3⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 1232
3⤵
- Program crash
PID:4760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ddb25c6d3894be202a4ee4b061ce010d.exe" -Force
2⤵
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\A454A08C\svchost.exe" -Force
2⤵
PID:2200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\A454A08C\svchost.exe" -Force
2⤵
PID:3888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ddb25c6d3894be202a4ee4b061ce010d.exe" -Force
2⤵
PID:1748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe" -Force
2⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
PID:3464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 2008
2⤵
- Program crash
PID:4044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f00ab92ea3a0f7b9289ccd99267d1b95

SHA1
68fc3bd2556df08bfcdc1d55c36946ed19a67104

SHA256
f1749cafb63b24dff555f0df02143ad37f4779764df7f523c4e94e225eed9bff

SHA512
e5e916901723eab4315045752934e1e5252143b18ccca0b42f8ee018d832625d69d80baa42c98d00c25ce9bfd96b1551d376d6a04b6723f2ab1ddfecbf5d8257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f00ab92ea3a0f7b9289ccd99267d1b95

SHA1
68fc3bd2556df08bfcdc1d55c36946ed19a67104

SHA256
f1749cafb63b24dff555f0df02143ad37f4779764df7f523c4e94e225eed9bff

SHA512
e5e916901723eab4315045752934e1e5252143b18ccca0b42f8ee018d832625d69d80baa42c98d00c25ce9bfd96b1551d376d6a04b6723f2ab1ddfecbf5d8257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
1829893556f3faa05d2add1923dd8b26

SHA1
c92dab905767d1acf670a28b9bc6fddbdbee1591

SHA256
d3775fd226dfdf2ddcbb90a5f738d746731c435f0178aa1b76303aa8aec1b8a0

SHA512
6731deaa5b1da2130da24703e3bc60b88e1b614ef652f1d44b07847a7093c9307eddf76d21d381fbd8152ffa08d0a82398fb2df95a58f53934368984391cd4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ed539311eba0096d23056c2a5926059b

SHA1
8ee44c860911c30f91fdafaaa2af5efc8fb91a83

SHA256
5742755d68edacd58df03332990168058f18d41f98230763a4e00afe5e7a892a

SHA512
eff14ee83dc061af60f81195e4ff2a351f4fbdb3955b4f6afe285a3ae7a31e44b317bd3d0aee55b601477cd06f5a2a9a62e32cc417ec46332601e0ce1e780d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ed539311eba0096d23056c2a5926059b

SHA1
8ee44c860911c30f91fdafaaa2af5efc8fb91a83

SHA256
5742755d68edacd58df03332990168058f18d41f98230763a4e00afe5e7a892a

SHA512
eff14ee83dc061af60f81195e4ff2a351f4fbdb3955b4f6afe285a3ae7a31e44b317bd3d0aee55b601477cd06f5a2a9a62e32cc417ec46332601e0ce1e780d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ed539311eba0096d23056c2a5926059b

SHA1
8ee44c860911c30f91fdafaaa2af5efc8fb91a83

SHA256
5742755d68edacd58df03332990168058f18d41f98230763a4e00afe5e7a892a

SHA512
eff14ee83dc061af60f81195e4ff2a351f4fbdb3955b4f6afe285a3ae7a31e44b317bd3d0aee55b601477cd06f5a2a9a62e32cc417ec46332601e0ce1e780d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ed539311eba0096d23056c2a5926059b

SHA1
8ee44c860911c30f91fdafaaa2af5efc8fb91a83

SHA256
5742755d68edacd58df03332990168058f18d41f98230763a4e00afe5e7a892a

SHA512
eff14ee83dc061af60f81195e4ff2a351f4fbdb3955b4f6afe285a3ae7a31e44b317bd3d0aee55b601477cd06f5a2a9a62e32cc417ec46332601e0ce1e780d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ea411b786de3f8b38ca61aeff09c0acc

SHA1
cffd52092afd023078b5c08c387690d1e39b55da

SHA256
edf9d2dca9ce4fa8aa63e604b6004af5de62ca761a690ebdaac24146ea1030f9

SHA512
e7502ccd9270561d946a0154b4a2a1bedb1ff494e342b9e25c5006f57993b3e5edc7f269d4b92b4f00154188cbece21e66a81e7b438859600a5c73ae775a9306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ff260b976ba854c7276b44ac526498e2

SHA1
85cfc2299d61b023991bedbc2e83c4558129972b

SHA256
8503e0173bc8b13a6837d40fe12782f9698052e32ac2e2894c1494d26bd70a9f

SHA512
cc5d139d721296b7b5097078a4759f17d245f50b7cbc56d8e73ef0dacc376234f2b2d1063c82b2906488dc8a2217faa3fabb75829fd93c2e2e02c1a45a442da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
452fab555df1435d9fc68bc1b8c983ed

SHA1
d4d5e1d4b06f07b0ed62ee4955a8b8caea12f563

SHA256
a7266e2f1c15448e3f890d2608920090e8ce28c03a685302de7e38e95414f5a5

SHA512
79279df176eecd5b3de88c99061f88176a607d1416e07ca42bd47a57b2b0614b7819d869a0e757ffa3c2a5928fc36ce37f406340f44d4c12aa8bedd719227156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ea411b786de3f8b38ca61aeff09c0acc

SHA1
cffd52092afd023078b5c08c387690d1e39b55da

SHA256
edf9d2dca9ce4fa8aa63e604b6004af5de62ca761a690ebdaac24146ea1030f9

SHA512
e7502ccd9270561d946a0154b4a2a1bedb1ff494e342b9e25c5006f57993b3e5edc7f269d4b92b4f00154188cbece21e66a81e7b438859600a5c73ae775a9306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ea411b786de3f8b38ca61aeff09c0acc

SHA1
cffd52092afd023078b5c08c387690d1e39b55da

SHA256
edf9d2dca9ce4fa8aa63e604b6004af5de62ca761a690ebdaac24146ea1030f9

SHA512
e7502ccd9270561d946a0154b4a2a1bedb1ff494e342b9e25c5006f57993b3e5edc7f269d4b92b4f00154188cbece21e66a81e7b438859600a5c73ae775a9306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
604041d82591ac921ec77407ea7df2d1

SHA1
c3cb4767a2c460abbf4248f21d2a3c7e19cfa293

SHA256
5863400aa35251f1b4274ab3ca586d178eaf148e7761ac7e5f359777feb7fbd2

SHA512
6c106ea9793992a88b8582a51e18ae24497229eb39fcf289bfd1fb1e41e6584fba988a3667d2d1bf67ba5b5f3cd7413721a11cc10a5431df0d2e540cc41d61e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
604041d82591ac921ec77407ea7df2d1

SHA1
c3cb4767a2c460abbf4248f21d2a3c7e19cfa293

SHA256
5863400aa35251f1b4274ab3ca586d178eaf148e7761ac7e5f359777feb7fbd2

SHA512
6c106ea9793992a88b8582a51e18ae24497229eb39fcf289bfd1fb1e41e6584fba988a3667d2d1bf67ba5b5f3cd7413721a11cc10a5431df0d2e540cc41d61e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f2d93b8a58e6defc7af6a11c09367f47

SHA1
10780c48748ab518bceee346d4e77a77e7791e97

SHA256
2829dc6d4385b58cb40d9272d804599c366d0e86dd95bdf9b2e09d60539ac871

SHA512
08eed0ab073659bc383096e2864a7705aa06856172ec69e1919a25e0ab924a28dccf4216947f8112863004d566cadacefe781615ba86586ab39667ac70eeae78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c00556333ad4b22202c1f9a9aee49243

SHA1
1b1ba2bc0aeeed7529a03a56f42c53cbaa653c53

SHA256
271464a207701fa8bfdaa815734b2f24327f17313acac4f31bdc1986c8c2352d

SHA512
dab67f4b62627d926e8756f36ef5cb380f4b1c89a78537dada418646769271836e16eece48a32121d18c0dd4a4fe30486a5c3811c88d755dd3d65b4371b1236b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
b0774bb0e00e21366bd7b45fa49735c8

SHA1
8a233ae8ae98a07b1205c263d13c616013a9af14

SHA256
9e2c5b2ca7ab03a90754d7549f72bf88396141046953d83f7abf2727d49fbb0e

SHA512
297e07e14f13e1dd92a1fe7f25d2e80d8654705b312f54eca812da9e291084bd5ed9471b37d0e8e8d4fa48c180f631c63d226f41b4a23468cd3a5b193df26c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d42791620e347e7439e55749a0d3b88d

SHA1
f395d7770831c91ca5e511337f0f86bf786f60f4

SHA256
f7ee60a7d5a1561debf8ea7cf5d4e1fc83674bc9dccdb8e574203c4380d68e0f

SHA512
b1d87ab97aad1c1ac0d00d58d0900a8b8b94a15b050988a402bfcc3d6ac08c273316322ce07b8b2cd8106a3682e6ecc5fabd5dab1533e6dd077a580d9c9cf920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d42791620e347e7439e55749a0d3b88d

SHA1
f395d7770831c91ca5e511337f0f86bf786f60f4

SHA256
f7ee60a7d5a1561debf8ea7cf5d4e1fc83674bc9dccdb8e574203c4380d68e0f

SHA512
b1d87ab97aad1c1ac0d00d58d0900a8b8b94a15b050988a402bfcc3d6ac08c273316322ce07b8b2cd8106a3682e6ecc5fabd5dab1533e6dd077a580d9c9cf920

Download Submit
C:\Users\Admin\AppData\Local\Temp\b901cf85-3cd9-4725-a75a-b36ed5c8b3a7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b901cf85-3cd9-4725-a75a-b36ed5c8b3a7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b901cf85-3cd9-4725-a75a-b36ed5c8b3a7\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d90afb68-f6c7-4be8-a1a8-45090d075c27\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d90afb68-f6c7-4be8-a1a8-45090d075c27\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d90afb68-f6c7-4be8-a1a8-45090d075c27\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe
MD5
ddb25c6d3894be202a4ee4b061ce010d

SHA1
5e87d177b7ca71c46f7c37d13a2de5e04b97549d

SHA256
8035847afc188fc0c7f878b148ffae82d22f6594386539255cdfc4b5d5deb8c0

SHA512
b8e5caeb723f259c30cb34f2049e4051e0b7f3b4b4cd599a8729501875adf97b0c600e694c811f0909d2af84eb240cd6f01fd55a368a698f70dced6f410d78f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe
MD5
ddb25c6d3894be202a4ee4b061ce010d

SHA1
5e87d177b7ca71c46f7c37d13a2de5e04b97549d

SHA256
8035847afc188fc0c7f878b148ffae82d22f6594386539255cdfc4b5d5deb8c0

SHA512
b8e5caeb723f259c30cb34f2049e4051e0b7f3b4b4cd599a8729501875adf97b0c600e694c811f0909d2af84eb240cd6f01fd55a368a698f70dced6f410d78f2

Download Submit
memory/396-164-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/396-167-0x0000000004682000-0x0000000004683000-memory.dmp

Filesize
4KB

Download
memory/396-496-0x0000000004683000-0x0000000004684000-memory.dmp

Filesize
4KB

Download
memory/396-447-0x000000007F290000-0x000000007F291000-memory.dmp

Filesize
4KB

Download
memory/396-131-0x0000000000000000-mapping.dmp

Download
memory/512-124-0x0000000000000000-mapping.dmp

Download
memory/724-176-0x0000000006632000-0x0000000006633000-memory.dmp

Filesize
4KB

Download
memory/724-370-0x000000007E720000-0x000000007E721000-memory.dmp

Filesize
4KB

Download
memory/724-472-0x0000000006633000-0x0000000006634000-memory.dmp

Filesize
4KB

Download
memory/724-129-0x0000000000000000-mapping.dmp

Download
memory/724-205-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/724-192-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/724-140-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/724-196-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/724-145-0x0000000006C70000-0x0000000006C71000-memory.dmp

Filesize
4KB

Download
memory/724-154-0x0000000006630000-0x0000000006631000-memory.dmp

Filesize
4KB

Download
memory/1164-173-0x0000000004C42000-0x0000000004C43000-memory.dmp

Filesize
4KB

Download
memory/1164-132-0x0000000000000000-mapping.dmp

Download
memory/1164-414-0x000000007F160000-0x000000007F161000-memory.dmp

Filesize
4KB

Download
memory/1164-197-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1164-477-0x0000000004C43000-0x0000000004C44000-memory.dmp

Filesize
4KB

Download
memory/1500-180-0x00000000051A0000-0x000000000569E000-memory.dmp

Filesize
5.0MB

Download
memory/1500-195-0x00000000051A0000-0x000000000569E000-memory.dmp

Filesize
5.0MB

Download
memory/1500-134-0x0000000000000000-mapping.dmp

Download
memory/1748-203-0x0000000006D92000-0x0000000006D93000-memory.dmp

Filesize
4KB

Download
memory/1748-499-0x000000007F4C0000-0x000000007F4C1000-memory.dmp

Filesize
4KB

Download
memory/1748-553-0x0000000006D93000-0x0000000006D94000-memory.dmp

Filesize
4KB

Download
memory/1748-133-0x0000000000000000-mapping.dmp

Download
memory/1748-198-0x0000000006D90000-0x0000000006D91000-memory.dmp

Filesize
4KB

Download
memory/2024-183-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/2024-207-0x00000000040C2000-0x00000000040C3000-memory.dmp

Filesize
4KB

Download
memory/2024-141-0x0000000000000000-mapping.dmp

Download
memory/2024-406-0x000000007EC00000-0x000000007EC01000-memory.dmp

Filesize
4KB

Download
memory/2024-563-0x00000000040C3000-0x00000000040C4000-memory.dmp

Filesize
4KB

Download
memory/2200-190-0x0000000004DB2000-0x0000000004DB3000-memory.dmp

Filesize
4KB

Download
memory/2200-143-0x0000000000000000-mapping.dmp

Download
memory/2200-559-0x0000000004DB3000-0x0000000004DB4000-memory.dmp

Filesize
4KB

Download
memory/2200-517-0x000000007F690000-0x000000007F691000-memory.dmp

Filesize
4KB

Download
memory/2200-188-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2784-316-0x0000000000405E28-mapping.dmp

