7b187ffdf087fa28e04f239ba10f031bcc73518f4126e75ead32145ad83f51fd

Analysis

max time kernel
11s
max time network
11s
platform
windows7_x64
resource
win7v20210408
submitted
04-05-2021 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fads_Gercekler.exe
Size

2.0MB
MD5

e0fcc6006b8db87d96c047775ca5c598
SHA1

9429e298482ea5d8f2802353a4b97544e7bc0949
SHA256

7b187ffdf087fa28e04f239ba10f031bcc73518f4126e75ead32145ad83f51fd
SHA512

20651b60b623daddda4d2b5a2f33971121d85a0c0e57357d65c29a00b931003ed72f1a669d3671d2088cb689bc69ac243dcf47ab906d11206c90d549f01a2ee0

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 28 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe

pid process

908 AdvancedRun.exe
572 AdvancedRun.exe
1580 5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

pid	process
908	AdvancedRun.exe
572	AdvancedRun.exe
1580	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Fads_Gercekler.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fads_Gercekler.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fads_Gercekler.exe

Drops startup file 2 IoCs

Processes:

Fads_Gercekler.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	Fads_Gercekler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe	Fads_Gercekler.exe

Loads dropped DLL 5 IoCs

Processes:

Fads_Gercekler.exeAdvancedRun.exe

pid process

1652 Fads_Gercekler.exe
1652 Fads_Gercekler.exe
908 AdvancedRun.exe
908 AdvancedRun.exe
1652 Fads_Gercekler.exe

pid	process
1652	Fads_Gercekler.exe
1652	Fads_Gercekler.exe
908	AdvancedRun.exe
908	AdvancedRun.exe
1652	Fads_Gercekler.exe

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Fads_Gercekler.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	Fads_Gercekler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Fads_Gercekler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe = "0"	Fads_Gercekler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Fads_Gercekler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	Fads_Gercekler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Fads_Gercekler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	Fads_Gercekler.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	Fads_Gercekler.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe = "0"	Fads_Gercekler.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Fads_Gercekler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Fads_Gercekler.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Fads_Gercekler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

pid process

908 AdvancedRun.exe
908 AdvancedRun.exe
572 AdvancedRun.exe
572 AdvancedRun.exe

pid	process
908	AdvancedRun.exe
908	AdvancedRun.exe
572	AdvancedRun.exe
572	AdvancedRun.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

description	pid	process
Token: SeDebugPrivilege	908	AdvancedRun.exe
Token: SeImpersonatePrivilege	908	AdvancedRun.exe
Token: SeDebugPrivilege	572	AdvancedRun.exe
Token: SeImpersonatePrivilege	572	AdvancedRun.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

Fads_Gercekler.exeAdvancedRun.exe

description	pid	process	target process
PID 1652 wrote to memory of 908	1652	Fads_Gercekler.exe	AdvancedRun.exe
PID 1652 wrote to memory of 908	1652	Fads_Gercekler.exe	AdvancedRun.exe
PID 1652 wrote to memory of 908	1652	Fads_Gercekler.exe	AdvancedRun.exe
PID 1652 wrote to memory of 908	1652	Fads_Gercekler.exe	AdvancedRun.exe
PID 908 wrote to memory of 572	908	AdvancedRun.exe	AdvancedRun.exe
PID 908 wrote to memory of 572	908	AdvancedRun.exe	AdvancedRun.exe
PID 908 wrote to memory of 572	908	AdvancedRun.exe	AdvancedRun.exe
PID 908 wrote to memory of 572	908	AdvancedRun.exe	AdvancedRun.exe
PID 1652 wrote to memory of 996	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 996	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 996	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 996	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1160	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1160	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1160	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1160	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1316	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1316	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1316	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1316	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1876	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1876	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1876	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1876	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 764	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 764	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 764	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 764	1652	Fads_Gercekler.exe	powershell.exe
PID 1652 wrote to memory of 1580	1652	Fads_Gercekler.exe	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
PID 1652 wrote to memory of 1580	1652	Fads_Gercekler.exe	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
PID 1652 wrote to memory of 1580	1652	Fads_Gercekler.exe	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
PID 1652 wrote to memory of 1580	1652	Fads_Gercekler.exe	5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe

C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe
"C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe" /SpecialRun 4101d8 908
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
PID:996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
PID:1160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
2⤵
PID:1316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
2⤵
PID:1876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
PID:764

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe"
2⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe" /SpecialRun 4101d8 2220
4⤵
PID:2268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
PID:2332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" -Force
3⤵
PID:2416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:2456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
3⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe
"C:\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe" /EXEFilename "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe
"C:\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe" /SpecialRun 4101d8 2852
4⤵
PID:2900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" -Force
2⤵
PID:572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\949b01bf0UhXMa34yp537ahK0r4\svchost.exe" -Force
2⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe
"C:\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\Fads_Gercekler.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe
"C:\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe" /SpecialRun 4101d8 2628
3⤵
PID:2716

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_263b5dba-6418-446a-9940-15f93a387352
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_cbff30d4-38db-4dc2-998a-d6c81276ab62
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
e16b5503332b353e9d603ad0cf9a290f

SHA1
e82f98043f3e4e246d4fca2173c54c7e90fb0744

SHA256
b22a13bd9caa4fd7a8415f474fb042de4a4b017ac2243ab7e0060cd7fa068b30

SHA512
6a9257e65bc9f9d196ba3ff460ca65ce09fa789da1684652e3bad6864e1d06205eb7ffdc90cea2616ad2a4805aebac9b56dfe79443412567f95ae25ffbbb23d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
b00c398d2e84ce1c8eba78f4d24dba7b

SHA1
810a680be83b49238a37e09544c6b8127f7ec3ae

SHA256
84d302315e643afcd355064991beaffeb7477fd611230a0a3df8e407bc028e0a

SHA512
0b16ca9eb2f9186e5051ace6ece50d695d983e6c61062120fcb4235d9aac8814ff00ddb0f391f3b58a389dffd5824cdeb21cba3bb40a72c36356537dae97baa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
bd5ad1a05d8f414e47f00c603ca817dd

SHA1
c06bbfe9f4ae2254ccc46cba95031569863ddbda

SHA256
db39d1631e7e5dfe38e13b3aded4f5ed69762bcf810042f367c2599eae99199a

SHA512
e06af1968fdbde3616a926d96e98e858ddb2da9ff8651238a482dcc5a7279aa1c35db9ba5d6bcf6731b92500dbeff8ed72f3e5208194361b5bb68d5655ce7c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
703da3c3e18ed0cdeabb97a9fba90a58

SHA1
8b98610486c996b59c160270179ffdcd15d8d3e4

SHA256
858accf98428a74e7c7cea82d58a98de58fc9cc396f39b31f884b64525339874

SHA512
5bf3c70b2cf56c9793bb5ce77146646a60b02c428eba4cf7d29832a6d274914e85898dc3bc837184d103a11ad29c7c5e155c2ad92ea784719af20bc194017ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
22731a1f9f6ca5f4d234b93ce0210156

SHA1
c6b7d8c39cd8fabacd07d13a6bc4d1223c147203

SHA256
86414495474f1f845476abdcdaba667287fbb1d99a96f6cacc5764bf0ba831b2

SHA512
8e0e2eb4e2c322872083eb9ef25fdf9e4bf36c0da21884015f4917ef9949bfe6cc655733f203e0af02fb3495d8b59bd9a5218b9ff3f4650ebfda56f31ad79db5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
50301cea86c84466c3d79763f939776b

SHA1
2cf594b432c6d7287c4bfd9e141c93d27b79c034

SHA256
d161d9adafd40f84315006d6f96dcbd6264466b1b11ffc73c6a2dc5f364c039a

SHA512
03aa6a656ce1fa88a9f880837619222be835cdc4e16dcab70af41142a1010f260ff68c512b008344b5c7d25d9aee623dc0ed953864861306f07081e560b89587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
c7586e5f6087366bfb342c34c72b1ec6

