51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

Analysis

max time kernel
26s
max time network
176s
platform
windows7_x64
resource
win7v20210408
submitted
15-09-2021 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa8ce83b306dd68d1d7660919c9dd523.exe
Size

1.4MB
MD5

fa8ce83b306dd68d1d7660919c9dd523
SHA1

1a0c86251a0044d65915640a0042c492e19275a2
SHA256

51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d
SHA512

efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 14 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

pid process

1516 AdvancedRun.exe
628 AdvancedRun.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

pid	process
1516	AdvancedRun.exe
628	AdvancedRun.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fa8ce83b306dd68d1d7660919c9dd523.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fa8ce83b306dd68d1d7660919c9dd523.exe

Drops startup file 2 IoCs

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe	fa8ce83b306dd68d1d7660919c9dd523.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe	fa8ce83b306dd68d1d7660919c9dd523.exe

Loads dropped DLL 4 IoCs

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exeAdvancedRun.exe

pid process

1936 fa8ce83b306dd68d1d7660919c9dd523.exe
1936 fa8ce83b306dd68d1d7660919c9dd523.exe
1516 AdvancedRun.exe
1516 AdvancedRun.exe

pid	process
1936	fa8ce83b306dd68d1d7660919c9dd523.exe
1936	fa8ce83b306dd68d1d7660919c9dd523.exe
1516	AdvancedRun.exe
1516	AdvancedRun.exe

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	fa8ce83b306dd68d1d7660919c9dd523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	fa8ce83b306dd68d1d7660919c9dd523.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	fa8ce83b306dd68d1d7660919c9dd523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	fa8ce83b306dd68d1d7660919c9dd523.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fa8ce83b306dd68d1d7660919c9dd523.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	fa8ce83b306dd68d1d7660919c9dd523.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

832 1936 WerFault.exe fa8ce83b306dd68d1d7660919c9dd523.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

pid process

1516 AdvancedRun.exe
1516 AdvancedRun.exe
628 AdvancedRun.exe
628 AdvancedRun.exe

pid	pid_target	process	target process
832	1936	WerFault.exe	fa8ce83b306dd68d1d7660919c9dd523.exe

pid	process
1516	AdvancedRun.exe
1516	AdvancedRun.exe
628	AdvancedRun.exe
628	AdvancedRun.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

description	pid	process
Token: SeDebugPrivilege	1516	AdvancedRun.exe
Token: SeImpersonatePrivilege	1516	AdvancedRun.exe
Token: SeDebugPrivilege	628	AdvancedRun.exe
Token: SeImpersonatePrivilege	628	AdvancedRun.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

fa8ce83b306dd68d1d7660919c9dd523.exeAdvancedRun.exe

description	pid	process	target process
PID 1936 wrote to memory of 1516	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	AdvancedRun.exe
PID 1936 wrote to memory of 1516	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	AdvancedRun.exe
PID 1936 wrote to memory of 1516	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	AdvancedRun.exe
PID 1936 wrote to memory of 1516	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	AdvancedRun.exe
PID 1516 wrote to memory of 628	1516	AdvancedRun.exe	AdvancedRun.exe
PID 1516 wrote to memory of 628	1516	AdvancedRun.exe	AdvancedRun.exe
PID 1516 wrote to memory of 628	1516	AdvancedRun.exe	AdvancedRun.exe
PID 1516 wrote to memory of 628	1516	AdvancedRun.exe	AdvancedRun.exe
PID 1936 wrote to memory of 1652	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 1652	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 1652	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 1652	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 1520	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 1520	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 1520	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 1520	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 1880	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 1880	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 1880	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 1880	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 296	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 296	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 296	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe
PID 1936 wrote to memory of 296	1936	fa8ce83b306dd68d1d7660919c9dd523.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe
"C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe" /SpecialRun 4101d8 1516
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
PID:1652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
2⤵
PID:1880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
2⤵
PID:296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
PID:792

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
2⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe" /SpecialRun 4101d8 2136
4⤵
PID:2184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
PID:2224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
PID:2252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
3⤵
PID:2296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
PID:2320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
3⤵
PID:2356

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
3⤵
PID:2408

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
3⤵
PID:2828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
2⤵
PID:968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe" -Force
2⤵
PID:820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
2⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe
"C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe"
2⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe
"C:\Users\Admin\AppData\Local\Temp\fa8ce83b306dd68d1d7660919c9dd523.exe"
2⤵
PID:1004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 864
2⤵
- Program crash
PID:832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
8958dfb71ff8bc2b739e4729ce772baf

SHA1
03930e0cca109b90315cef8782488169f553118e

SHA256
93b14268161f12712eb419b2408f90709b0ff35bfd9d0c8bbacb4451f2cccf8a

SHA512
523d06e4dadceb767c005f9cde840d67018757af5b7472bf13890933c1be0839952ec093d7b45d517f67b01bb92669ba3c4fe1f0ea107c665d3147c90071d012

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
49cc674c7ddf55cd881001f2986f8801

SHA1
137f4e144958143824e7df2eaa7b915192e4cc8e

SHA256
2557df6a11a3f5051b798be972e6620668055ea256c74ae5720036826b677670

SHA512
0f7a53e1b73bebdb83fd8207f7f7261627e0f7fb356ee780dc45d3a5066110915f128a241a7156af75e10de5befb5d390bf2ed00df2e8f138137d5350e49ab18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
49cc674c7ddf55cd881001f2986f8801

SHA1
137f4e144958143824e7df2eaa7b915192e4cc8e

SHA256
2557df6a11a3f5051b798be972e6620668055ea256c74ae5720036826b677670

SHA512
0f7a53e1b73bebdb83fd8207f7f7261627e0f7fb356ee780dc45d3a5066110915f128a241a7156af75e10de5befb5d390bf2ed00df2e8f138137d5350e49ab18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
49cc674c7ddf55cd881001f2986f8801

SHA1
137f4e144958143824e7df2eaa7b915192e4cc8e

SHA256
2557df6a11a3f5051b798be972e6620668055ea256c74ae5720036826b677670

SHA512
0f7a53e1b73bebdb83fd8207f7f7261627e0f7fb356ee780dc45d3a5066110915f128a241a7156af75e10de5befb5d390bf2ed00df2e8f138137d5350e49ab18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
49cc674c7ddf55cd881001f2986f8801

SHA1
137f4e144958143824e7df2eaa7b915192e4cc8e

SHA256
2557df6a11a3f5051b798be972e6620668055ea256c74ae5720036826b677670

SHA512
0f7a53e1b73bebdb83fd8207f7f7261627e0f7fb356ee780dc45d3a5066110915f128a241a7156af75e10de5befb5d390bf2ed00df2e8f138137d5350e49ab18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
49cc674c7ddf55cd881001f2986f8801

SHA1
137f4e144958143824e7df2eaa7b915192e4cc8e

SHA256
2557df6a11a3f5051b798be972e6620668055ea256c74ae5720036826b677670

SHA512
0f7a53e1b73bebdb83fd8207f7f7261627e0f7fb356ee780dc45d3a5066110915f128a241a7156af75e10de5befb5d390bf2ed00df2e8f138137d5350e49ab18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
49cc674c7ddf55cd881001f2986f8801

SHA1
137f4e144958143824e7df2eaa7b915192e4cc8e

SHA256
2557df6a11a3f5051b798be972e6620668055ea256c74ae5720036826b677670

SHA512
0f7a53e1b73bebdb83fd8207f7f7261627e0f7fb356ee780dc45d3a5066110915f128a241a7156af75e10de5befb5d390bf2ed00df2e8f138137d5350e49ab18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
49cc674c7ddf55cd881001f2986f8801

SHA1
137f4e144958143824e7df2eaa7b915192e4cc8e

SHA256
2557df6a11a3f5051b798be972e6620668055ea256c74ae5720036826b677670

SHA512
0f7a53e1b73bebdb83fd8207f7f7261627e0f7fb356ee780dc45d3a5066110915f128a241a7156af75e10de5befb5d390bf2ed00df2e8f138137d5350e49ab18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
49cc674c7ddf55cd881001f2986f8801

SHA1
137f4e144958143824e7df2eaa7b915192e4cc8e

SHA256
2557df6a11a3f5051b798be972e6620668055ea256c74ae5720036826b677670

SHA512
0f7a53e1b73bebdb83fd8207f7f7261627e0f7fb356ee780dc45d3a5066110915f128a241a7156af75e10de5befb5d390bf2ed00df2e8f138137d5350e49ab18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
49cc674c7ddf55cd881001f2986f8801

SHA1
137f4e144958143824e7df2eaa7b915192e4cc8e

SHA256
2557df6a11a3f5051b798be972e6620668055ea256c74ae5720036826b677670

SHA512
0f7a53e1b73bebdb83fd8207f7f7261627e0f7fb356ee780dc45d3a5066110915f128a241a7156af75e10de5befb5d390bf2ed00df2e8f138137d5350e49ab18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa92aa028269d3d56a2e261a9c3c7936

SHA1
c29f8a4661145bd8ad06a99a1b7cca9a40ae6bc5

SHA256
b250855dd56658d8c73d365f0c6743d683836231f08f827dfd6b8742c3b9910e

SHA512
25187d6413b62f01167148c6e4e71d4d2d20a281eb1642a0523beda0a8c5b5482af01cf307f4a288d7017ad0b0fe6df3764cc4975c361eed62178b66e2ed17e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\5f4a5254-c990-49e7-a8a7-7c49614f4bba\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\98c3c570-215a-4d46-8183-a91bc73a54ec\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
fa8ce83b306dd68d1d7660919c9dd523

SHA1
1a0c86251a0044d65915640a0042c492e19275a2

SHA256
51f5b830fb0da1abe98f445889d9cf12a5d2c175c8f8b5d30df220b11113756d

SHA512
efa77b674afcca7ea1a14574ac855252848c91252bd189f6b5de8b7c30a00790f66cc986af4f90722e0f8cb4f66099b8419c794b6fbfc43f78241770d86e64fb

Download Submit
memory/296-79-0x0000000000000000-mapping.dmp

Download
memory/628-71-0x0000000000000000-mapping.dmp

Download
memory/792-81-0x0000000000000000-mapping.dmp

Download
memory/820-94-0x0000000000000000-mapping.dmp

Download
memory/832-120-0x0000000000000000-mapping.dmp

Download
memory/928-99-0x0000000000000000-mapping.dmp

Download
memory/968-88-0x0000000000000000-mapping.dmp

Download
memory/968-122-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1004-113-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1004-114-0x00000000004080EF-mapping.dmp

Download
memory/1408-105-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/1408-85-0x0000000000000000-mapping.dmp

Download
memory/1408-89-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1516-65-0x0000000000000000-mapping.dmp

Download
memory/1516-67-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1520-117-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1520-75-0x0000000000000000-mapping.dmp

Download
memory/1652-74-0x0000000000000000-mapping.dmp

Download
memory/1880-104-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1880-78-0x0000000000000000-mapping.dmp

Download
memory/1880-93-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1880-91-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1880-108-0x0000000001082000-0x0000000001083000-memory.dmp

Filesize
4KB

Download
memory/1880-175-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/1936-61-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1936-62-0x00000000009E0000-0x0000000000A36000-memory.dmp

Filesize
344KB

Download
memory/1936-116-0x0000000000AE0000-0x0000000000AE3000-memory.dmp

Filesize
12KB

Download
memory/1936-60-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/2136-127-0x0000000000000000-mapping.dmp

Download
memory/2184-133-0x0000000000000000-mapping.dmp

Download
memory/2224-136-0x0000000000000000-mapping.dmp

Download
memory/2252-137-0x0000000000000000-mapping.dmp

Download
memory/2296-139-0x0000000000000000-mapping.dmp

Download
memory/2320-140-0x0000000000000000-mapping.dmp

Download
memory/2356-142-0x0000000000000000-mapping.dmp

Download
memory/2408-148-0x00000000004080EF-mapping.dmp

Download
memory/2828-200-0x00000000004080EF-mapping.dmp

Download