04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24

Analysis

max time kernel
150s
max time network
119s
platform
windows10_x64
resource
win10v20210408
submitted
18-07-2021 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

app.exe
Size

2.2MB
MD5

a884e0d194f7d29fea32dbde54726df5
SHA1

518270967edd75a8d48327d34152a42410973286
SHA256

04605e558a017e333a2dc6d15253bdd66f119e034bf81ebebdf796d101bdae24
SHA512

528a0e65af5c0ae049e9febb79209efe84440439a96e4c920cc1943d7a35a4aad0b14380cd6f6329c8994b7b183ef75d898e51fbfb7da4e787cc58c7afe9fa6d

Score

9^/10

Malware Config

Signatures

Nirsoft 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

6812 AdvancedRun.exe
6296 AdvancedRun.exe
3880 AdvancedRun.exe
4028 AdvancedRun.exe

pid	process
6812	AdvancedRun.exe
6296	AdvancedRun.exe
3880	AdvancedRun.exe
4028	AdvancedRun.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

app.exeapp.exe

description	pid	process	target process
PID 632 set thread context of 3848	632	app.exe	app.exe
PID 3848 set thread context of 2352	3848	app.exe	notepad.exe
PID 3848 set thread context of 5020	3848	app.exe	notepad.exe
PID 3848 set thread context of 6504	3848	app.exe	notepad.exe
PID 3848 set thread context of 4684	3848	app.exe	notepad.exe
PID 3848 set thread context of 6068	3848	app.exe	notepad.exe
PID 3848 set thread context of 6600	3848	app.exe	notepad.exe
PID 3848 set thread context of 2708	3848	app.exe	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4732	2352	WerFault.exe	notepad.exe
4348	5020	WerFault.exe	notepad.exe
6552	6504	WerFault.exe	notepad.exe
5788	4684	WerFault.exe	notepad.exe
6616	6068	WerFault.exe	notepad.exe
6592	6600	WerFault.exe	notepad.exe
2748	2708	WerFault.exe	notepad.exe

Modifies registry class 1 IoCs

Processes:

app.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings app.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	app.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3832	powershell.exe
2044	powershell.exe
2044	powershell.exe
3832	powershell.exe
640	powershell.exe
2044	powershell.exe
3832	powershell.exe
640	powershell.exe
2004	powershell.exe
640	powershell.exe
2004	powershell.exe
3500	powershell.exe
2004	powershell.exe
3400	powershell.exe
3500	powershell.exe
684	powershell.exe
3400	powershell.exe
3500	powershell.exe
684	powershell.exe
684	powershell.exe
4296	powershell.exe
4296	powershell.exe
3400	powershell.exe
3400	powershell.exe
4480	powershell.exe
4480	powershell.exe
684	powershell.exe
4296	powershell.exe
4676	powershell.exe
4676	powershell.exe
4480	powershell.exe
4884	powershell.exe
4884	powershell.exe
4296	powershell.exe
4296	powershell.exe
5112	powershell.exe
5112	powershell.exe
4480	powershell.exe
4480	powershell.exe
4624	powershell.exe
4624	powershell.exe
4676	powershell.exe
5076	powershell.exe
5076	powershell.exe
4884	powershell.exe
4820	powershell.exe
4820	powershell.exe
5112	powershell.exe
4676	powershell.exe
4676	powershell.exe
4748	powershell.exe
4748	powershell.exe
4624	powershell.exe