SHA1
f5e55427cc3505beaff12976729a7bc7a3f83be9

SHA256
8719427c58c365b38f7abead8805060304031a4c510ba770ddd766502f5298ed

SHA512
f46689f055025dafbc814b262ebb6d44ef4bc499b0c13bc26e5e043a9977db8805e53440c94271dc692d21aee689f755d3540d73f573ce98bab4b0660849de79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
283768d5668856f59498f4c9f3a6b072

SHA1
c783c8871589212f3ab735e228aae3200e4f0607

SHA256
0489b42dcc22ea473dee3ff27c54bfe5e41d2257400feaca4c67383c78e63a5f

SHA512
4e7389f5e8d8deb8fddeb21f913696bf342ea2c2a6a2ed9b145e5a5b4ffee74ee9652da5dab0558269bf18a3e7f19f285a8dc4890d193918803fe79af0437e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
a05c50a0614a3fa8f0d67a907120c173

SHA1
e66f94e5a98fa056943f589a5b7569709f0fdc2b

SHA256
8fb8e3a1979b2b9b33aa996fdb832e310f2ba14ee11e8a5193fe40bc08644af4

SHA512
3ed5a26dd54ad91187cc749be63e1bc1b73dedbd4f076acffa07afbbdff31341aa0c6e0cbdd25640f39c5c4750c79c87d3eb611fefab9bbe2d98ab75f9cddceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
905dc35d9a16076ca159d38dd9e01bb0

SHA1
2b773755c331115b0896352cee6edfc481a391ae

SHA256
2601639dc1d24021350309cfd8dbbd8a1620058d9e4d305e74746641ff4306d6

SHA512
e3cadb4b54a7507eb2f3df29621ab92c4b2f538d511093d6d310d8f893c82e208480c7d41bb6c63116694e5a153992e48139db0b397f774e7f7ee02e3bbd6c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
aacea5b99fcec662d0271baabaab19a7

SHA1
3152bbd841ceac6ad1406c0e3516596b6684af6a

SHA256
0fd03d7bac50d82427f4e31fd7425bf8452638fc7306c4d11ab496d5fc11fb50

SHA512
9d0bba0107347b46a31d464233e9d20d03a2a4177df9a02f3cef06577237a0105daa2bba209f4d855657aeb2b659a3b1a4c873826a5fa1728e0f7eed4b996340

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
aacea5b99fcec662d0271baabaab19a7

SHA1
3152bbd841ceac6ad1406c0e3516596b6684af6a

SHA256
0fd03d7bac50d82427f4e31fd7425bf8452638fc7306c4d11ab496d5fc11fb50

SHA512
9d0bba0107347b46a31d464233e9d20d03a2a4177df9a02f3cef06577237a0105daa2bba209f4d855657aeb2b659a3b1a4c873826a5fa1728e0f7eed4b996340

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
aacea5b99fcec662d0271baabaab19a7

SHA1
3152bbd841ceac6ad1406c0e3516596b6684af6a

SHA256
0fd03d7bac50d82427f4e31fd7425bf8452638fc7306c4d11ab496d5fc11fb50

SHA512
9d0bba0107347b46a31d464233e9d20d03a2a4177df9a02f3cef06577237a0105daa2bba209f4d855657aeb2b659a3b1a4c873826a5fa1728e0f7eed4b996340

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
aacea5b99fcec662d0271baabaab19a7

SHA1
3152bbd841ceac6ad1406c0e3516596b6684af6a

SHA256
0fd03d7bac50d82427f4e31fd7425bf8452638fc7306c4d11ab496d5fc11fb50

SHA512
9d0bba0107347b46a31d464233e9d20d03a2a4177df9a02f3cef06577237a0105daa2bba209f4d855657aeb2b659a3b1a4c873826a5fa1728e0f7eed4b996340

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
aacea5b99fcec662d0271baabaab19a7

SHA1
3152bbd841ceac6ad1406c0e3516596b6684af6a

SHA256
0fd03d7bac50d82427f4e31fd7425bf8452638fc7306c4d11ab496d5fc11fb50

SHA512
9d0bba0107347b46a31d464233e9d20d03a2a4177df9a02f3cef06577237a0105daa2bba209f4d855657aeb2b659a3b1a4c873826a5fa1728e0f7eed4b996340

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
MD5
e0fcc6006b8db87d96c047775ca5c598

SHA1
9429e298482ea5d8f2802353a4b97544e7bc0949

SHA256
7b187ffdf087fa28e04f239ba10f031bcc73518f4126e75ead32145ad83f51fd

SHA512
20651b60b623daddda4d2b5a2f33971121d85a0c0e57357d65c29a00b931003ed72f1a669d3671d2088cb689bc69ac243dcf47ab906d11206c90d549f01a2ee0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
MD5
e0fcc6006b8db87d96c047775ca5c598

SHA1
9429e298482ea5d8f2802353a4b97544e7bc0949

SHA256
7b187ffdf087fa28e04f239ba10f031bcc73518f4126e75ead32145ad83f51fd

SHA512
20651b60b623daddda4d2b5a2f33971121d85a0c0e57357d65c29a00b931003ed72f1a669d3671d2088cb689bc69ac243dcf47ab906d11206c90d549f01a2ee0

Download Submit
\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\042b35ed-a1f3-47ce-b009-93df2557ed50\24c2bc6d-24db-46eb-bd97-9ecb39f23e55.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\246395e7-7146-4000-8eb7-3fdff8c9b58b\31d45d27-e835-4d8e-94c9-2b82cd122fae.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\4b46b298-6c52-4303-85fb-fb66c23759c9\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\b3d8baa7-3751-4316-9112-4cf46e177ccf\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5aVewv8O35f631e04L5cN0375Y195HY5dshCd6a9bDo.exe
MD5
e0fcc6006b8db87d96c047775ca5c598

SHA1
9429e298482ea5d8f2802353a4b97544e7bc0949

SHA256
7b187ffdf087fa28e04f239ba10f031bcc73518f4126e75ead32145ad83f51fd

SHA512
20651b60b623daddda4d2b5a2f33971121d85a0c0e57357d65c29a00b931003ed72f1a669d3671d2088cb689bc69ac243dcf47ab906d11206c90d549f01a2ee0

Download Submit
memory/364-94-0x0000000000000000-mapping.dmp

Download
memory/572-71-0x0000000000000000-mapping.dmp

Download
memory/572-91-0x0000000000000000-mapping.dmp

Download
memory/764-81-0x0000000000000000-mapping.dmp

Download
memory/908-67-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/908-65-0x0000000000000000-mapping.dmp

Download
memory/996-74-0x0000000000000000-mapping.dmp

Download
memory/1160-75-0x0000000000000000-mapping.dmp

Download
memory/1316-98-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/1316-99-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1316-124-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1316-77-0x0000000000000000-mapping.dmp

Download
memory/1580-96-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/1580-87-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1580-83-0x0000000000000000-mapping.dmp

Download
memory/1648-90-0x0000000000000000-mapping.dmp

Download
memory/1652-61-0x0000000000320000-0x000000000037C000-memory.dmp

Filesize
368KB

Download
memory/1652-62-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1652-59-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/1876-80-0x0000000000000000-mapping.dmp

Download
memory/1876-167-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/2220-115-0x0000000000000000-mapping.dmp

Download
memory/2268-121-0x0000000000000000-mapping.dmp

Download
memory/2332-130-0x0000000000000000-mapping.dmp

Download
memory/2348-131-0x0000000000000000-mapping.dmp

Download
memory/2376-132-0x0000000000000000-mapping.dmp

Download
memory/2416-133-0x0000000000000000-mapping.dmp

Download
memory/2456-136-0x0000000000000000-mapping.dmp

Download
memory/2628-151-0x0000000000000000-mapping.dmp

Download
memory/2716-163-0x0000000000000000-mapping.dmp

Download
memory/2852-176-0x0000000000000000-mapping.dmp

Download
memory/2900-181-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads