njrat | 566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c

Analysis

max time kernel
32s
max time network
144s
platform
windows10_x64
resource
win10-en-20211014
submitted
05-11-2021 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7355d1a43f1d438e09eebff0c90211b0.exe
Size

227KB
MD5

7355d1a43f1d438e09eebff0c90211b0
SHA1

4d6ca4321e87d5381ceeb1b60c300b7ab69ef30a
SHA256

566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c
SHA512

867b8beda9c79d09cd40267f254f3134a5a8837cd195c1324a938fa17e53521910f0cc3b038a4676ce84c87bd475778a1900ea80ed03850b3ac7f4141ecbef2e

Score

10^/10

njrat directx evasion suricata trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

DirectX

20.79.249.125:1604

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\065c5c3b-a732-4d94-ab0c-24b909c26a68\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\065c5c3b-a732-4d94-ab0c-24b909c26a68\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\065c5c3b-a732-4d94-ab0c-24b909c26a68\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\17af5ed3-a3b3-483c-bc94-77396800620e\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\17af5ed3-a3b3-483c-bc94-77396800620e\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\17af5ed3-a3b3-483c-bc94-77396800620e\AdvancedRun.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exeAdvancedRun.exeAdvancedRun.exe

pid process

2440 AdvancedRun.exe
1724 AdvancedRun.exe
1672 䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
1168 AdvancedRun.exe
2968 AdvancedRun.exe

Drops startup file 4 IoCs

Processes:

䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe7355d1a43f1d438e09eebff0c90211b0.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	7355d1a43f1d438e09eebff0c90211b0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	7355d1a43f1d438e09eebff0c90211b0.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	7355d1a43f1d438e09eebff0c90211b0.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	7355d1a43f1d438e09eebff0c90211b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	7355d1a43f1d438e09eebff0c90211b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe = "0"	7355d1a43f1d438e09eebff0c90211b0.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

Drops file in Windows directory 1 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe	7355d1a43f1d438e09eebff0c90211b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exe

pid	process
2440	AdvancedRun.exe
2440	AdvancedRun.exe
2440	AdvancedRun.exe
2440	AdvancedRun.exe
1724	AdvancedRun.exe
1724	AdvancedRun.exe
1724	AdvancedRun.exe
1724	AdvancedRun.exe
1040	powershell.exe
2300	powershell.exe
956	powershell.exe
3672	powershell.exe
1344	powershell.exe
372	powershell.exe
3852	powershell.exe
3600	powershell.exe
1168	AdvancedRun.exe
1168	AdvancedRun.exe
1168	AdvancedRun.exe
1168	AdvancedRun.exe
3600	powershell.exe
1040	powershell.exe
372	powershell.exe
956	powershell.exe
3672	powershell.exe
2300	powershell.exe
1344	powershell.exe
3852	powershell.exe
2968	AdvancedRun.exe
2968	AdvancedRun.exe
2968	AdvancedRun.exe
2968	AdvancedRun.exe
3744	powershell.exe
3744	powershell.exe
2116	powershell.exe
2116	powershell.exe
2852	powershell.exe
2852	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exeAdvancedRun.exeAdvancedRun.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3368	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeDebugPrivilege	2440	AdvancedRun.exe
Token: SeImpersonatePrivilege	2440	AdvancedRun.exe
Token: SeDebugPrivilege	1724	AdvancedRun.exe
Token: SeImpersonatePrivilege	1724	AdvancedRun.exe
Token: SeDebugPrivilege	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	1168	AdvancedRun.exe
Token: SeImpersonatePrivilege	1168	AdvancedRun.exe
Token: SeDebugPrivilege	2968	AdvancedRun.exe
Token: SeImpersonatePrivilege	2968	AdvancedRun.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exeAdvancedRun.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exeAdvancedRun.exe