5076	powershell.exe
3200	powershell.exe
3200	powershell.exe
4884	powershell.exe
4884	powershell.exe
5112	powershell.exe
5112	powershell.exe
4820	powershell.exe
5344	powershell.exe
5344	powershell.exe
4624	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeIncreaseQuotaPrivilege	3832	powershell.exe
Token: SeSecurityPrivilege	3832	powershell.exe
Token: SeTakeOwnershipPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	3832	powershell.exe
Token: SeSystemProfilePrivilege	3832	powershell.exe
Token: SeSystemtimePrivilege	3832	powershell.exe
Token: SeProfSingleProcessPrivilege	3832	powershell.exe
Token: SeIncBasePriorityPrivilege	3832	powershell.exe
Token: SeCreatePagefilePrivilege	3832	powershell.exe
Token: SeBackupPrivilege	3832	powershell.exe
Token: SeRestorePrivilege	3832	powershell.exe
Token: SeShutdownPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeSystemEnvironmentPrivilege	3832	powershell.exe
Token: SeRemoteShutdownPrivilege	3832	powershell.exe
Token: SeUndockPrivilege	3832	powershell.exe
Token: SeManageVolumePrivilege	3832	powershell.exe
Token: 33	3832	powershell.exe
Token: 34	3832	powershell.exe
Token: 35	3832	powershell.exe
Token: 36	3832	powershell.exe
Token: SeIncreaseQuotaPrivilege	2044	powershell.exe
Token: SeSecurityPrivilege	2044	powershell.exe
Token: SeTakeOwnershipPrivilege	2044	powershell.exe
Token: SeLoadDriverPrivilege	2044	powershell.exe
Token: SeSystemProfilePrivilege	2044	powershell.exe
Token: SeSystemtimePrivilege	2044	powershell.exe
Token: SeProfSingleProcessPrivilege	2044	powershell.exe
Token: SeIncBasePriorityPrivilege	2044	powershell.exe
Token: SeCreatePagefilePrivilege	2044	powershell.exe
Token: SeBackupPrivilege	2044	powershell.exe
Token: SeRestorePrivilege	2044	powershell.exe
Token: SeShutdownPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeSystemEnvironmentPrivilege	2044	powershell.exe
Token: SeRemoteShutdownPrivilege	2044	powershell.exe
Token: SeUndockPrivilege	2044	powershell.exe
Token: SeManageVolumePrivilege	2044	powershell.exe
Token: 33	2044	powershell.exe
Token: 34	2044	powershell.exe
Token: 35	2044	powershell.exe
Token: 36	2044	powershell.exe
Token: SeIncreaseQuotaPrivilege	2044	powershell.exe
Token: SeSecurityPrivilege	2044	powershell.exe
Token: SeTakeOwnershipPrivilege	2044	powershell.exe
Token: SeLoadDriverPrivilege	2044	powershell.exe
Token: SeSystemProfilePrivilege	2044	powershell.exe
Token: SeSystemtimePrivilege	2044	powershell.exe
Token: SeProfSingleProcessPrivilege	2044	powershell.exe
Token: SeIncBasePriorityPrivilege	2044	powershell.exe
Token: SeCreatePagefilePrivilege	2044	powershell.exe
Token: SeBackupPrivilege	2044	powershell.exe
Token: SeRestorePrivilege	2044	powershell.exe
Token: SeShutdownPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeSystemEnvironmentPrivilege	2044	powershell.exe
Token: SeRemoteShutdownPrivilege	2044	powershell.exe
Token: SeUndockPrivilege	2044	powershell.exe
Token: SeManageVolumePrivilege	2044	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

