warzonerat | 1315fb9110a9b6bcf1326af2be8438b1d47bc4b46815db1ab49bed4fa58b3f51

Analysis

max time kernel
19s
max time network
157s
platform
windows10_x64
resource
win10v20210408
submitted
15-09-2021 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

759e32f34453405da59c9d75f8e2f544.exe
Size

893KB
MD5

759e32f34453405da59c9d75f8e2f544
SHA1

b5d265cd3d7203b46609b525762ebb40a503ae1b
SHA256

1315fb9110a9b6bcf1326af2be8438b1d47bc4b46815db1ab49bed4fa58b3f51
SHA512

7efbf142bc58a2e301fd7a8a9c3c27cee37b88f47a8269f311b616c15209272f57928ebcb6b2acbd6bdc79183d5ec8cd9138f4be0a3db5b69603f2645c82c2ed

Score

10^/10

warzonerat evasion infostealer rat trojan

Malware Config

Extracted

Family

warzonerat

severdops.ddns.net:3311

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\b6cc5fcc-9143-4ec0-905e-951f179d1dad\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b6cc5fcc-9143-4ec0-905e-951f179d1dad\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b6cc5fcc-9143-4ec0-905e-951f179d1dad\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f084fe87-d772-4f91-bf25-91ed84087348\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f084fe87-d772-4f91-bf25-91ed84087348\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f084fe87-d772-4f91-bf25-91ed84087348\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe1F44AD0C.exe

pid process

1316 AdvancedRun.exe
1648 AdvancedRun.exe
3696 1F44AD0C.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

759e32f34453405da59c9d75f8e2f544.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	759e32f34453405da59c9d75f8e2f544.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	759e32f34453405da59c9d75f8e2f544.exe

Drops startup file 2 IoCs

Processes:

759e32f34453405da59c9d75f8e2f544.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe	759e32f34453405da59c9d75f8e2f544.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe	759e32f34453405da59c9d75f8e2f544.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

759e32f34453405da59c9d75f8e2f544.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\759e32f34453405da59c9d75f8e2f544.exe = "0"	759e32f34453405da59c9d75f8e2f544.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	759e32f34453405da59c9d75f8e2f544.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	759e32f34453405da59c9d75f8e2f544.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	759e32f34453405da59c9d75f8e2f544.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	759e32f34453405da59c9d75f8e2f544.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	759e32f34453405da59c9d75f8e2f544.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	759e32f34453405da59c9d75f8e2f544.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	759e32f34453405da59c9d75f8e2f544.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	759e32f34453405da59c9d75f8e2f544.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe = "0"	759e32f34453405da59c9d75f8e2f544.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\A454A08C\svchost.exe = "0"	759e32f34453405da59c9d75f8e2f544.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	759e32f34453405da59c9d75f8e2f544.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

759e32f34453405da59c9d75f8e2f544.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	759e32f34453405da59c9d75f8e2f544.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	759e32f34453405da59c9d75f8e2f544.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

759e32f34453405da59c9d75f8e2f544.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	759e32f34453405da59c9d75f8e2f544.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	759e32f34453405da59c9d75f8e2f544.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

759e32f34453405da59c9d75f8e2f544.exe

description pid process target process

PID 656 set thread context of 1452 656 759e32f34453405da59c9d75f8e2f544.exe ilasm.exe
Drops file in Windows directory 1 IoCs

Processes:

