f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-en
submitted
15-09-2021 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9bb5824bdcb260753367e68abfa8fb5.exe
Size

1.4MB
MD5

e9bb5824bdcb260753367e68abfa8fb5
SHA1

956c467cdbecf98b250f780aa3d8cd1d9634f3a4
SHA256

f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db
SHA512

e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 14 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe	Nirsoft

Executes dropped EXE 8 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeB2DAD187.exeAdvancedRun.exeAdvancedRun.exeB2DAD187.exeB2DAD187.exeB2DAD187.exe

pid	process
1152	AdvancedRun.exe
1756	AdvancedRun.exe
1660	B2DAD187.exe
2500	AdvancedRun.exe
2548	AdvancedRun.exe
2872	B2DAD187.exe
3064	B2DAD187.exe
2112	B2DAD187.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

B2DAD187.exee9bb5824bdcb260753367e68abfa8fb5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	B2DAD187.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	B2DAD187.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e9bb5824bdcb260753367e68abfa8fb5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e9bb5824bdcb260753367e68abfa8fb5.exe

Drops startup file 2 IoCs

Processes:

e9bb5824bdcb260753367e68abfa8fb5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe	e9bb5824bdcb260753367e68abfa8fb5.exe

Loads dropped DLL 15 IoCs

Processes:

e9bb5824bdcb260753367e68abfa8fb5.exeAdvancedRun.exeB2DAD187.exeAdvancedRun.exeWerFault.exe

pid	process
1636	e9bb5824bdcb260753367e68abfa8fb5.exe
1636	e9bb5824bdcb260753367e68abfa8fb5.exe
1152	AdvancedRun.exe
1152	AdvancedRun.exe
1636	e9bb5824bdcb260753367e68abfa8fb5.exe
1636	e9bb5824bdcb260753367e68abfa8fb5.exe
1660	B2DAD187.exe
1660	B2DAD187.exe
2500	AdvancedRun.exe
2500	AdvancedRun.exe
2208	WerFault.exe
2208	WerFault.exe
2208	WerFault.exe
2208	WerFault.exe
2208	WerFault.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

e9bb5824bdcb260753367e68abfa8fb5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe = "0"	e9bb5824bdcb260753367e68abfa8fb5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	e9bb5824bdcb260753367e68abfa8fb5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe = "0"	e9bb5824bdcb260753367e68abfa8fb5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe = "0"	e9bb5824bdcb260753367e68abfa8fb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	e9bb5824bdcb260753367e68abfa8fb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	e9bb5824bdcb260753367e68abfa8fb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	e9bb5824bdcb260753367e68abfa8fb5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	e9bb5824bdcb260753367e68abfa8fb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	e9bb5824bdcb260753367e68abfa8fb5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	e9bb5824bdcb260753367e68abfa8fb5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e9bb5824bdcb260753367e68abfa8fb5.exeB2DAD187.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\B2DAD187 = "C:\\Windows\\Microsoft.NET\\Framework\\437CE198\\svchost.exe"	e9bb5824bdcb260753367e68abfa8fb5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\B2DAD187 = "C:\\Windows\\Microsoft.NET\\Framework\\437CE198\\svchost.exe"	B2DAD187.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e9bb5824bdcb260753367e68abfa8fb5.exeB2DAD187.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e9bb5824bdcb260753367e68abfa8fb5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e9bb5824bdcb260753367e68abfa8fb5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	B2DAD187.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	B2DAD187.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e9bb5824bdcb260753367e68abfa8fb5.exeB2DAD187.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e9bb5824bdcb260753367e68abfa8fb5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	e9bb5824bdcb260753367e68abfa8fb5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	B2DAD187.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	B2DAD187.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

e9bb5824bdcb260753367e68abfa8fb5.exeB2DAD187.exe

description	pid	process	target process
PID 1636 set thread context of 2188	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
PID 1660 set thread context of 2872	1660	B2DAD187.exe	B2DAD187.exe
PID 1660 set thread context of 3064	1660	B2DAD187.exe	B2DAD187.exe
PID 1660 set thread context of 2112	1660	B2DAD187.exe	B2DAD187.exe