app.exe

description	pid	process	target process
PID 632 wrote to memory of 3832	632	app.exe	powershell.exe
PID 632 wrote to memory of 3832	632	app.exe	powershell.exe
PID 632 wrote to memory of 3832	632	app.exe	powershell.exe
PID 632 wrote to memory of 2044	632	app.exe	powershell.exe
PID 632 wrote to memory of 2044	632	app.exe	powershell.exe
PID 632 wrote to memory of 2044	632	app.exe	powershell.exe
PID 632 wrote to memory of 640	632	app.exe	powershell.exe
PID 632 wrote to memory of 640	632	app.exe	powershell.exe
PID 632 wrote to memory of 640	632	app.exe	powershell.exe
PID 632 wrote to memory of 2004	632	app.exe	powershell.exe
PID 632 wrote to memory of 2004	632	app.exe	powershell.exe
PID 632 wrote to memory of 2004	632	app.exe	powershell.exe
PID 632 wrote to memory of 3500	632	app.exe	powershell.exe
PID 632 wrote to memory of 3500	632	app.exe	powershell.exe
PID 632 wrote to memory of 3500	632	app.exe	powershell.exe
PID 632 wrote to memory of 3400	632	app.exe	powershell.exe
PID 632 wrote to memory of 3400	632	app.exe	powershell.exe
PID 632 wrote to memory of 3400	632	app.exe	powershell.exe
PID 632 wrote to memory of 684	632	app.exe	powershell.exe
PID 632 wrote to memory of 684	632	app.exe	powershell.exe
PID 632 wrote to memory of 684	632	app.exe	powershell.exe
PID 632 wrote to memory of 4296	632	app.exe	powershell.exe
PID 632 wrote to memory of 4296	632	app.exe	powershell.exe
PID 632 wrote to memory of 4296	632	app.exe	powershell.exe
PID 632 wrote to memory of 4480	632	app.exe	powershell.exe
PID 632 wrote to memory of 4480	632	app.exe	powershell.exe
PID 632 wrote to memory of 4480	632	app.exe	powershell.exe
PID 632 wrote to memory of 4676	632	app.exe	powershell.exe
PID 632 wrote to memory of 4676	632	app.exe	powershell.exe
PID 632 wrote to memory of 4676	632	app.exe	powershell.exe
PID 632 wrote to memory of 4884	632	app.exe	powershell.exe
PID 632 wrote to memory of 4884	632	app.exe	powershell.exe
PID 632 wrote to memory of 4884	632	app.exe	powershell.exe
PID 632 wrote to memory of 5112	632	app.exe	powershell.exe
PID 632 wrote to memory of 5112	632	app.exe	powershell.exe
PID 632 wrote to memory of 5112	632	app.exe	powershell.exe
PID 632 wrote to memory of 4624	632	app.exe	powershell.exe
PID 632 wrote to memory of 4624	632	app.exe	powershell.exe
PID 632 wrote to memory of 4624	632	app.exe	powershell.exe
PID 632 wrote to memory of 5076	632	app.exe	powershell.exe
PID 632 wrote to memory of 5076	632	app.exe	powershell.exe
PID 632 wrote to memory of 5076	632	app.exe	powershell.exe
PID 632 wrote to memory of 4820	632	app.exe	powershell.exe
PID 632 wrote to memory of 4820	632	app.exe	powershell.exe
PID 632 wrote to memory of 4820	632	app.exe	powershell.exe
PID 632 wrote to memory of 4748	632	app.exe	powershell.exe
PID 632 wrote to memory of 4748	632	app.exe	powershell.exe
PID 632 wrote to memory of 4748	632	app.exe	powershell.exe
PID 632 wrote to memory of 3200	632	app.exe	powershell.exe
PID 632 wrote to memory of 3200	632	app.exe	powershell.exe
PID 632 wrote to memory of 3200	632	app.exe	powershell.exe
PID 632 wrote to memory of 5344	632	app.exe	powershell.exe
PID 632 wrote to memory of 5344	632	app.exe	powershell.exe
PID 632 wrote to memory of 5344	632	app.exe	powershell.exe
PID 632 wrote to memory of 5564	632	app.exe	powershell.exe
PID 632 wrote to memory of 5564	632	app.exe	powershell.exe
PID 632 wrote to memory of 5564	632	app.exe	powershell.exe
PID 632 wrote to memory of 5860	632	app.exe	powershell.exe
PID 632 wrote to memory of 5860	632	app.exe	powershell.exe
PID 632 wrote to memory of 5860	632	app.exe	powershell.exe
PID 632 wrote to memory of 6076	632	app.exe	powershell.exe
PID 632 wrote to memory of 6076	632	app.exe	powershell.exe
PID 632 wrote to memory of 6076	632	app.exe	powershell.exe
PID 632 wrote to memory of 4556	632	app.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:5564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:5860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:6076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:4556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:5780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:1908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
2⤵
PID:5476

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
PID:6812

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 6812
3⤵
- Executes dropped EXE
PID:6296

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
PID:3880

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3880
3⤵
- Executes dropped EXE
PID:4028

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Pihyqojmbbrsadmr.vbs"
2⤵
PID:6548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WindowsUpdater\Updater.exe'
3⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\app.exe
C:\Users\Admin\AppData\Local\Temp\app.exe
2⤵
PID:6584

C:\Users\Admin\AppData\Local\Temp\app.exe
C:\Users\Admin\AppData\Local\Temp\app.exe
2⤵
- Suspicious use of SetThreadContext
PID:3848

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\yByPyLjSwU\cfgi"
3⤵
PID:2352

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2352 -s 180
4⤵
- Program crash
PID:4732

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\yByPyLjSwU\cfgi"
3⤵
PID:5020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5020 -s 180
4⤵
- Program crash
PID:4348

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\yByPyLjSwU\cfgi"
3⤵
PID:6504

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6504 -s 188
4⤵
- Program crash
PID:6552

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\yByPyLjSwU\r.vbs"
3⤵
PID:5188

C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\yByPyLjSwU\r.vbs"
4⤵
PID:856

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\yByPyLjSwU\cfgi"
3⤵
PID:4684

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4684 -s 180
4⤵
- Program crash
PID:5788

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\yByPyLjSwU\cfgi"
3⤵
PID:6068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6068 -s 180
4⤵
- Program crash
PID:6616

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\yByPyLjSwU\cfgi"
3⤵
PID:6600

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6600 -s 180
4⤵
- Program crash
PID:6592

C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\yByPyLjSwU\cfgi"
3⤵
PID:2708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2708 -s 180
4⤵
- Program crash
PID:2748

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\yByPyLjSwU\r.vbs
MD5
45b0a5659a6650b49f539527e25473cc

SHA1
13326b80f155144495a80bbb675eeb32bd4666a1

SHA256
df60a8725fe15f9848f3eba301b3768899bb8f6528d888d5885b73409bacc722

SHA512
f597d051eea48df481f6d44d190d0c70578d23f8b755d3de214513b8f19eec714b92c6f83534e8e37691a5be0ebd7e943ace55ef98a17cff39f2360f1c3532e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
a4022a7d2b113226b000be0705680813

SHA1
599e22d03201704127a045ca53ffb78f9ea3b6c3

SHA256
2557a14e476d55330043af2858dbf1377e24dba3fa9aedc369d5feefefb7f9a7

SHA512
40ef88632a4ad38a7d21c640a7f0c8cd7c76b8451f55dd758c15baa5a90f4f0938de409426570c4405362fd2d90fadd96d23d190e09692b5fbe2c87ebc8d3c60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
46a066401a9cea5c417b5ceece6a8cb6

SHA1
b36bdeda54cccbd26d186b1f8aa558224e5d1502

SHA256
ddd5ce63776e20d28634be8641678fdf608bbf68a3d5b65b2509b9faf0f97a27

SHA512
3c93bd393a900dc7104ebd7292a6f4b946aab38fae52d5a581e39ef85b89adec1799b7f78e542c3f5160573580ec4ad3b712a640ac3cb351de10a6333ac939ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fc34d139e44d4d7c41ca34e5b1e42e19

SHA1
09d54e1c5f080aa8c70939ead7b9434c84692f64

SHA256
e11ad9dcdd8152fd7ee9cc7fb575ef4b140f31163accb1e68a96912e985ce2c1

SHA512
9c98bf196f8f2ac3cac10d9fc913d473276349dee1e849c335bd6a12b9463c4e84e2a112a51decfca1295b4be8a2e73ec1f2da330fec60edd88f061189b1af50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
9d90f805f75c72216467c43c31866e68

SHA1
831d3e0d890973c9e08e8a198617d3221b5a1efa

SHA256
b330afa5fd213a3467555c9b60b36bfebce6d49bd1fa3eddaefc6016efe9ecb6

SHA512
50565deb8f1e510241fcd6808034f13d1d91c57a11d8d9ce8e772d319913058d985ff5994235c5cba4cd66e764d0e5dad8f3eb822cfc063ec70e8acd6ea4480f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b3f77434f075b255b95f9b8067f14a1e

SHA1
1dd57a5c282e69453bbe7583a72b9ce25b0ded62

SHA256
aab440bd2c9c0f057874dfafc8f8ab174e8a9ff090ff5e8df0d9d4252c5c590d

SHA512
3d7afd34d79c982acb38e7353f56cca0c6e8a1a152bc04904307644baf8168bf37cb3ca966df489343aa4e84d9829ab1686b4a00d658ec9a977e0cd1c49868c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b3f77434f075b255b95f9b8067f14a1e

SHA1
1dd57a5c282e69453bbe7583a72b9ce25b0ded62

SHA256
aab440bd2c9c0f057874dfafc8f8ab174e8a9ff090ff5e8df0d9d4252c5c590d

SHA512
3d7afd34d79c982acb38e7353f56cca0c6e8a1a152bc04904307644baf8168bf37cb3ca966df489343aa4e84d9829ab1686b4a00d658ec9a977e0cd1c49868c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d8fdffbde531d18f7757c630e4e8197d

SHA1
482ce17caa501cc215f01f111ecf03fc25f0d92c

SHA256
a80edb13cee0efa04cd06391a52faf317e1c5e50f4389e32cc308aa70f416734

SHA512
ede70c9169bae3b11e8c31f8babeb58ddc7a9e27ac0df449778f38b9047d217317c6fbcef338fc82d618f1aaf3216d6c3cfaa3cc4d981297187d85de221be763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3d8b0f40cc09b2ac9dc8603578e28cc5

SHA1
aef4e2abcb34365e5dd4c515595c3966b1f46a6e

SHA256
fbae496d857b40b7aa53c721d04bb827764fe73c2849e481aca90a2e8a33ca12

SHA512
5e07326bbf8d738ab2833b1148af3e3040b51a9425f4f85c664443f5b71a4c7545173b80eef6904b3099154e6dff7a44b71f1ddae14cf1ac79a620b7464bee1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1f93c43be2c6eef2595b0035b7138126

SHA1
8af067645f11c6194b1b6b216fe966d3524e67c0

SHA256
aa7e43e029d659df6682cf424b90644e783ea0e8834dbb13affeeb14daaded90

SHA512
24d8a4d17e00ba94610c01d6d848b6541eaea422f8cd2263752cff9d981d7d3ac23f339e84a51e66974fbec13bf0aeee7f29e7ebbb01b86bd93d4159cd4d969b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
de0714c51817ef5cd36725644c15836b

SHA1
bf9d8674f68f55243f690c715cd16f510073d499

SHA256
a3165e76ede7da38a055e65d6ea68113c9515c64fa08d041924f3af2b5f3d7c4

SHA512
5baf5e234ff41af39d8b27a76e1c2a8712376fd03ac3d16c5412fa0be9abe2cc1cca32b8206eed15c3fae1a67d049eb09dc194710671be6306f461a13a758e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c90ada722deef0252cb41bfda152f533

SHA1
f57e380fa34542e8a9717462b42605819e36556f

SHA256
8a1be6194e90b4c2de426d528d21bd542f7c1d2b413cb3615ee85483cd42705b

SHA512
25fc10d586153e207b453957258a57ab4b61b6b916f752e1ebb28bb6c9eb5e7eb84c649b766cb51d39805424641b1916699ad76e5568399e51561ab8c6321de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1bdd761ea8d84d280d3923802127294f

SHA1
5d652adc7402b8b9ca804dd4b15d352fadd4e840

SHA256
611f5d716ab1568c24ba1c8380bee154a513284c46f0e5a5c548fc6627ce5478

SHA512
2f56ffe6f1487d4b272b46ede0fe35f2da2e96ecd4e6ce8dde4f43d1389b33aefa9492cbb4762b37378ee3e216dbbcd73776270f07ea3e1029eccaad5f917d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b1c9670be9c9eea34300eedb2b45b4c5

SHA1
4ddad8476123852d6fbb33902cab87fda2a36dc1

SHA256
64ddc1d373a6a9fdb9397443139f16526e4abfabf1d8148ff4bca655d389eabe

SHA512
fb514f6dc26b66e6dbb5d530a00c0e108617b98b0f26eb14bde0dcdf3624be168e7cb0e2a70a467c57162d10ef07e53c59d930c0fb364ffe083790e109aba506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f656d2ace4144dd37fecdc818dd6fc75

SHA1
e41bbe0ffcc90019b79229c43178ef320653c2ab

SHA256
f73a8466f846883a4be725e460f73b60c33d4441b3b2ff134e31e672c9cce5a0

SHA512
e83e27372b2626c7fcc9be7ff4faf187f2ee90a3ad7c17f7b2badbd8cc1cabe295690660adc7a0176ab7b56740b48a4e12a1d6368745a63ecbeae7a0be80cf65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4746cc38a6210861ee3c93ef8f2a169c

SHA1
84267f0aaae33b583adf63b7ccf942017ff3dbee

SHA256
6e966f6a30c173c452b8462073632392a5976188f342551da9c2eb2dcac47053

SHA512
f6b2af867e9d3636bf9cdee3373439ee7d75192f33dc4535eb5cc923549012916e958fdedc4397fff8ce2accdd475f8f6ddd3525e565e8d9328a8ba37deffa4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
230eff049d2b5844618a38d0f299834c

SHA1
dd51b08aedc1c2290e4fffe68f1d6fd05f194556

SHA256
94bff8214dd7d4c411a78863d6fa70fde230b0711c99f7a6a0253c06cfb01a22

SHA512
ccc353f4b575781ca43557a5a39729a300b46062c119677584e31181345c6ec35e06b0ee3783bcce1f93059fdbad401d831854da011b684e2462369e88918cc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5dd856f7c121e119d85b88d46d85e052

SHA1
14e7489c15a86e1d9b2c7566dddde5f4f8afe06f

SHA256
374961de07c24fc88171acb4a250729c0855b92eaee9e4bf1f58bce8c31685e1

SHA512
d6d5fd61dcd05f0c2cd7cdce06cd7a5ae1ebbe722ebfe7de1b6e135a818dec028848961e9c76e7afbfcdda8bedbdcb9e06f7d4d17bfe2ab4712046a8b6e410cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
88a9f79e86ceaccfed8e3f9c6c4f7ab2

SHA1
45243ae815dac14f2c521496061b86502f32f1d8

SHA256
a354395d67d9665cd40f5c7931273e251a5974c8375b7e39c7c65b3fd339ec70

SHA512
5d477c8d8ab7aeb5ce5bf67e161d65da2c8e91a93344c20318f051cdeceebcd60a4360aa4892ea5f45cef28ce86b2d2b318c271daa5939f819d51d4b2f10d98f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d6274bced47f3ab147030dbad56e840d

SHA1
e62153f63818b22b731dc4e06817fb0216b7493a

SHA256
814c3813deb3c318d189163ed2e1c74f40b5e43333d789a7ad0b7ee1e3a01fb8

SHA512
fb46859e435826dd23c4ebd529b3320ff2c70bf26d48450e68b88233d010159cc2c293c54496d4e973e8d545d734a52088b18b2f0d1396983dee1dc9566901e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d6274bced47f3ab147030dbad56e840d

