daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e

Analysis

max time kernel
150s
max time network
137s
platform
windows10_x64
resource
win10-en-20210920
submitted
19-10-2021 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Size

45KB
MD5

291bea114eb566d39f69d8c2af059548
SHA1

5a9fd8d8a1aa9e9ea1e6a01a55808b1040fae01a
SHA256

daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e
SHA512

e1df169940c3024bf20623088bfc5eb1c2b46763c247731a4a9b40770b37a2eb3dd7fc9246fe05337565676d1029e7236caa5876efe8576c6d58929a42e1b725

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\read-me.txt

Ransom Note

All your files are Encrypted! For data recovery needs decryptor. How to buy decryptor: ---------------------------------------------------------------------------------------- | 1. Download Tor browser - https://www.torproject.org/ and install it. | 2. Open link in TOR browser - http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV | 3. Create Ticket ---------------------------------------------------------------------------------------- Note! This link is available via Tor Browser only. ------------------------------------------------------------ or http://helpqvrg3cc5mvb3.onion/ Your ID ��38 85 63 F0 70 C0 77 B8 39 4C 06 74 9C FB FB F1 2E F9 D6 71 9E 04 11 D5 14 9F EE F9 DC CC 93 16 B8 D1 5A 87 FD 12 94 D4 2B 4C 00 F7 E4 97 A4 7C 0B B7 D3 54 FA BA DD 11 A3 6D C2 C3 03 F4 31 2A 58 01 D0 56 9B 91 E3 EC 0D 4F 60 DF 53 E5 52 F0 C3 27 99 3E A8 10 19 E2 64 75 D5 5F C0 97 F4 FB B5 07 A2 30 60 70 86 3D C4 90 D7 E3 C2 73 35 65 BA 7D 6B 68 D2 02 96 C2 51 C1 73 BC 99 9C 5A DC 3B B2 E9 6E A1 10 5C 4D 04 45 55 C2 56 BA 37 A1 38 91 65 60 7A A4 56 E2 CE 5B 39 EB 47 C8 01 38 6C 77 F5 35 71 04 B9 8F D2 73 3F A3 80 BD 87 08 69 B6 EE 42 FC 62 B2 90 98 0D 3C 73 AF 3E BD 44 E3 B8 65 20 B2 B0 8C FC 80 1C 8D 50 D2 48 9C 89 5F 9D FC 20 7C 88 73 1F 4F 61 79 AF 5C E1 C4 84 C1 DD FE A0 BF B8 A3 67 25 1F F8 9A F8 DE 6E 96 22 EB 2E 42 54 70 C5 82 BC 5C 9C 11 51 CD 03 A8

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?STAHYJUHGFV

http://helpqvrg3cc5mvb3.onion/

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6f134f53-9db2-468b-9510-6f02a6294a14\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\6f134f53-9db2-468b-9510-6f02a6294a14\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\6f134f53-9db2-468b-9510-6f02a6294a14\AdvancedRun.exe	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

pid process

1008 AdvancedRun.exe
2076 AdvancedRun.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MountRemove.raw => C:\Users\Admin\Pictures\MountRemove.raw.xls	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File renamed	C:\Users\Admin\Pictures\MovePop.tif => C:\Users\Admin\Pictures\MovePop.tif.xls	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File renamed	C:\Users\Admin\Pictures\RepairUninstall.raw => C:\Users\Admin\Pictures\RepairUninstall.raw.xls	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File renamed	C:\Users\Admin\Pictures\SaveHide.png => C:\Users\Admin\Pictures\SaveHide.png.xls	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File renamed	C:\Users\Admin\Pictures\SuspendConvert.raw => C:\Users\Admin\Pictures\SuspendConvert.raw.xls	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\⾙⿃⿘⾒⾒⿅⿂⾸⿅⾙⾔⾫⿂⿅⾕\svchost.exe = "0"	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe = "0"	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Links\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Public\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

pid	process
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

description	pid	process	target process
PID 3608 set thread context of 5012	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

Drops file in Program Files directory 64 IoCs

Processes:

daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\ui-strings.js	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\read-me.txt	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-48_altform-unplated_contrast-white.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5665_40x40x32.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\OneConnectLargeTile.scale-200.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-400.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\10910_48x48x32.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleMedTile.scale-200.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile-2x.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\3490_24x24x32.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-125.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-96_altform-unplated.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\DailyChallenges\Popup\FUE1_Image_4.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\read-me.txt	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\SmallTile.scale-100.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-125.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\read-me.txt	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\MedTile.scale-200.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-200.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libmosaic_plugin.dll	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ru.dll	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\PlayStore_icon.svg	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\example_icons.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupLargeTile.scale-100.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\AppxManifest.xml	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_shout_plugin.dll	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-no-text_2x.gif	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarMediumTile.scale-400.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Backgrounds\Aquarium.jpg	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-ma\ui-strings.js	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Images\PiSh_placeholder.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-64_altform-unplated.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\Apply.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\new_icons.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\read-me.txt	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-36_altform-unplated.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-GoogleCloudCache-Dark.scale-240.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-125.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-colorize.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8FR.DLL	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\np_16x11.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\Sounds\Delete_Contact.wav	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-20_altform-unplated.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libanaglyph_plugin.dll	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\gb_60x42.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\read-me.txt	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\read-me.txt	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-64.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4642_24x24x32.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-100_contrast-black.png	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N.svg	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\read-me.txt	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\read-me.txt	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

Drops file in Windows directory 3 IoCs

Processes:

daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exeWerFault.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\⾙⿃⿘⾒⾒⿅⿂⾸⿅⾙⾔⾫⿂⿅⾕\svchost.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\⾙⿃⿘⾒⾒⿅⿂⾸⿅⾙⾔⾫⿂⿅⾕\svchost.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2820 3608 WerFault.exe daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

pid	pid_target	process	target process
2820	3608	WerFault.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

AdvancedRun.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exedaa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exepowershell.exeWerFault.exe

pid	process
1008	AdvancedRun.exe
1008	AdvancedRun.exe
1008	AdvancedRun.exe
1008	AdvancedRun.exe
3168	powershell.exe
800	powershell.exe
3968	powershell.exe
3168	powershell.exe
2076	AdvancedRun.exe
2076	AdvancedRun.exe
2076	AdvancedRun.exe
2076	AdvancedRun.exe
3968	powershell.exe
800	powershell.exe
800	powershell.exe
3968	powershell.exe
3168	powershell.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exepowershell.exepowershell.exeAdvancedRun.exepowershell.exeAdvancedRun.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	1008	AdvancedRun.exe
Token: SeImpersonatePrivilege	1008	AdvancedRun.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	2076	AdvancedRun.exe
Token: SeImpersonatePrivilege	2076	AdvancedRun.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeRestorePrivilege	2820	WerFault.exe
Token: SeBackupPrivilege	2820	WerFault.exe
Token: SeBackupPrivilege	2820	WerFault.exe
Token: SeDebugPrivilege	2820	WerFault.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exeAdvancedRun.exe

description	pid	process	target process
PID 3608 wrote to memory of 800	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 800	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 800	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 3168	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 3168	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 3168	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 3968	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 3968	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 3968	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 1008	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	AdvancedRun.exe
PID 3608 wrote to memory of 1008	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	AdvancedRun.exe
PID 3608 wrote to memory of 1008	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	AdvancedRun.exe
PID 1008 wrote to memory of 2076	1008	AdvancedRun.exe	AdvancedRun.exe
PID 1008 wrote to memory of 2076	1008	AdvancedRun.exe	AdvancedRun.exe
PID 1008 wrote to memory of 2076	1008	AdvancedRun.exe	AdvancedRun.exe
PID 3608 wrote to memory of 4448	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 4448	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 4448	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	powershell.exe
PID 3608 wrote to memory of 5012	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
PID 3608 wrote to memory of 5012	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
PID 3608 wrote to memory of 5012	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
PID 3608 wrote to memory of 5012	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
PID 3608 wrote to memory of 5012	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
PID 3608 wrote to memory of 5012	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
PID 3608 wrote to memory of 5012	3608	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe	daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe

C:\Users\Admin\AppData\Local\Temp\daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
"C:\Users\Admin\AppData\Local\Temp\daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe"
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\⾙⿃⿘⾒⾒⿅⿂⾸⿅⾙⾔⾫⿂⿅⾕\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\⾙⿃⿘⾒⾒⿅⿂⾸⿅⾙⾔⾫⿂⿅⾕\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Users\Admin\AppData\Local\Temp\6f134f53-9db2-468b-9510-6f02a6294a14\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\6f134f53-9db2-468b-9510-6f02a6294a14\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6f134f53-9db2-468b-9510-6f02a6294a14\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\6f134f53-9db2-468b-9510-6f02a6294a14\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\6f134f53-9db2-468b-9510-6f02a6294a14\AdvancedRun.exe" /SpecialRun 4101d8 1008
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Users\Admin\AppData\Local\Temp\daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe
"C:\Users\Admin\AppData\Local\Temp\daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e.exe"
2⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 2404
2⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6241018cb9c4d059eaf81fb76ff997f6

SHA1
6cf3d762b533d2c5a8b7da0b8399475da751ece6

SHA256
242c08c9acaf2dfebc5ccc0d88c334327e3789134912c63ea5ccc92977c32ff3

SHA512
c73698802ad33f4f8fc3a8292c4d9c9a893f6d1b49b401e2b4f34c8fab683c1b8e95f8e115d9ff507b6580aaf66eefe39490f734b40b4bb0908cfeabc2a445d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
216d2a7d7defbbb036fc73b853bcb721

SHA1
dbe8508fecf2ac68fca23da0c4e540fe28dac6f8

SHA256
09315df1c9776db95ad9a5f42e4dc9b6bed446ccbc901b1f6eb16a4fcd45d239

SHA512
752c0314e397974e9860a67bfe78d9a083c192682345ff4cf3325b40b38cb86546266d2508e7427234bbe89f307750db585cb97a64ee367a06c968f76e6e5b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
216d2a7d7defbbb036fc73b853bcb721

SHA1
dbe8508fecf2ac68fca23da0c4e540fe28dac6f8

SHA256
09315df1c9776db95ad9a5f42e4dc9b6bed446ccbc901b1f6eb16a4fcd45d239

SHA512
752c0314e397974e9860a67bfe78d9a083c192682345ff4cf3325b40b38cb86546266d2508e7427234bbe89f307750db585cb97a64ee367a06c968f76e6e5b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f134f53-9db2-468b-9510-6f02a6294a14\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f134f53-9db2-468b-9510-6f02a6294a14\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f134f53-9db2-468b-9510-6f02a6294a14\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/800-143-0x00000000049A2000-0x00000000049A3000-memory.dmp

Filesize
4KB

Download
memory/800-123-0x0000000000000000-mapping.dmp

Download
memory/800-132-0x0000000007400000-0x0000000007401000-memory.dmp

Filesize
4KB

Download
memory/800-234-0x000000007F1A0000-0x000000007F1A1000-memory.dmp

Filesize
4KB

Download
memory/800-252-0x00000000049A3000-0x00000000049A4000-memory.dmp

Filesize
4KB

Download
memory/800-174-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/800-169-0x00000000084B0000-0x00000000084B1000-memory.dmp

Filesize
4KB

Download
memory/800-127-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/800-129-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/800-166-0x00000000086F0000-0x00000000086F1000-memory.dmp

Filesize
4KB

Download
memory/800-126-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

Filesize
4KB

Download
memory/800-142-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1008-140-0x0000000000000000-mapping.dmp

Download
memory/2076-161-0x0000000000000000-mapping.dmp

Download
memory/3168-153-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/3168-144-0x0000000002600000-0x000000000274A000-memory.dmp

Filesize
1.3MB

Download
memory/3168-150-0x0000000006C10000-0x0000000006C11000-memory.dmp

Filesize
4KB

Download
memory/3168-130-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3168-155-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/3168-124-0x0000000000000000-mapping.dmp

Download
memory/3168-239-0x000000007E960000-0x000000007E961000-memory.dmp

Filesize
4KB

Download
memory/3168-145-0x0000000002600000-0x000000000274A000-memory.dmp

Filesize
1.3MB

Download
memory/3168-253-0x0000000002600000-0x000000000274A000-memory.dmp

Filesize
1.3MB

Download
memory/3168-148-0x0000000006A70000-0x0000000006A71000-memory.dmp

Filesize
4KB

Download
memory/3168-128-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3168-172-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/3608-138-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/3608-121-0x00000000061A0000-0x0000000006205000-memory.dmp

Filesize
404KB

Download
memory/3608-118-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/3608-117-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/3608-122-0x00000000067E0000-0x00000000067E1000-memory.dmp

Filesize
4KB

Download
memory/3608-115-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3608-131-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/3968-134-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3968-136-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3968-238-0x000000007EF00000-0x000000007EF01000-memory.dmp

Filesize
4KB

Download
memory/3968-146-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/3968-125-0x0000000000000000-mapping.dmp

Download
memory/3968-163-0x00000000085D0000-0x00000000085D1000-memory.dmp

Filesize
4KB

Download
memory/3968-254-0x0000000007213000-0x0000000007214000-memory.dmp

Filesize
4KB

Download
memory/3968-147-0x0000000007212000-0x0000000007213000-memory.dmp

Filesize
4KB

Download
memory/3968-176-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/4448-363-0x000000007F740000-0x000000007F741000-memory.dmp

Filesize
4KB

Download
memory/4448-184-0x0000000000000000-mapping.dmp

Download
memory/4448-441-0x0000000006C63000-0x0000000006C64000-memory.dmp

Filesize
4KB

Download
memory/4448-240-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/4448-241-0x0000000006C62000-0x0000000006C63000-memory.dmp

Filesize
4KB

Download
memory/5012-192-0x0000000000409F20-mapping.dmp

Download
memory/5012-188-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5012-231-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download