dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7

Analysis

max time kernel
94s
max time network
121s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-10-2021 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Size

58KB
MD5

9d4458f6de6fb97b9b2a6ee9a69b62f4
SHA1

b7e91d625d95e6b6c8452c0beb4d9900da1931a2
SHA256

dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7
SHA512

a7b91a7df43fa0902192d34b556d6957954c2878f3329a347226bb2edcfa5a5c44de3e0e245bfd1bcf2efd3c4bcbbb6e7dc17528d5917798cb9795a53dd53e06

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Extracted

Path

\??\M:\Read_Me.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101NEGXZGST 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5

URLs

http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101NEGXZGST

https://yip.su/2QstD5

Signatures

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\58a4cfea-7840-4a07-a6d0-1403c84a1adb\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\58a4cfea-7840-4a07-a6d0-1403c84a1adb\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\58a4cfea-7840-4a07-a6d0-1403c84a1adb\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeOfficeClickToRun.exe

pid process

788 AdvancedRun.exe
1992 AdvancedRun.exe
896 OfficeClickToRun.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
788	AdvancedRun.exe
1992	AdvancedRun.exe
896	OfficeClickToRun.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe = "0"	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe = "0"	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\desktop.ini	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

description	ioc	process
File opened (read-only)	\??\Q:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\R:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\F:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\K:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\W:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\T:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\P:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\A:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\V:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\B:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\N:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\M:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\E:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\U:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\S:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\H:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\J:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\L:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\Z:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\X:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\Y:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\I:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\O:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened (read-only)	\??\G:	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

description	pid	process	target process
PID 2820 set thread context of 3000	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

Drops file in Program Files directory 64 IoCs

Processes:

dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp4-ul-phn.xrm-ms	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.bat	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\j2pcsc.dll	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OAuth.dll	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\Read_Me.txt	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jli.dll	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javafx_iio.dll	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfontj2d.properties	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial2-ppd.xrm-ms	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul.xrm-ms	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\89.0.4389.114.manifest	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\Read_Me.txt	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable@3x.png	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ko\msipc.dll.mui	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File created	C:\Program Files\Common Files\microsoft shared\Triedit\Read_Me.txt	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\ConfirmComplete.wmf	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-ul-oob.xrm-ms	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_ja.jar	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File created	C:\Program Files\Common Files\System\ado\Read_Me.txt	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\msvcr100.dll	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exedfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exedfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

pid	process
3388	powershell.exe
1140	powershell.exe
1044	powershell.exe
788	AdvancedRun.exe
788	AdvancedRun.exe
788	AdvancedRun.exe
788	AdvancedRun.exe
3388	powershell.exe
1044	powershell.exe
1140	powershell.exe
1992	AdvancedRun.exe
1992	AdvancedRun.exe
1992	AdvancedRun.exe
1992	AdvancedRun.exe
2848	powershell.exe
2848	powershell.exe
1140	powershell.exe
3388	powershell.exe
2848	powershell.exe
1044	powershell.exe
2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
3000	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	788	AdvancedRun.exe
Token: SeImpersonatePrivilege	788	AdvancedRun.exe
Token: SeDebugPrivilege	1992	AdvancedRun.exe
Token: SeImpersonatePrivilege	1992	AdvancedRun.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeCreatePagefilePrivilege	1568	explorer.exe
Token: SeShutdownPrivilege	1568	explorer.exe
Token: SeCreatePagefilePrivilege	1568	explorer.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exeAdvancedRun.exe

description	pid	process	target process
PID 2820 wrote to memory of 1140	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 1140	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 1140	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 1044	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 1044	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 1044	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 3388	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 3388	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 3388	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 788	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	AdvancedRun.exe
PID 2820 wrote to memory of 788	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	AdvancedRun.exe
PID 2820 wrote to memory of 788	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	AdvancedRun.exe
PID 788 wrote to memory of 1992	788	AdvancedRun.exe	AdvancedRun.exe
PID 788 wrote to memory of 1992	788	AdvancedRun.exe	AdvancedRun.exe
PID 788 wrote to memory of 1992	788	AdvancedRun.exe	AdvancedRun.exe
PID 2820 wrote to memory of 2848	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 2848	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 2848	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	powershell.exe
PID 2820 wrote to memory of 3236	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3236	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3236	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3000	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3000	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3000	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3000	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3000	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3000	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3000	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3000	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3000	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
PID 2820 wrote to memory of 3000	2820	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe	dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe

C:\Users\Admin\AppData\Local\Temp\dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
"C:\Users\Admin\AppData\Local\Temp\dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe"
1⤵
- Windows security modification
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Users\Admin\AppData\Local\Temp\58a4cfea-7840-4a07-a6d0-1403c84a1adb\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\58a4cfea-7840-4a07-a6d0-1403c84a1adb\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\58a4cfea-7840-4a07-a6d0-1403c84a1adb\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\58a4cfea-7840-4a07-a6d0-1403c84a1adb\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\58a4cfea-7840-4a07-a6d0-1403c84a1adb\AdvancedRun.exe" /SpecialRun 4101d8 788
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Users\Admin\AppData\Local\Temp\dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
C:\Users\Admin\AppData\Local\Temp\dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
2⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
C:\Users\Admin\AppData\Local\Temp\dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7.exe
2⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3000

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
PID:896

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:1872

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
MD5
23e4f3d4c5058fa198640d6d0e1b0eb7

SHA1
1694ebc688e741e16bbee3ff665b1f184c2740f6

SHA256
9d8ff84c7ce8884d816f15e39d0246ad4a4eb37135a8cd2cc30079061ff43fb9

SHA512
9bc75b0c02cfcdb9b286aa4a6c0d336741eeca96fbf4c733dc6e2c9ef807b20602d24ebb737eb142b29a9902f12ae0176e4d0b9c86422366010ee6b85741d2a5

Download Submit
C:\Program Files\VideoLAN\VLC\vlc.exe
MD5
8d4a522feb5a6a8fb8c4e448e96d4051

SHA1
e0ac2c60bf4d09068a727d6462c87ee87a4e2da9

SHA256
ded395fbab6365dfe1f612bff0a2592064297d1e89114214858d8a9d35898399

SHA512
f2a2a62baa2cd53d36587b7fa71a406c2b658aaf83fd6504f356aaf2a4151a051b72297ee7ff31047ae9dd052882356219f04d4a165b2374ba11a2c095d1a741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
2c59a3c90f0c16d346f8c4f4df64a6c6

SHA1
324099be473da754fe733c61e2e536e550f1d45c

SHA256
17da3cfdee18f36a8ed7f5213e0829096fffc6546555ec381e06ada83388beb0

SHA512
31d54490518b88d44ec2916a1571a21b8a9db0bfc7e680cfc492c942cf81b58c32be929acfd30e14bd0b85e131d752f3c3a695a62bc5e002f761f3c8e0f1df7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
2c59a3c90f0c16d346f8c4f4df64a6c6

SHA1
324099be473da754fe733c61e2e536e550f1d45c

SHA256
17da3cfdee18f36a8ed7f5213e0829096fffc6546555ec381e06ada83388beb0

SHA512
31d54490518b88d44ec2916a1571a21b8a9db0bfc7e680cfc492c942cf81b58c32be929acfd30e14bd0b85e131d752f3c3a695a62bc5e002f761f3c8e0f1df7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
69d657fb8c34d135d1cceb6f1d1395cd

SHA1
815e8c87073c60f7486940b4a4513facaf01a62f

SHA256
86554cca9edec6d1acee30dca569c1bb385a16b4a8560ca9a25930d3da1fd698

SHA512
eaacd47021bfa3daa5f34fe083ad95d7fbdb23cc9f387689bece0a3a5011c9e6870ced24483f7eca32e199b3f9c5caa65bc172e5cad27ed93c73b7e240446ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
69d657fb8c34d135d1cceb6f1d1395cd

SHA1
815e8c87073c60f7486940b4a4513facaf01a62f

SHA256
86554cca9edec6d1acee30dca569c1bb385a16b4a8560ca9a25930d3da1fd698

SHA512
eaacd47021bfa3daa5f34fe083ad95d7fbdb23cc9f387689bece0a3a5011c9e6870ced24483f7eca32e199b3f9c5caa65bc172e5cad27ed93c73b7e240446ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
69d657fb8c34d135d1cceb6f1d1395cd

SHA1
815e8c87073c60f7486940b4a4513facaf01a62f

SHA256
86554cca9edec6d1acee30dca569c1bb385a16b4a8560ca9a25930d3da1fd698

SHA512
eaacd47021bfa3daa5f34fe083ad95d7fbdb23cc9f387689bece0a3a5011c9e6870ced24483f7eca32e199b3f9c5caa65bc172e5cad27ed93c73b7e240446ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5dc0f704dcf1b77496f3c10a052c3604

SHA1
115e20c4f525e1c7b65cc9ab66a10fa949af35b6

SHA256
66ba1c74e584a728b2567e204d2822e0e2e5af4cf7f282c2d04be420d9891b69

SHA512
f5d3cb7495ca7e9d0f5bd6142ef937078619faf00007e229cdb927f35c130be2ecf56ef658a517590e571b0288d89c153a21ba882b4f49574b38abdae26bc66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\58a4cfea-7840-4a07-a6d0-1403c84a1adb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\58a4cfea-7840-4a07-a6d0-1403c84a1adb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\58a4cfea-7840-4a07-a6d0-1403c84a1adb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/788-152-0x0000000000000000-mapping.dmp

Download
memory/1044-272-0x0000000004503000-0x0000000004504000-memory.dmp

Filesize
4KB

Download
memory/1044-235-0x000000007F3A0000-0x000000007F3A1000-memory.dmp

Filesize
4KB

Download
memory/1044-186-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/1044-171-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/1044-125-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/1044-145-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/1044-137-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/1044-139-0x0000000004502000-0x0000000004503000-memory.dmp

Filesize
4KB

Download
memory/1044-154-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/1044-124-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/1044-122-0x0000000000000000-mapping.dmp

Download
memory/1140-136-0x0000000006B70000-0x0000000006B71000-memory.dmp

Filesize
4KB

Download
memory/1140-127-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1140-149-0x0000000007130000-0x0000000007131000-memory.dmp

Filesize
4KB

Download
memory/1140-132-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/1140-230-0x000000007F230000-0x000000007F231000-memory.dmp

Filesize
4KB

Download
memory/1140-181-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/1140-138-0x0000000006B72000-0x0000000006B73000-memory.dmp

Filesize
4KB

Download
memory/1140-129-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/1140-175-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/1140-126-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1140-121-0x0000000000000000-mapping.dmp

Download
memory/1140-187-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/1140-271-0x0000000006B73000-0x0000000006B74000-memory.dmp

Filesize
4KB

Download
memory/1992-158-0x0000000000000000-mapping.dmp

Download
memory/2820-120-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/2820-115-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2820-119-0x0000000005490000-0x0000000005504000-memory.dmp

Filesize
464KB

Download
memory/2820-147-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/2820-118-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/2820-141-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/2820-117-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/2848-269-0x0000000004F73000-0x0000000004F74000-memory.dmp

Filesize
4KB

Download
memory/2848-169-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/2848-160-0x0000000000000000-mapping.dmp

Download
memory/2848-161-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/2848-162-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/2848-239-0x000000007E6F0000-0x000000007E6F1000-memory.dmp

Filesize
4KB

Download
memory/2848-170-0x0000000004F72000-0x0000000004F73000-memory.dmp

Filesize
4KB

Download
memory/2848-188-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/3000-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3000-180-0x0000000000407CA0-mapping.dmp

Download
memory/3000-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3388-270-0x0000000006613000-0x0000000006614000-memory.dmp

Filesize
4KB

Download
memory/3388-128-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/3388-123-0x0000000000000000-mapping.dmp

Download
memory/3388-226-0x000000007EAA0000-0x000000007EAA1000-memory.dmp

Filesize
4KB

Download
memory/3388-135-0x0000000006610000-0x0000000006611000-memory.dmp

Filesize
4KB

Download
memory/3388-140-0x0000000006612000-0x0000000006613000-memory.dmp

Filesize
4KB

Download
memory/3388-142-0x0000000006B90000-0x0000000006B91000-memory.dmp

Filesize
4KB

Download