SHA1
e62153f63818b22b731dc4e06817fb0216b7493a

SHA256
814c3813deb3c318d189163ed2e1c74f40b5e43333d789a7ad0b7ee1e3a01fb8

SHA512
fb46859e435826dd23c4ebd529b3320ff2c70bf26d48450e68b88233d010159cc2c293c54496d4e973e8d545d734a52088b18b2f0d1396983dee1dc9566901e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f16ae7d71c48a7f0212ca6037add35ff

SHA1
6d9b4e424968d88d533261f93850a466bdb67816

SHA256
17763221165731315d597e06d882758b57f7396891876dc0e0dc520e77725d65

SHA512
84f08cb17739d2c7495f40fb96fb145ab2deda9e91f66e7ab3e160aceeaca19ec170952941c2bf835604674317127e89212b0ba62c53b3cfb981503224f3f474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a41d3084aee7f1ab7df0ac30c56c6d20

SHA1
678bdcec54006aa2022fa1767bf2a5cec5ebc141

SHA256
2d25a1b268027a35d8c1353f861f58f9f68d0f9dbd56b2e2115d244cd3fb8fbc

SHA512
0f08a7c439693249155157182bff8edd4da5e846133eb78d4083091b92b8f59f864ef517beb2937756d6749b8c6aea1dc0948d78d9725be0f9663ca1e9ee0724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2c73c7412c53f583a4d6f5f4793ba58f

SHA1
7dba51fb86993cccee533745d461e95488e36aa6

SHA256
d923675a82d35aeafc1d41f4d4c0e72b28624d6ab80c3a06408e8835d3a6b0ff

SHA512
d7bd75fc8a5873e9e606e04c597b969c3afdff2e0e9121637cd07d29fe2ddf8b85921c66ce13e83f2daff8101da8c64719b05824b86ac816716499d166ebb4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2c73c7412c53f583a4d6f5f4793ba58f

SHA1
7dba51fb86993cccee533745d461e95488e36aa6

SHA256
d923675a82d35aeafc1d41f4d4c0e72b28624d6ab80c3a06408e8835d3a6b0ff

SHA512
d7bd75fc8a5873e9e606e04c597b969c3afdff2e0e9121637cd07d29fe2ddf8b85921c66ce13e83f2daff8101da8c64719b05824b86ac816716499d166ebb4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2c73c7412c53f583a4d6f5f4793ba58f

SHA1
7dba51fb86993cccee533745d461e95488e36aa6

SHA256
d923675a82d35aeafc1d41f4d4c0e72b28624d6ab80c3a06408e8835d3a6b0ff

SHA512
d7bd75fc8a5873e9e606e04c597b969c3afdff2e0e9121637cd07d29fe2ddf8b85921c66ce13e83f2daff8101da8c64719b05824b86ac816716499d166ebb4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8de07af962777e523b988899ed34cd79

SHA1
b0eace32ab4f3f8e2106eb985b39618d25a53d50

SHA256
4b5feef5a8c3eabf9d50f1a69a28dbb27fec4c60e49d2e4161f2920bd1cfa751

SHA512
2efe5d1be71ca621e6362e25b1717f6b896b1b3116d777ab6e400f1cda57a8a2e79e6791cc82c630edcf4b62db34d598d281949c2fbfec4863ce19c2f9cef11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Pihyqojmbbrsadmr.vbs
MD5
03ed9ac6b72518db135bb1b63df9b5ff

SHA1
49faecea2cff562c5b37d8dcf71fda28aefd6567

SHA256
5b893dd9e82a0ea9b9ee0bb06a5d56f47fef3797b63e07f16958ba73b6b65ba4

SHA512
a3f62ee69d7f941cdf7140587a9ca0289081756e4d6857b4f52036cdbff9cc8bc2f32b1d291164a8d5ec7fc8f06c5aa45313f861f48162cb480dbfc6ebbf01a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WindowsUpdater\LpxruZnWAL.url
MD5
d19934ed884a701b7b9bfe172574161b

SHA1
c94107a8f2dce55bc73b0c9e8584bc668ef62876

SHA256
cdd85781620bf07444e87416409c1983e0aa7d627b03cfb853336623bdefd5b3

SHA512
389e796e88aa6ac31c9acd0b86c5d3d934e81b72d0e41c4ab9e8928ddde57fcf9ef87014afa106b9f1f74b286607837a01ae6ff516bca10a66a0230f2cb4df5a