Drops file in Windows directory 1 IoCs

Processes:

e9bb5824bdcb260753367e68abfa8fb5.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe e9bb5824bdcb260753367e68abfa8fb5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2256 1636 WerFault.exe e9bb5824bdcb260753367e68abfa8fb5.exe
2208 1660 WerFault.exe B2DAD187.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe	e9bb5824bdcb260753367e68abfa8fb5.exe

pid	pid_target	process	target process
2256	1636	WerFault.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
2208	1660	WerFault.exe	B2DAD187.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

pid	process
1152	AdvancedRun.exe
1152	AdvancedRun.exe
1756	AdvancedRun.exe
1756	AdvancedRun.exe
780	powershell.exe
1332	powershell.exe
1724	powershell.exe
2028	powershell.exe
1328	powershell.exe
648	powershell.exe
1560	powershell.exe
996	powershell.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2256	WerFault.exe
2500	AdvancedRun.exe
2500	AdvancedRun.exe
2548	AdvancedRun.exe
2548	AdvancedRun.exe
2624	powershell.exe
2712	powershell.exe
2596	powershell.exe
2660	powershell.exe
2752	powershell.exe
2208	WerFault.exe
2208	WerFault.exe
2208	WerFault.exe
2208	WerFault.exe
2208	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

2256 WerFault.exe

pid	process
2256	WerFault.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exee9bb5824bdcb260753367e68abfa8fb5.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exeAdvancedRun.exeAdvancedRun.exeB2DAD187.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1152	AdvancedRun.exe
Token: SeImpersonatePrivilege	1152	AdvancedRun.exe
Token: SeDebugPrivilege	1756	AdvancedRun.exe
Token: SeImpersonatePrivilege	1756	AdvancedRun.exe
Token: SeDebugPrivilege	1636	e9bb5824bdcb260753367e68abfa8fb5.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2256	WerFault.exe
Token: SeDebugPrivilege	2500	AdvancedRun.exe
Token: SeImpersonatePrivilege	2500	AdvancedRun.exe
Token: SeDebugPrivilege	2548	AdvancedRun.exe
Token: SeImpersonatePrivilege	2548	AdvancedRun.exe
Token: SeDebugPrivilege	1660	B2DAD187.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2208	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

e9bb5824bdcb260753367e68abfa8fb5.exe

pid process

2188 e9bb5824bdcb260753367e68abfa8fb5.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

e9bb5824bdcb260753367e68abfa8fb5.exe

pid process

2188 e9bb5824bdcb260753367e68abfa8fb5.exe

pid	process
2188	e9bb5824bdcb260753367e68abfa8fb5.exe

pid	process
2188	e9bb5824bdcb260753367e68abfa8fb5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e9bb5824bdcb260753367e68abfa8fb5.exeAdvancedRun.exeB2DAD187.exeAdvancedRun.exe

description	pid	process	target process
PID 1636 wrote to memory of 1152	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	AdvancedRun.exe
PID 1636 wrote to memory of 1152	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	AdvancedRun.exe
PID 1636 wrote to memory of 1152	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	AdvancedRun.exe
PID 1636 wrote to memory of 1152	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	AdvancedRun.exe
PID 1152 wrote to memory of 1756	1152	AdvancedRun.exe	AdvancedRun.exe
PID 1152 wrote to memory of 1756	1152	AdvancedRun.exe	AdvancedRun.exe
PID 1152 wrote to memory of 1756	1152	AdvancedRun.exe	AdvancedRun.exe
PID 1152 wrote to memory of 1756	1152	AdvancedRun.exe	AdvancedRun.exe
PID 1636 wrote to memory of 2028	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 2028	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 2028	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 2028	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1328	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1328	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1328	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1328	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1332	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1332	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1332	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1332	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 996	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 996	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 996	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 996	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1724	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1724	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1724	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1724	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1660	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	B2DAD187.exe
PID 1636 wrote to memory of 1660	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	B2DAD187.exe
PID 1636 wrote to memory of 1660	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	B2DAD187.exe
PID 1636 wrote to memory of 1660	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	B2DAD187.exe
PID 1636 wrote to memory of 780	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 780	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 780	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 780	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1560	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1560	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1560	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 1560	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 648	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 648	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 648	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 648	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	powershell.exe
PID 1636 wrote to memory of 2188	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
PID 1636 wrote to memory of 2188	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
PID 1636 wrote to memory of 2188	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
PID 1636 wrote to memory of 2188	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
PID 1636 wrote to memory of 2188	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
PID 1636 wrote to memory of 2188	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
PID 1636 wrote to memory of 2188	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
PID 1636 wrote to memory of 2188	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
PID 1636 wrote to memory of 2188	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
PID 1636 wrote to memory of 2188	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	e9bb5824bdcb260753367e68abfa8fb5.exe
PID 1636 wrote to memory of 2256	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	WerFault.exe
PID 1636 wrote to memory of 2256	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	WerFault.exe
PID 1636 wrote to memory of 2256	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	WerFault.exe
PID 1636 wrote to memory of 2256	1636	e9bb5824bdcb260753367e68abfa8fb5.exe	WerFault.exe
PID 1660 wrote to memory of 2500	1660	B2DAD187.exe	AdvancedRun.exe
PID 1660 wrote to memory of 2500	1660	B2DAD187.exe	AdvancedRun.exe
PID 1660 wrote to memory of 2500	1660	B2DAD187.exe	AdvancedRun.exe
PID 1660 wrote to memory of 2500	1660	B2DAD187.exe	AdvancedRun.exe
PID 2500 wrote to memory of 2548	2500	AdvancedRun.exe	AdvancedRun.exe
PID 2500 wrote to memory of 2548	2500	AdvancedRun.exe	AdvancedRun.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

B2DAD187.exee9bb5824bdcb260753367e68abfa8fb5.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	B2DAD187.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e9bb5824bdcb260753367e68abfa8fb5.exe

C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe
"C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1636

C:\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe" /SpecialRun 4101d8 1152
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1660

C:\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe" /SpecialRun 4101d8 2500
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
3⤵
- Executes dropped EXE
PID:2872

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
3⤵
- Executes dropped EXE
PID:3064

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
3⤵
- Executes dropped EXE
PID:2112

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe"
3⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 824
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\437CE198\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe
"C:\Users\Admin\AppData\Local\Temp\e9bb5824bdcb260753367e68abfa8fb5.exe"
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 592
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c8cd554794a2c5f7a8c8417ed0a0dc1f

SHA1
85f7502c05fa59ea122af658632f48ca60b73488

SHA256
5927d9c28a08cb7711fb2973f094aa0d8874246a76e6ea5b55fb0faf878c9fc8

SHA512
2073fcdd3425532edbda37bf90a74be8d563dee1cc23e836089f4031564fc09d01711557a1d60cfab4ba719b6e9069e5048c219e98fe29d9def0c08296e7c5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c8cd554794a2c5f7a8c8417ed0a0dc1f

SHA1
85f7502c05fa59ea122af658632f48ca60b73488

SHA256
5927d9c28a08cb7711fb2973f094aa0d8874246a76e6ea5b55fb0faf878c9fc8

SHA512
2073fcdd3425532edbda37bf90a74be8d563dee1cc23e836089f4031564fc09d01711557a1d60cfab4ba719b6e9069e5048c219e98fe29d9def0c08296e7c5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c8cd554794a2c5f7a8c8417ed0a0dc1f

SHA1
85f7502c05fa59ea122af658632f48ca60b73488

SHA256
5927d9c28a08cb7711fb2973f094aa0d8874246a76e6ea5b55fb0faf878c9fc8

SHA512
2073fcdd3425532edbda37bf90a74be8d563dee1cc23e836089f4031564fc09d01711557a1d60cfab4ba719b6e9069e5048c219e98fe29d9def0c08296e7c5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c8cd554794a2c5f7a8c8417ed0a0dc1f

SHA1
85f7502c05fa59ea122af658632f48ca60b73488

SHA256
5927d9c28a08cb7711fb2973f094aa0d8874246a76e6ea5b55fb0faf878c9fc8

SHA512
2073fcdd3425532edbda37bf90a74be8d563dee1cc23e836089f4031564fc09d01711557a1d60cfab4ba719b6e9069e5048c219e98fe29d9def0c08296e7c5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c8cd554794a2c5f7a8c8417ed0a0dc1f

SHA1
85f7502c05fa59ea122af658632f48ca60b73488

SHA256
5927d9c28a08cb7711fb2973f094aa0d8874246a76e6ea5b55fb0faf878c9fc8

SHA512
2073fcdd3425532edbda37bf90a74be8d563dee1cc23e836089f4031564fc09d01711557a1d60cfab4ba719b6e9069e5048c219e98fe29d9def0c08296e7c5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c8cd554794a2c5f7a8c8417ed0a0dc1f

SHA1
85f7502c05fa59ea122af658632f48ca60b73488

SHA256
5927d9c28a08cb7711fb2973f094aa0d8874246a76e6ea5b55fb0faf878c9fc8

SHA512
2073fcdd3425532edbda37bf90a74be8d563dee1cc23e836089f4031564fc09d01711557a1d60cfab4ba719b6e9069e5048c219e98fe29d9def0c08296e7c5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c8cd554794a2c5f7a8c8417ed0a0dc1f

SHA1
85f7502c05fa59ea122af658632f48ca60b73488

SHA256
5927d9c28a08cb7711fb2973f094aa0d8874246a76e6ea5b55fb0faf878c9fc8

SHA512
2073fcdd3425532edbda37bf90a74be8d563dee1cc23e836089f4031564fc09d01711557a1d60cfab4ba719b6e9069e5048c219e98fe29d9def0c08296e7c5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c8cd554794a2c5f7a8c8417ed0a0dc1f

SHA1
85f7502c05fa59ea122af658632f48ca60b73488

SHA256
5927d9c28a08cb7711fb2973f094aa0d8874246a76e6ea5b55fb0faf878c9fc8

SHA512
2073fcdd3425532edbda37bf90a74be8d563dee1cc23e836089f4031564fc09d01711557a1d60cfab4ba719b6e9069e5048c219e98fe29d9def0c08296e7c5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c8cd554794a2c5f7a8c8417ed0a0dc1f

SHA1
85f7502c05fa59ea122af658632f48ca60b73488

SHA256
5927d9c28a08cb7711fb2973f094aa0d8874246a76e6ea5b55fb0faf878c9fc8

SHA512
2073fcdd3425532edbda37bf90a74be8d563dee1cc23e836089f4031564fc09d01711557a1d60cfab4ba719b6e9069e5048c219e98fe29d9def0c08296e7c5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c8cd554794a2c5f7a8c8417ed0a0dc1f

SHA1
85f7502c05fa59ea122af658632f48ca60b73488

SHA256
5927d9c28a08cb7711fb2973f094aa0d8874246a76e6ea5b55fb0faf878c9fc8

SHA512
2073fcdd3425532edbda37bf90a74be8d563dee1cc23e836089f4031564fc09d01711557a1d60cfab4ba719b6e9069e5048c219e98fe29d9def0c08296e7c5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
c8cd554794a2c5f7a8c8417ed0a0dc1f

SHA1
85f7502c05fa59ea122af658632f48ca60b73488

SHA256
5927d9c28a08cb7711fb2973f094aa0d8874246a76e6ea5b55fb0faf878c9fc8

SHA512
2073fcdd3425532edbda37bf90a74be8d563dee1cc23e836089f4031564fc09d01711557a1d60cfab4ba719b6e9069e5048c219e98fe29d9def0c08296e7c5ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\8c7bbaac-47a9-4da8-bbdb-3c241c8aa4af\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\dcb378fe-2c10-45db-bf73-0f2423b9656c\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B2DAD187.exe
MD5
e9bb5824bdcb260753367e68abfa8fb5

SHA1
956c467cdbecf98b250f780aa3d8cd1d9634f3a4

SHA256
f5c297279b27a02d9ede35e210c0bf0dbe0decbecd09183e5a2677f05cea50db

SHA512
e33838c5dd7e94efdf08ae37f33945dd6eefa26f8a56f415e2447179c40bd9d081abf59a1f054274ea9e1b5e80a9948a55ba5d0a048ff8f0f45f644b524d6c5f

Download Submit
memory/648-87-0x0000000000000000-mapping.dmp

Download
memory/648-99-0x0000000002260000-0x0000000002EAA000-memory.dmp

Filesize
12.3MB

Download
memory/648-122-0x0000000002260000-0x0000000002EAA000-memory.dmp

Filesize
12.3MB

Download
memory/780-112-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/780-121-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/780-100-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/780-84-0x0000000000000000-mapping.dmp

Download
memory/996-108-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/996-70-0x0000000000000000-mapping.dmp

Download
memory/996-123-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/996-103-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/1152-60-0x0000000076161000-0x0000000076163000-memory.dmp

Filesize
8KB

Download
memory/1152-58-0x0000000000000000-mapping.dmp

Download
memory/1328-107-0x0000000002241000-0x0000000002242000-memory.dmp

Filesize
4KB

Download
memory/1328-98-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1328-116-0x0000000002242000-0x0000000002244000-memory.dmp

Filesize
8KB

Download
memory/1328-68-0x0000000000000000-mapping.dmp

Download
memory/1332-117-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1332-110-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1332-111-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1332-69-0x0000000000000000-mapping.dmp

Download
memory/1560-97-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/1560-101-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/1560-85-0x0000000000000000-mapping.dmp

Download
memory/1560-118-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/1636-54-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1636-53-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1636-113-0x0000000000DB0000-0x0000000000DB3000-memory.dmp

Filesize
12KB

Download
memory/1636-55-0x0000000000420000-0x0000000000476000-memory.dmp

Filesize
344KB

Download
memory/1660-102-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/1660-77-0x0000000000000000-mapping.dmp

Download
memory/1660-83-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1724-96-0x00000000023F0000-0x000000000303A000-memory.dmp

Filesize
12.3MB

Download
memory/1724-71-0x0000000000000000-mapping.dmp

Download
memory/1724-120-0x00000000023F0000-0x000000000303A000-memory.dmp

Filesize
12.3MB

Download
memory/1756-64-0x0000000000000000-mapping.dmp

Download
memory/2028-93-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2028-67-0x0000000000000000-mapping.dmp

Download
memory/2028-104-0x0000000002171000-0x0000000002172000-memory.dmp

Filesize
4KB

Download
memory/2028-119-0x0000000002172000-0x0000000002174000-memory.dmp

Filesize
8KB

Download
memory/2112-179-0x00000000004080EF-mapping.dmp

Download
memory/2188-115-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2188-105-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2188-106-0x00000000004080EF-mapping.dmp

Download
memory/2208-183-0x0000000000000000-mapping.dmp

Download
memory/2208-189-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2256-114-0x0000000000000000-mapping.dmp

Download
memory/2256-124-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2500-128-0x0000000000000000-mapping.dmp

Download
memory/2548-134-0x0000000000000000-mapping.dmp

Download
memory/2596-162-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/2596-169-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/2596-137-0x0000000000000000-mapping.dmp

Download
memory/2596-172-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/2624-164-0x0000000002250000-0x0000000002E9A000-memory.dmp

Filesize
12.3MB

Download
memory/2624-159-0x0000000002250000-0x0000000002E9A000-memory.dmp

Filesize
12.3MB

Download
memory/2624-148-0x0000000002250000-0x0000000002E9A000-memory.dmp

Filesize
12.3MB

Download
memory/2624-138-0x0000000000000000-mapping.dmp

Download
memory/2660-141-0x0000000000000000-mapping.dmp

Download
memory/2660-168-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/2660-170-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/2660-160-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/2712-166-0x0000000002581000-0x0000000002582000-memory.dmp

Filesize
4KB

Download
memory/2712-165-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2712-167-0x0000000002582000-0x0000000002584000-memory.dmp

Filesize
8KB

Download
memory/2712-143-0x0000000000000000-mapping.dmp

Download
memory/2752-163-0x0000000002290000-0x0000000002EDA000-memory.dmp

Filesize
12.3MB

Download
memory/2752-171-0x0000000002290000-0x0000000002EDA000-memory.dmp

Filesize
12.3MB

Download
memory/2752-161-0x0000000002290000-0x0000000002EDA000-memory.dmp

Filesize
12.3MB

Download
memory/2752-144-0x0000000000000000-mapping.dmp

Download
memory/2872-154-0x00000000004080EF-mapping.dmp

Download
memory/3064-174-0x00000000004080EF-mapping.dmp

Download