Download
memory/2888-127-0x0000000000000000-mapping.dmp

Download
memory/3032-509-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3032-293-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3032-459-0x00007FFE49D80000-0x00007FFE49D90000-memory.dmp

Filesize
64KB

Download
memory/3032-466-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3032-290-0x00007FFE49D70000-0x00007FFE49D80000-memory.dmp

Filesize
64KB

Download
memory/3032-274-0x0000000002D90000-0x0000000002E90000-memory.dmp

Filesize
1024KB

Download
memory/3032-392-0x00007FFE49D90000-0x00007FFE49D96000-memory.dmp

Filesize
24KB

Download
memory/3256-193-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3256-489-0x0000000004A93000-0x0000000004A94000-memory.dmp

Filesize
4KB

Download
memory/3256-159-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/3256-296-0x000000007EDD0000-0x000000007EDD1000-memory.dmp

Filesize
4KB

Download
memory/3256-130-0x0000000000000000-mapping.dmp

Download
memory/3432-494-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/3432-1265-0x000000007F4D0000-0x000000007F4D1000-memory.dmp

Filesize
4KB

Download
memory/3432-453-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/3432-298-0x0000000000000000-mapping.dmp

Download
memory/3504-169-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3504-160-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3504-165-0x0000000000405E28-mapping.dmp

Download
memory/3732-121-0x00000000091D0000-0x00000000091D1000-memory.dmp

Filesize
4KB

Download
memory/3732-168-0x0000000006EE0000-0x0000000006EE3000-memory.dmp

Filesize
12KB

Download
memory/3732-116-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/3732-117-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/3732-119-0x00000000054E0000-0x00000000059DE000-memory.dmp

Filesize
5.0MB

Download
memory/3732-120-0x00000000054E0000-0x00000000059DE000-memory.dmp

Filesize
5.0MB

Download
memory/3732-118-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3732-123-0x00000000093E0000-0x00000000093E1000-memory.dmp

Filesize
4KB

Download
memory/3732-115-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/3732-122-0x0000000009130000-0x0000000009192000-memory.dmp

Filesize
392KB

Download
memory/3888-137-0x0000000000000000-mapping.dmp

Download
memory/3888-505-0x000000007F120000-0x000000007F121000-memory.dmp

Filesize
4KB

Download
memory/3888-556-0x0000000006FA3000-0x0000000006FA4000-memory.dmp

Filesize
4KB

Download
memory/3888-185-0x0000000006FA2000-0x0000000006FA3000-memory.dmp

Filesize
4KB

Download
memory/3888-191-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/4204-1273-0x000000007E8C0000-0x000000007E8C1000-memory.dmp

Filesize
4KB

Download
memory/4204-513-0x0000000003702000-0x0000000003703000-memory.dmp

Filesize
4KB

Download
memory/4204-301-0x0000000000000000-mapping.dmp

Download
memory/4204-377-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/4260-305-0x0000000000000000-mapping.dmp

Download
memory/4260-385-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/4260-399-0x0000000006DC2000-0x0000000006DC3000-memory.dmp

Filesize
4KB

Download
memory/4260-1250-0x000000007F730000-0x000000007F731000-memory.dmp

Filesize
4KB

Download
memory/4304-547-0x0000000000000000-mapping.dmp

Download
memory/4304-824-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/4652-250-0x0000000000000000-mapping.dmp

Download
memory/4736-255-0x0000000000000000-mapping.dmp

Download
memory/4736-320-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/4752-258-0x0000000000000000-mapping.dmp

Download
memory/5064-439-0x0000000006672000-0x0000000006673000-memory.dmp

Filesize
4KB

Download
memory/5064-1189-0x000000007E830000-0x000000007E831000-memory.dmp

Filesize
4KB

Download
memory/5064-292-0x0000000000000000-mapping.dmp

Download
memory/5064-1484-0x0000000006673000-0x0000000006674000-memory.dmp

Filesize
4KB

Download
memory/5064-421-0x0000000006670000-0x0000000006671000-memory.dmp

Filesize
4KB

Download
memory/5064-1485-0x0000000006674000-0x0000000006676000-memory.dmp

Filesize
8KB

Download
memory/5088-295-0x0000000000000000-mapping.dmp

Download
memory/5088-483-0x0000000004122000-0x0000000004123000-memory.dmp

Filesize
4KB

Download
memory/5088-1260-0x000000007EC50000-0x000000007EC51000-memory.dmp

Filesize
4KB

Download
memory/5088-430-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/5088-1486-0x0000000004123000-0x0000000004124000-memory.dmp

Filesize
4KB

Download