Download Submit
memory/632-117-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/632-116-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/632-114-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/632-120-0x0000000005350000-0x000000000584E000-memory.dmp

Filesize
5.0MB

Download
memory/632-118-0x0000000005350000-0x000000000584E000-memory.dmp

Filesize
5.0MB

Download
memory/632-119-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/640-304-0x0000000006803000-0x0000000006804000-memory.dmp

Filesize
4KB

Download
memory/640-161-0x0000000006802000-0x0000000006803000-memory.dmp

Filesize
4KB

Download
memory/640-146-0x0000000000000000-mapping.dmp

Download
memory/640-160-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/684-217-0x0000000000000000-mapping.dmp

Download
memory/684-223-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/684-545-0x00000000067A3000-0x00000000067A4000-memory.dmp

Filesize
4KB

Download
memory/684-239-0x00000000067A2000-0x00000000067A3000-memory.dmp

Filesize
4KB

Download
memory/856-2699-0x0000000000000000-mapping.dmp

Download
memory/1908-713-0x0000000000000000-mapping.dmp

Download
memory/1908-766-0x0000000006A90000-0x0000000006A91000-memory.dmp

Filesize
4KB

Download
memory/1908-798-0x0000000006A92000-0x0000000006A93000-memory.dmp

Filesize
4KB

Download
memory/2004-177-0x0000000006980000-0x0000000006981000-memory.dmp

Filesize
4KB

Download
memory/2004-178-0x0000000006982000-0x0000000006983000-memory.dmp

Filesize
4KB

Download
memory/2004-159-0x0000000000000000-mapping.dmp

Download
memory/2004-337-0x0000000006983000-0x0000000006984000-memory.dmp

Filesize
4KB

Download
memory/2044-147-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/2044-302-0x00000000070F3000-0x00000000070F4000-memory.dmp

Filesize
4KB

Download
memory/2044-143-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/2044-129-0x0000000000000000-mapping.dmp

Download
memory/2044-191-0x0000000009410000-0x0000000009411000-memory.dmp

Filesize
4KB

Download
memory/2044-141-0x0000000007F70000-0x0000000007F71000-memory.dmp

Filesize
4KB

Download
memory/2044-188-0x00000000094F0000-0x00000000094F1000-memory.dmp

Filesize
4KB

Download
memory/2352-2369-0x0000000000A14AA0-mapping.dmp

Download
memory/2708-2719-0x0000000000A14AA0-mapping.dmp

Download
memory/3200-538-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/3200-491-0x0000000000000000-mapping.dmp

Download
memory/3200-541-0x0000000000DA2000-0x0000000000DA3000-memory.dmp

Filesize
4KB

Download
memory/3400-488-0x00000000067A3000-0x00000000067A4000-memory.dmp

Filesize
4KB

Download
memory/3400-219-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/3400-197-0x0000000000000000-mapping.dmp

Download
memory/3400-221-0x00000000067A2000-0x00000000067A3000-memory.dmp

Filesize
4KB

Download
memory/3500-199-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/3500-201-0x0000000007662000-0x0000000007663000-memory.dmp

Filesize
4KB

Download
memory/3500-176-0x0000000000000000-mapping.dmp

Download
memory/3500-417-0x0000000007663000-0x0000000007664000-memory.dmp

Filesize
4KB

Download
memory/3832-127-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/3832-128-0x00000000068E0000-0x00000000068E1000-memory.dmp

Filesize
4KB

Download
memory/3832-130-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/3832-193-0x0000000008940000-0x0000000008941000-memory.dmp

Filesize
4KB

Download
memory/3832-126-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3832-125-0x0000000006F20000-0x0000000006F21000-memory.dmp

Filesize
4KB

Download
memory/3832-124-0x0000000006800000-0x0000000006801000-memory.dmp

Filesize
4KB

Download
memory/3832-144-0x0000000007990000-0x0000000007991000-memory.dmp

Filesize
4KB

Download
memory/3832-292-0x00000000068E3000-0x00000000068E4000-memory.dmp

Filesize
4KB

Download
memory/3832-121-0x0000000000000000-mapping.dmp

Download
memory/3832-142-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/3832-131-0x00000000068E2000-0x00000000068E3000-memory.dmp

Filesize
4KB

Download
memory/3832-136-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/3832-150-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/3848-2339-0x0000000000404470-mapping.dmp

Download
memory/3880-2234-0x0000000000000000-mapping.dmp

Download
memory/4028-2279-0x0000000000000000-mapping.dmp

Download
memory/4296-255-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/4296-257-0x0000000004BA2000-0x0000000004BA3000-memory.dmp