description	pid	process	target process
PID 3368 wrote to memory of 2440	3368	7355d1a43f1d438e09eebff0c90211b0.exe	AdvancedRun.exe
PID 3368 wrote to memory of 2440	3368	7355d1a43f1d438e09eebff0c90211b0.exe	AdvancedRun.exe
PID 3368 wrote to memory of 2440	3368	7355d1a43f1d438e09eebff0c90211b0.exe	AdvancedRun.exe
PID 2440 wrote to memory of 1724	2440	AdvancedRun.exe	AdvancedRun.exe
PID 2440 wrote to memory of 1724	2440	AdvancedRun.exe	AdvancedRun.exe
PID 2440 wrote to memory of 1724	2440	AdvancedRun.exe	AdvancedRun.exe
PID 3368 wrote to memory of 3672	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 3672	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 3672	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 372	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 372	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 372	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 1040	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 1040	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 1040	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 956	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 956	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 956	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 1344	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 1344	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 1344	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 1672	3368	7355d1a43f1d438e09eebff0c90211b0.exe	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
PID 3368 wrote to memory of 1672	3368	7355d1a43f1d438e09eebff0c90211b0.exe	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
PID 3368 wrote to memory of 1672	3368	7355d1a43f1d438e09eebff0c90211b0.exe	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
PID 3368 wrote to memory of 3600	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 3600	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 3600	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 2300	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 2300	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 2300	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 3852	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 3852	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 3368 wrote to memory of 3852	3368	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1672 wrote to memory of 1168	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	AdvancedRun.exe
PID 1672 wrote to memory of 1168	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	AdvancedRun.exe
PID 1672 wrote to memory of 1168	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	AdvancedRun.exe
PID 1168 wrote to memory of 2968	1168	AdvancedRun.exe	AdvancedRun.exe
PID 1168 wrote to memory of 2968	1168	AdvancedRun.exe	AdvancedRun.exe
PID 1168 wrote to memory of 2968	1168	AdvancedRun.exe	AdvancedRun.exe
PID 1672 wrote to memory of 3744	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 3744	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 3744	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 2116	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 2116	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 2116	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 2852	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 2852	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 2852	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 2284	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 2284	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 2284	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 4152	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 4152	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1672 wrote to memory of 4152	1672	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe
"C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe"
1⤵
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3368

C:\Users\Admin\AppData\Local\Temp\065c5c3b-a732-4d94-ab0c-24b909c26a68\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\065c5c3b-a732-4d94-ab0c-24b909c26a68\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\065c5c3b-a732-4d94-ab0c-24b909c26a68\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\065c5c3b-a732-4d94-ab0c-24b909c26a68\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\065c5c3b-a732-4d94-ab0c-24b909c26a68\AdvancedRun.exe" /SpecialRun 4101d8 2440
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1672

C:\Users\Admin\AppData\Local\Temp\17af5ed3-a3b3-483c-bc94-77396800620e\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\17af5ed3-a3b3-483c-bc94-77396800620e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\17af5ed3-a3b3-483c-bc94-77396800620e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\17af5ed3-a3b3-483c-bc94-77396800620e\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\17af5ed3-a3b3-483c-bc94-77396800620e\AdvancedRun.exe" /SpecialRun 4101d8 1168
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
3⤵
PID:2284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe" -Force
3⤵
PID:4152

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Temp\065c5c3b-a732-4d94-ab0c-24b909c26a68\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\065c5c3b-a732-4d94-ab0c-24b909c26a68\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\065c5c3b-a732-4d94-ab0c-24b909c26a68\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\17af5ed3-a3b3-483c-bc94-77396800620e\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\17af5ed3-a3b3-483c-bc94-77396800620e\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\17af5ed3-a3b3-483c-bc94-77396800620e\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
MD5
f39dc7f3fcd45c5b85654093a9be1cd7

SHA1
e6b05f26f3912fece3019976b30f8a45ce62dc56

SHA256
9fbf8e6e7e4c29da69ae34498caa6a622990eda06105fdc30b5bbdfc7a5916ce

SHA512
6d849f5f113a33297b6e2bdac82aa5c3b843c39c8430003881a0d74052b90359a864018f80414c38f23cd99da6eccf6efc153bba1954fab2df036cd1f724cd17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
MD5
7355d1a43f1d438e09eebff0c90211b0

SHA1
4d6ca4321e87d5381ceeb1b60c300b7ab69ef30a

SHA256
566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c

SHA512
867b8beda9c79d09cd40267f254f3134a5a8837cd195c1324a938fa17e53521910f0cc3b038a4676ce84c87bd475778a1900ea80ed03850b3ac7f4141ecbef2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
MD5
7355d1a43f1d438e09eebff0c90211b0

SHA1
4d6ca4321e87d5381ceeb1b60c300b7ab69ef30a

SHA256
566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c

SHA512
867b8beda9c79d09cd40267f254f3134a5a8837cd195c1324a938fa17e53521910f0cc3b038a4676ce84c87bd475778a1900ea80ed03850b3ac7f4141ecbef2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5
290cd837d2a0d0e96a19d0881c8b20aa

SHA1
d2499dfe5e480e7297f7356dbf8d4dedcf623c9a

SHA256
c7f2f4c8a97c65e74645dc1c63dc46a9a463968de209f0132c462a56a24a5b5d

SHA512
c786161057cbc27b49faf9348cfb1359ee4df668ef784a8794860dedfc69db130ff9d1c60d300caf666c7a21b2da4628d3958f8b3a69ce252850ec47e6ec3e7c

Download Submit
memory/372-180-0x00000000047A2000-0x00000000047A3000-memory.dmp

Filesize
4KB

Download
memory/372-173-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/372-139-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/372-431-0x000000007E9E0000-0x000000007E9E1000-memory.dmp

Filesize
4KB

Download
memory/372-138-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/372-544-0x00000000047A3000-0x00000000047A4000-memory.dmp

Filesize
4KB

Download
memory/372-134-0x0000000000000000-mapping.dmp

Download
memory/956-140-0x0000000000000000-mapping.dmp

Download
memory/956-197-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/956-462-0x000000007EE60000-0x000000007EE61000-memory.dmp

Filesize
4KB

Download
memory/956-157-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/956-156-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/956-555-0x0000000001213000-0x0000000001214000-memory.dmp

Filesize
4KB

Download
memory/956-169-0x0000000001212000-0x0000000001213000-memory.dmp

Filesize
4KB

Download
memory/1040-142-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1040-562-0x0000000001193000-0x0000000001194000-memory.dmp

Filesize
4KB

Download
memory/1040-135-0x0000000000000000-mapping.dmp

Download
memory/1040-183-0x0000000001192000-0x0000000001193000-memory.dmp

Filesize
4KB

Download
memory/1040-141-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1040-411-0x000000007F5D0000-0x000000007F5D1000-memory.dmp

Filesize
4KB

Download
memory/1040-174-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/1168-239-0x0000000000000000-mapping.dmp

Download
memory/1344-160-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1344-565-0x0000000004943000-0x0000000004944000-memory.dmp

Filesize
4KB

Download
memory/1344-212-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/1344-146-0x0000000000000000-mapping.dmp

Download
memory/1344-172-0x0000000004942000-0x0000000004943000-memory.dmp

Filesize
4KB

Download
memory/1344-447-0x000000007F7C0000-0x000000007F7C1000-memory.dmp

Filesize
4KB

Download
memory/1344-167-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1344-161-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/1672-150-0x0000000000000000-mapping.dmp

Download
memory/1672-195-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/1724-131-0x0000000000000000-mapping.dmp

Download
memory/2116-552-0x000000007EFE0000-0x000000007EFE1000-memory.dmp

Filesize
4KB

Download
memory/2116-665-0x00000000074C3000-0x00000000074C4000-memory.dmp

Filesize
4KB

Download
memory/2116-261-0x0000000000000000-mapping.dmp

Download
memory/2116-295-0x00000000074C2000-0x00000000074C3000-memory.dmp

Filesize
4KB

Download
memory/2116-293-0x00000000074C0000-0x00000000074C1000-memory.dmp

Filesize
4KB

Download
memory/2284-620-0x000000007EBD0000-0x000000007EBD1000-memory.dmp

Filesize
4KB

Download
memory/2284-264-0x0000000000000000-mapping.dmp

Download
memory/2284-301-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2284-309-0x0000000000E32000-0x0000000000E33000-memory.dmp

Filesize
4KB

Download
memory/2284-764-0x0000000000E33000-0x0000000000E34000-memory.dmp

Filesize
4KB

Download
memory/2300-456-0x000000007E010000-0x000000007E011000-memory.dmp

Filesize
4KB

Download
memory/2300-185-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/2300-190-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/2300-182-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/2300-193-0x00000000010D2000-0x00000000010D3000-memory.dmp

Filesize
4KB

Download
memory/2300-575-0x00000000010D3000-0x00000000010D4000-memory.dmp

Filesize
4KB

Download
memory/2300-159-0x0000000000000000-mapping.dmp

Download
memory/2440-128-0x0000000000000000-mapping.dmp

Download
memory/2852-297-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/2852-262-0x0000000000000000-mapping.dmp

Download
memory/2852-573-0x000000007F4F0000-0x000000007F4F1000-memory.dmp

Filesize
4KB

Download
memory/2852-680-0x00000000071E3000-0x00000000071E4000-memory.dmp

Filesize
4KB

Download
memory/2852-305-0x00000000071E2000-0x00000000071E3000-memory.dmp

Filesize
4KB

Download
memory/2968-242-0x0000000000000000-mapping.dmp

Download
memory/3368-115-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3368-117-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3368-118-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3368-121-0x0000000005020000-0x0000000005023000-memory.dmp

Filesize
12KB

Download
memory/3368-125-0x0000000001160000-0x00000000011B2000-memory.dmp

Filesize
328KB

Download
memory/3368-126-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/3368-199-0x00000000083F0000-0x00000000083F1000-memory.dmp

Filesize
4KB

Download
memory/3368-127-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/3368-201-0x0000000008400000-0x0000000008407000-memory.dmp

Filesize
28KB

Download
memory/3600-191-0x00000000067C2000-0x00000000067C3000-memory.dmp

Filesize
4KB

Download
memory/3600-179-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3600-559-0x00000000067C3000-0x00000000067C4000-memory.dmp

Filesize
4KB

Download
memory/3600-187-0x00000000067C0000-0x00000000067C1000-memory.dmp

Filesize
4KB

Download
memory/3600-153-0x0000000000000000-mapping.dmp

Download
memory/3600-424-0x000000007ECD0000-0x000000007ECD1000-memory.dmp

Filesize
4KB

Download
memory/3600-176-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3672-177-0x0000000007112000-0x0000000007113000-memory.dmp

Filesize
4KB

Download
memory/3672-204-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/3672-133-0x0000000000000000-mapping.dmp

Download
memory/3672-136-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/3672-137-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/3672-164-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/3672-439-0x000000007FC10000-0x000000007FC11000-memory.dmp

Filesize
4KB

Download
memory/3672-143-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/3672-548-0x0000000007113000-0x0000000007114000-memory.dmp

Filesize
4KB

Download
memory/3672-147-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/3744-288-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/3744-260-0x0000000000000000-mapping.dmp

Download
memory/3744-673-0x0000000001113000-0x0000000001114000-memory.dmp

Filesize
4KB

Download
memory/3744-292-0x0000000001112000-0x0000000001113000-memory.dmp

Filesize
4KB

Download
memory/3852-168-0x0000000000000000-mapping.dmp

Download
memory/3852-194-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/3852-419-0x000000007E4A0000-0x000000007E4A1000-memory.dmp

Filesize
4KB

Download
memory/3852-196-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/3852-200-0x00000000068C0000-0x00000000068C1000-memory.dmp

Filesize
4KB

Download
memory/3852-203-0x00000000068C2000-0x00000000068C3000-memory.dmp

Filesize
4KB

Download
memory/3852-569-0x00000000068C3000-0x00000000068C4000-memory.dmp

Filesize
4KB

Download
memory/4152-311-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/4152-291-0x0000000007282000-0x0000000007283000-memory.dmp

Filesize
4KB

Download
memory/4152-269-0x0000000000000000-mapping.dmp

Download
memory/4152-758-0x0000000007283000-0x0000000007284000-memory.dmp

Filesize
4KB

Download
memory/4152-618-0x000000007ED20000-0x000000007ED21000-memory.dmp

Filesize
4KB

Download