759e32f34453405da59c9d75f8e2f544.exe

description ioc process

File created C:\Windows\Resources\Themes\A454A08C\svchost.exe 759e32f34453405da59c9d75f8e2f544.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4352 656 WerFault.exe 759e32f34453405da59c9d75f8e2f544.exe
4372 3696 WerFault.exe 1F44AD0C.exe

description	pid	process	target process
PID 656 set thread context of 1452	656	759e32f34453405da59c9d75f8e2f544.exe	ilasm.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\A454A08C\svchost.exe	759e32f34453405da59c9d75f8e2f544.exe

pid	pid_target	process	target process
4352	656	WerFault.exe	759e32f34453405da59c9d75f8e2f544.exe
4372	3696	WerFault.exe	1F44AD0C.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1316	AdvancedRun.exe
1316	AdvancedRun.exe
1316	AdvancedRun.exe
1316	AdvancedRun.exe
1648	AdvancedRun.exe
1648	AdvancedRun.exe
1648	AdvancedRun.exe
1648	AdvancedRun.exe
2728	powershell.exe
2760	powershell.exe
2388	powershell.exe
3504	powershell.exe
2148	powershell.exe
2116	powershell.exe
3772	powershell.exe
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe759e32f34453405da59c9d75f8e2f544.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1316	AdvancedRun.exe
Token: SeImpersonatePrivilege	1316	AdvancedRun.exe
Token: SeDebugPrivilege	1648	AdvancedRun.exe
Token: SeImpersonatePrivilege	1648	AdvancedRun.exe
Token: SeDebugPrivilege	656	759e32f34453405da59c9d75f8e2f544.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

759e32f34453405da59c9d75f8e2f544.exeAdvancedRun.exe

description	pid	process	target process
PID 656 wrote to memory of 1316	656	759e32f34453405da59c9d75f8e2f544.exe	AdvancedRun.exe
PID 656 wrote to memory of 1316	656	759e32f34453405da59c9d75f8e2f544.exe	AdvancedRun.exe
PID 656 wrote to memory of 1316	656	759e32f34453405da59c9d75f8e2f544.exe	AdvancedRun.exe
PID 1316 wrote to memory of 1648	1316	AdvancedRun.exe	AdvancedRun.exe
PID 1316 wrote to memory of 1648	1316	AdvancedRun.exe	AdvancedRun.exe
PID 1316 wrote to memory of 1648	1316	AdvancedRun.exe	AdvancedRun.exe
PID 656 wrote to memory of 2148	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2148	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2148	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2260	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2260	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2260	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2388	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2388	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2388	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2760	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2760	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2760	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 3772	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 3772	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 3772	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 3696	656	759e32f34453405da59c9d75f8e2f544.exe	1F44AD0C.exe
PID 656 wrote to memory of 3696	656	759e32f34453405da59c9d75f8e2f544.exe	1F44AD0C.exe
PID 656 wrote to memory of 3696	656	759e32f34453405da59c9d75f8e2f544.exe	1F44AD0C.exe
PID 656 wrote to memory of 3504	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 3504	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 3504	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2116	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2116	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2116	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2728	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2728	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 2728	656	759e32f34453405da59c9d75f8e2f544.exe	powershell.exe
PID 656 wrote to memory of 1452	656	759e32f34453405da59c9d75f8e2f544.exe	ilasm.exe
PID 656 wrote to memory of 1452	656	759e32f34453405da59c9d75f8e2f544.exe	ilasm.exe
PID 656 wrote to memory of 1452	656	759e32f34453405da59c9d75f8e2f544.exe	ilasm.exe
PID 656 wrote to memory of 1452	656	759e32f34453405da59c9d75f8e2f544.exe	ilasm.exe
PID 656 wrote to memory of 1452	656	759e32f34453405da59c9d75f8e2f544.exe	ilasm.exe
PID 656 wrote to memory of 1452	656	759e32f34453405da59c9d75f8e2f544.exe	ilasm.exe
PID 656 wrote to memory of 1452	656	759e32f34453405da59c9d75f8e2f544.exe	ilasm.exe
PID 656 wrote to memory of 1452	656	759e32f34453405da59c9d75f8e2f544.exe	ilasm.exe
PID 656 wrote to memory of 1452	656	759e32f34453405da59c9d75f8e2f544.exe	ilasm.exe
PID 656 wrote to memory of 1452	656	759e32f34453405da59c9d75f8e2f544.exe	ilasm.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

759e32f34453405da59c9d75f8e2f544.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	759e32f34453405da59c9d75f8e2f544.exe

C:\Users\Admin\AppData\Local\Temp\759e32f34453405da59c9d75f8e2f544.exe
"C:\Users\Admin\AppData\Local\Temp\759e32f34453405da59c9d75f8e2f544.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:656

C:\Users\Admin\AppData\Local\Temp\b6cc5fcc-9143-4ec0-905e-951f179d1dad\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\b6cc5fcc-9143-4ec0-905e-951f179d1dad\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b6cc5fcc-9143-4ec0-905e-951f179d1dad\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\b6cc5fcc-9143-4ec0-905e-951f179d1dad\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\b6cc5fcc-9143-4ec0-905e-951f179d1dad\AdvancedRun.exe" /SpecialRun 4101d8 1316
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\759e32f34453405da59c9d75f8e2f544.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\759e32f34453405da59c9d75f8e2f544.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\759e32f34453405da59c9d75f8e2f544.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe"
2⤵
- Executes dropped EXE
PID:3696

C:\Users\Admin\AppData\Local\Temp\f084fe87-d772-4f91-bf25-91ed84087348\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\f084fe87-d772-4f91-bf25-91ed84087348\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f084fe87-d772-4f91-bf25-91ed84087348\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\f084fe87-d772-4f91-bf25-91ed84087348\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\f084fe87-d772-4f91-bf25-91ed84087348\AdvancedRun.exe" /SpecialRun 4101d8 4748
4⤵
PID:4972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe" -Force
3⤵
PID:4508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe" -Force
3⤵
PID:1444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\A454A08C\svchost.exe" -Force
3⤵
PID:4836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe" -Force
3⤵
PID:5008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\A454A08C\svchost.exe" -Force
3⤵
PID:4748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
3⤵
PID:4980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
4⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1496
3⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\A454A08C\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\759e32f34453405da59c9d75f8e2f544.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\A454A08C\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
2⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 656 -s 2008
2⤵
- Program crash
PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
9b24276aef9d13958a28c3a55f850cc5

SHA1
16b42a22e34a3705df5800bdfd21fe0235994e55

SHA256
f189bd3c04c5a4836774dc76fc89b28d3a852010d78cb8ef55f6663a8017b00b

SHA512
c65e5ce1e6d29b1c1753a3a44dad55cbf307bba5b052dd3e2ce7e26aaec1f1da5f36a5e2d900daae38d2f5fb5d735b81b504045c5f45d365f9c51b4f807486fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ab9969f3498bba64ce4952af6263fba5

SHA1
79a9a049be77fb0ce4bbaeaa851ee0a0bb6c2a1b

SHA256
5141d22692d7235d340ff265650417d363bef455d8b562e68b72d8802d189bd8

SHA512
92023663112d89cc887b46fe4887be53f2960f582747df95d61605982555b1824b43e880faf36dffb23c6b30a4d259aa909c3b5c001bdbf3f56c0b366ef8ecfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ab9969f3498bba64ce4952af6263fba5

SHA1
79a9a049be77fb0ce4bbaeaa851ee0a0bb6c2a1b

SHA256
5141d22692d7235d340ff265650417d363bef455d8b562e68b72d8802d189bd8

SHA512
92023663112d89cc887b46fe4887be53f2960f582747df95d61605982555b1824b43e880faf36dffb23c6b30a4d259aa909c3b5c001bdbf3f56c0b366ef8ecfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ab9969f3498bba64ce4952af6263fba5

SHA1
79a9a049be77fb0ce4bbaeaa851ee0a0bb6c2a1b

SHA256
5141d22692d7235d340ff265650417d363bef455d8b562e68b72d8802d189bd8

SHA512
92023663112d89cc887b46fe4887be53f2960f582747df95d61605982555b1824b43e880faf36dffb23c6b30a4d259aa909c3b5c001bdbf3f56c0b366ef8ecfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
ab9969f3498bba64ce4952af6263fba5

SHA1
79a9a049be77fb0ce4bbaeaa851ee0a0bb6c2a1b

SHA256
5141d22692d7235d340ff265650417d363bef455d8b562e68b72d8802d189bd8

SHA512
92023663112d89cc887b46fe4887be53f2960f582747df95d61605982555b1824b43e880faf36dffb23c6b30a4d259aa909c3b5c001bdbf3f56c0b366ef8ecfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fb695308b404187628362c72c548c690

SHA1
545ff845a6c149c0bcb087af9e0ceb71e6201f28

SHA256
1cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce

SHA512
ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
54b389a19d2d06a6b9ae17ba1c96fc5e

SHA1
1970cf5bf46da7bef8305ad3f8543cc310354c92

SHA256
e87b38fc3f390a8b430c92ae83f5294c94208ca235aea8ee5762aac39740991b

SHA512
4c76fdbe3be1f8b46c099689bcb9edc4da848c542301052b49c313ad3721a0cdb176568bb77f78a2adf5c389184705fa0e4ffe0e6e728c67f27f8f8f384da1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fb695308b404187628362c72c548c690

SHA1
545ff845a6c149c0bcb087af9e0ceb71e6201f28

SHA256
1cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce

SHA512
ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fb695308b404187628362c72c548c690

SHA1
545ff845a6c149c0bcb087af9e0ceb71e6201f28

SHA256
1cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce

SHA512
ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fb695308b404187628362c72c548c690

SHA1
545ff845a6c149c0bcb087af9e0ceb71e6201f28

SHA256
1cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce

SHA512
ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
54b389a19d2d06a6b9ae17ba1c96fc5e

SHA1
1970cf5bf46da7bef8305ad3f8543cc310354c92

SHA256
e87b38fc3f390a8b430c92ae83f5294c94208ca235aea8ee5762aac39740991b

SHA512
4c76fdbe3be1f8b46c099689bcb9edc4da848c542301052b49c313ad3721a0cdb176568bb77f78a2adf5c389184705fa0e4ffe0e6e728c67f27f8f8f384da1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
fb695308b404187628362c72c548c690

SHA1
545ff845a6c149c0bcb087af9e0ceb71e6201f28

SHA256
1cf18ac05afaa2e9b09562e5992d2e1f2ba914f28fa785be6f652ce33457c2ce

SHA512
ce1f7887492b3617bbefcc18aa8c012db14875a3c571cf1c6df2428357a124ca0ecc43ffab78c2af0bebefd1c33ffbe918f64f2fddd79c398cf0f51c153cb2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
2abfae6f52d2d1af8d5ccb33fa092d98

SHA1
9e258298a0738960dc2019032eb8e1a628753129

SHA256
52c2e5eec51a22ed56aef474035c9250b12033eb252d93ffd3d10627f73a1cc8

SHA512
7a70f9207575394447bbff5192fc20e4a3afc494e1d18a940e9d0f3fc7a6c852d92334faff639e3d5bb02ac2a71deb75251ed5b4b6929e7fa5f4635fc97e34f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5cf46769234601ad2f475cce6492df02

SHA1
0f88b7c50a5b6650b60adcc1eb1daece6348a805

SHA256
3853078c4eb88e7cc4136a3395f96ba3446ab5515823280ca043c4d829fb3fe4

SHA512
89454065ff8d23ac8b4676de75c118fa4510b54da783472dc20971f148fd794ebf2d467a94d45bb14f3e7b11e580ecc49d7245bb9880af43a36a51323662ca5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5cf46769234601ad2f475cce6492df02

SHA1
0f88b7c50a5b6650b60adcc1eb1daece6348a805

SHA256
3853078c4eb88e7cc4136a3395f96ba3446ab5515823280ca043c4d829fb3fe4

SHA512
89454065ff8d23ac8b4676de75c118fa4510b54da783472dc20971f148fd794ebf2d467a94d45bb14f3e7b11e580ecc49d7245bb9880af43a36a51323662ca5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5cf46769234601ad2f475cce6492df02

SHA1
0f88b7c50a5b6650b60adcc1eb1daece6348a805

SHA256
3853078c4eb88e7cc4136a3395f96ba3446ab5515823280ca043c4d829fb3fe4

SHA512
89454065ff8d23ac8b4676de75c118fa4510b54da783472dc20971f148fd794ebf2d467a94d45bb14f3e7b11e580ecc49d7245bb9880af43a36a51323662ca5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7eab473ae62b30c4e12dcf935b8022df

SHA1
edc65b1c28cb4c5419af067e98f94aa2836f05f8

SHA256
eb9cf7156f4d149a279528d0305dbcf034ef16e1ccc3e2e37b1a4e2cfc450d15

SHA512
57752f3e1064050d8e56284923887a616742088db87d2e95c45e647c41250cf4abf56c1dd9e7101a4b90aca8a0ddaace1ae2bd76347e1df1a94a6a7c71b726fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c25926a4c2708b5f640ffd3f251afb84

SHA1
f8c0af2a6d0e825bde300c77d6df60529a5c1d82

SHA256
520825159a5b63361bb1b5763e683a02449a2b6f087bf81e246e2e423cb91b18

SHA512
23a7ddcff04508d600011ff77b76bfaa122c6eb1aaa1e5043e721affcb250aea333800a0356eb42bddd318ca1d26874c68f780f08b29c3122b2432fdd6ed0ade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6cc5fcc-9143-4ec0-905e-951f179d1dad\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6cc5fcc-9143-4ec0-905e-951f179d1dad\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6cc5fcc-9143-4ec0-905e-951f179d1dad\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f084fe87-d772-4f91-bf25-91ed84087348\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f084fe87-d772-4f91-bf25-91ed84087348\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f084fe87-d772-4f91-bf25-91ed84087348\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe
MD5
759e32f34453405da59c9d75f8e2f544

SHA1
b5d265cd3d7203b46609b525762ebb40a503ae1b

SHA256
1315fb9110a9b6bcf1326af2be8438b1d47bc4b46815db1ab49bed4fa58b3f51

SHA512
7efbf142bc58a2e301fd7a8a9c3c27cee37b88f47a8269f311b616c15209272f57928ebcb6b2acbd6bdc79183d5ec8cd9138f4be0a3db5b69603f2645c82c2ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1F44AD0C.exe
MD5
759e32f34453405da59c9d75f8e2f544

SHA1
b5d265cd3d7203b46609b525762ebb40a503ae1b

SHA256
1315fb9110a9b6bcf1326af2be8438b1d47bc4b46815db1ab49bed4fa58b3f51

SHA512
7efbf142bc58a2e301fd7a8a9c3c27cee37b88f47a8269f311b616c15209272f57928ebcb6b2acbd6bdc79183d5ec8cd9138f4be0a3db5b69603f2645c82c2ed

Download Submit
memory/656-120-0x00000000090F0000-0x00000000090F1000-memory.dmp

Filesize
4KB

Download
memory/656-116-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/656-119-0x00000000051A0000-0x000000000569E000-memory.dmp

Filesize
5.0MB

Download
memory/656-117-0x00000000051A0000-0x000000000569E000-memory.dmp

Filesize
5.0MB

Download
memory/656-118-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/656-121-0x0000000009050000-0x00000000090B2000-memory.dmp

Filesize
392KB

Download
memory/656-122-0x0000000009300000-0x0000000009301000-memory.dmp

Filesize
4KB

Download
memory/656-115-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/656-185-0x0000000006CC0000-0x0000000006CC3000-memory.dmp

Filesize
12KB

Download
memory/656-114-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1316-123-0x0000000000000000-mapping.dmp

Download
memory/1444-1293-0x000000007F440000-0x000000007F441000-memory.dmp

Filesize
4KB

Download
memory/1444-508-0x0000000004702000-0x0000000004703000-memory.dmp

Filesize
4KB

Download
memory/1444-487-0x0000000004700000-0x0000000004701000-memory.dmp

Filesize
4KB

Download
memory/1444-320-0x0000000000000000-mapping.dmp

Download
memory/1452-179-0x0000000000405E28-mapping.dmp

Download
memory/1452-176-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1452-187-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1648-126-0x0000000000000000-mapping.dmp

Download
memory/2116-194-0x0000000006A20000-0x0000000006A21000-memory.dmp

Filesize
4KB

Download
memory/2116-221-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/2116-147-0x0000000000000000-mapping.dmp

Download
memory/2116-198-0x0000000006A22000-0x0000000006A23000-memory.dmp

Filesize
4KB

Download
memory/2116-514-0x0000000006A23000-0x0000000006A24000-memory.dmp

Filesize
4KB

Download
memory/2116-319-0x000000007F000000-0x000000007F001000-memory.dmp

Filesize
4KB

Download
memory/2148-128-0x0000000000000000-mapping.dmp

Download
memory/2148-338-0x000000007EE20000-0x000000007EE21000-memory.dmp

Filesize
4KB

Download
memory/2148-175-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/2148-190-0x0000000006A72000-0x0000000006A73000-memory.dmp

Filesize
4KB

Download
memory/2148-528-0x0000000006A73000-0x0000000006A74000-memory.dmp

Filesize
4KB

Download
memory/2260-207-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/2260-184-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/2260-490-0x0000000002F63000-0x0000000002F64000-memory.dmp

Filesize
4KB

Download
memory/2260-345-0x000000007F060000-0x000000007F061000-memory.dmp

Filesize
4KB

Download
memory/2260-129-0x0000000000000000-mapping.dmp

Download
memory/2260-199-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/2260-191-0x0000000002F62000-0x0000000002F63000-memory.dmp

Filesize
4KB

Download
memory/2388-186-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download
memory/2388-156-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/2388-481-0x0000000006663000-0x0000000006664000-memory.dmp

Filesize
4KB

Download
memory/2388-130-0x0000000000000000-mapping.dmp

Download
memory/2388-188-0x0000000006662000-0x0000000006663000-memory.dmp

Filesize
4KB

Download
memory/2388-331-0x000000007E730000-0x000000007E731000-memory.dmp

Filesize
4KB

Download
memory/2728-177-0x0000000006C42000-0x0000000006C43000-memory.dmp

Filesize
4KB

Download
memory/2728-148-0x0000000000000000-mapping.dmp

Download
memory/2728-197-0x0000000006C40000-0x0000000006C41000-memory.dmp

Filesize
4KB

Download
memory/2728-471-0x0000000006C43000-0x0000000006C44000-memory.dmp

Filesize
4KB

Download
memory/2728-325-0x000000007F1B0000-0x000000007F1B1000-memory.dmp

Filesize
4KB

Download
memory/2760-352-0x000000007EA70000-0x000000007EA71000-memory.dmp

Filesize
4KB

Download
memory/2760-150-0x0000000006640000-0x0000000006641000-memory.dmp

Filesize
4KB

Download
memory/2760-192-0x0000000006712000-0x0000000006713000-memory.dmp

Filesize
4KB

Download
memory/2760-131-0x0000000000000000-mapping.dmp

Download
memory/2760-174-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/2760-484-0x0000000006713000-0x0000000006714000-memory.dmp

Filesize
4KB

Download
memory/3060-314-0x00007FFB192F0000-0x00007FFB19300000-memory.dmp

Filesize
64KB

Download
memory/3060-496-0x00000000015E0000-0x00000000015E1000-memory.dmp

Filesize
4KB

Download
memory/3060-423-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/3060-310-0x00000000059C0000-0x0000000005AC0000-memory.dmp

Filesize
1024KB

Download
memory/3060-414-0x00007FFB19300000-0x00007FFB19310000-memory.dmp

Filesize
64KB

Download
memory/3060-369-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/3060-453-0x00007FFB19310000-0x00007FFB19316000-memory.dmp

Filesize
24KB

Download
memory/3504-477-0x0000000006A03000-0x0000000006A04000-memory.dmp

Filesize
4KB

Download
memory/3504-140-0x0000000000000000-mapping.dmp

Download
memory/3504-196-0x0000000006A02000-0x0000000006A03000-memory.dmp

Filesize
4KB

Download
memory/3504-195-0x0000000006A00000-0x0000000006A01000-memory.dmp

Filesize
4KB

Download
memory/3696-180-0x0000000005600000-0x0000000005AFE000-memory.dmp

Filesize
5.0MB

Download
memory/3696-193-0x0000000005600000-0x0000000005AFE000-memory.dmp

Filesize
5.0MB

Download
memory/3696-135-0x0000000000000000-mapping.dmp

Download
memory/3772-359-0x000000007F300000-0x000000007F301000-memory.dmp

Filesize
4KB

Download
memory/3772-132-0x0000000000000000-mapping.dmp

Download
memory/3772-182-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/3772-189-0x0000000004E12000-0x0000000004E13000-memory.dmp

Filesize
4KB

Download
memory/3772-488-0x0000000004E13000-0x0000000004E14000-memory.dmp

Filesize
4KB

Download
memory/4508-433-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download
memory/4508-313-0x0000000000000000-mapping.dmp

Download
memory/4508-474-0x0000000006B92000-0x0000000006B93000-memory.dmp

Filesize
4KB

Download
memory/4508-1243-0x000000007EA30000-0x000000007EA31000-memory.dmp

Filesize
4KB

Download
memory/4748-252-0x0000000000000000-mapping.dmp

Download
memory/4748-501-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/4748-339-0x0000000000000000-mapping.dmp

Download
memory/4748-1248-0x000000007E6C0000-0x000000007E6C1000-memory.dmp

Filesize
4KB

Download
memory/4748-1495-0x0000000004103000-0x0000000004104000-memory.dmp

Filesize
4KB

Download
memory/4748-467-0x0000000004102000-0x0000000004103000-memory.dmp

Filesize
4KB

Download
memory/4748-1496-0x0000000004104000-0x0000000004106000-memory.dmp

Filesize
8KB

Download
memory/4800-254-0x0000000000000000-mapping.dmp

Download
memory/4800-280-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/4836-1237-0x000000007EE00000-0x000000007EE01000-memory.dmp

Filesize
4KB

Download
memory/4836-1490-0x0000000007383000-0x0000000007384000-memory.dmp

Filesize
4KB

Download
memory/4836-326-0x0000000000000000-mapping.dmp

Download
memory/4836-1493-0x0000000007384000-0x0000000007386000-memory.dmp

Filesize
8KB

Download
memory/4836-504-0x0000000007382000-0x0000000007383000-memory.dmp

Filesize
4KB

Download
memory/4836-445-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/4972-262-0x0000000000000000-mapping.dmp

Download
memory/4980-364-0x0000000000405E28-mapping.dmp

Download
memory/5008-521-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/5008-332-0x0000000000000000-mapping.dmp

Download
memory/5008-462-0x0000000004880000-0x0000000004881000-memory.dmp

Filesize
4KB

Download
memory/5008-1340-0x000000007F830000-0x000000007F831000-memory.dmp

Filesize
4KB

Download
memory/5052-885-0x0000000000000000-mapping.dmp

Download
memory/5052-1077-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download