Filesize
4KB

Download
memory/4296-234-0x0000000000000000-mapping.dmp

Download
memory/4296-632-0x0000000004BA3000-0x0000000004BA4000-memory.dmp

Filesize
4KB

Download
memory/4480-701-0x0000000004E53000-0x0000000004E54000-memory.dmp

Filesize
4KB

Download
memory/4480-252-0x0000000000000000-mapping.dmp

Download
memory/4480-270-0x0000000004E52000-0x0000000004E53000-memory.dmp

Filesize
4KB

Download
memory/4480-269-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4556-645-0x0000000000000000-mapping.dmp

Download
memory/4556-705-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4556-708-0x0000000000E52000-0x0000000000E53000-memory.dmp

Filesize
4KB

Download
memory/4624-352-0x0000000000000000-mapping.dmp

Download
memory/4624-450-0x0000000004DC2000-0x0000000004DC3000-memory.dmp

Filesize
4KB

Download
memory/4624-445-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/4676-769-0x0000000004353000-0x0000000004354000-memory.dmp

Filesize
4KB

Download
memory/4676-268-0x0000000000000000-mapping.dmp

Download
memory/4676-298-0x0000000004352000-0x0000000004353000-memory.dmp

Filesize
4KB

Download
memory/4676-306-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/4684-2704-0x0000000000A14AA0-mapping.dmp

Download
memory/4748-460-0x0000000000000000-mapping.dmp

Download
memory/4748-517-0x00000000074E2000-0x00000000074E3000-memory.dmp

Filesize
4KB

Download
memory/4748-514-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/4820-428-0x0000000000000000-mapping.dmp

Download
memory/4820-483-0x0000000006D52000-0x0000000006D53000-memory.dmp

Filesize
4KB

Download
memory/4820-479-0x0000000006D50000-0x0000000006D51000-memory.dmp

Filesize
4KB

Download
memory/4884-332-0x00000000035D2000-0x00000000035D3000-memory.dmp

Filesize
4KB

Download
memory/4884-329-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/4884-934-0x00000000035D3000-0x00000000035D4000-memory.dmp

Filesize
4KB

Download
memory/4884-290-0x0000000000000000-mapping.dmp

Download
memory/5020-2684-0x0000000000A14AA0-mapping.dmp

Download
memory/5076-453-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/5076-449-0x0000000003332000-0x0000000003333000-memory.dmp

Filesize
4KB

Download
memory/5076-392-0x0000000000000000-mapping.dmp

Download
memory/5112-976-0x0000000006E43000-0x0000000006E44000-memory.dmp

Filesize
4KB

Download
memory/5112-321-0x0000000000000000-mapping.dmp

Download
memory/5112-374-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/5112-413-0x0000000006E42000-0x0000000006E43000-memory.dmp

Filesize
4KB

Download
memory/5188-2698-0x0000000000000000-mapping.dmp

Download
memory/5344-577-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/5344-519-0x0000000000000000-mapping.dmp

Download
memory/5344-580-0x0000000000BC2000-0x0000000000BC3000-memory.dmp

Filesize
4KB

Download
memory/5476-805-0x0000000006BB2000-0x0000000006BB3000-memory.dmp

Filesize
4KB

Download
memory/5476-740-0x0000000000000000-mapping.dmp

Download
memory/5476-809-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

Filesize
4KB

Download
memory/5564-604-0x0000000006762000-0x0000000006763000-memory.dmp

Filesize
4KB

Download
memory/5564-601-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/5564-547-0x0000000000000000-mapping.dmp

Download
memory/5780-737-0x0000000007562000-0x0000000007563000-memory.dmp

Filesize
4KB

Download
memory/5780-735-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/5780-677-0x0000000000000000-mapping.dmp

Download
memory/5860-639-0x0000000006972000-0x0000000006973000-memory.dmp

Filesize
4KB

Download
memory/5860-583-0x0000000000000000-mapping.dmp

Download
memory/5860-635-0x0000000006970000-0x0000000006971000-memory.dmp

Filesize
4KB

Download
memory/6068-2709-0x0000000000A14AA0-mapping.dmp

Download
memory/6076-671-0x0000000000DE2000-0x0000000000DE3000-memory.dmp

Filesize
4KB

Download
memory/6076-669-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/6076-608-0x0000000000000000-mapping.dmp

Download
memory/6296-2223-0x0000000000000000-mapping.dmp

Download
memory/6504-2695-0x0000000000A14AA0-mapping.dmp

Download
memory/6548-2304-0x0000000000000000-mapping.dmp

Download
memory/6600-2714-0x0000000000A14AA0-mapping.dmp

Download
memory/6720-2362-0x0000000000000000-mapping.dmp

Download
memory/6812-2153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads