nanocore | 4ba6a3b111db7d0e22339141a17eb368e1882734fe0a22641c46ab94c725bfad

Analysis

max time kernel
120s
max time network
153s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-10-2021 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT-SWIFTCOPY.exe
Size

391KB
MD5

788c7a25b15a7263c24c4060f0c0df6a
SHA1

c28333f296ea281d90610a0866d5cdb8885fc34b
SHA256

4ba6a3b111db7d0e22339141a17eb368e1882734fe0a22641c46ab94c725bfad
SHA512

eb6b0ea6b483c000940c2a30a9ccee14d44a9b1c748486a6b6996e723526aa9e31a7f8df8599c7ed7720f528ab241b70a7f174ccfc054afc589447045c101e85

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

doc-file.ddns.net:9829

127.0.0.1:9829

Mutex

488a14cf-6a5f-44f7-91cc-ed29cde2cc8c

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-05T13:51:06.259902836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9829
default_group
PAYMENT-SWIFTCOPY
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
488a14cf-6a5f-44f7-91cc-ed29cde2cc8c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
doc-file.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 14 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exeAdvancedRun.exeAdvancedRun.exe

pid process

620 AdvancedRun.exe
592 AdvancedRun.exe
1008 ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
2196 AdvancedRun.exe
2252 AdvancedRun.exe

Drops startup file 2 IoCs

Processes:

PAYMENT-SWIFTCOPY.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	PAYMENT-SWIFTCOPY.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	PAYMENT-SWIFTCOPY.exe

Loads dropped DLL 9 IoCs

Processes:

PAYMENT-SWIFTCOPY.exeAdvancedRun.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exeAdvancedRun.exe

pid	process
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
620	AdvancedRun.exe
620	AdvancedRun.exe
1820	PAYMENT-SWIFTCOPY.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
2196	AdvancedRun.exe
2196	AdvancedRun.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

PAYMENT-SWIFTCOPY.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	PAYMENT-SWIFTCOPY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	PAYMENT-SWIFTCOPY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe = "0"	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe = "0"	PAYMENT-SWIFTCOPY.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe = "0"	PAYMENT-SWIFTCOPY.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PAYMENT-SWIFTCOPY.exeregsvcs.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ = "C:\\Windows\\Cursors\\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\\svchost.exe"	PAYMENT-SWIFTCOPY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service = "C:\\Program Files (x86)\\SMTP Service\\smtpsvc.exe"	regsvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ = "C:\\Windows\\Cursors\\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\\svchost.exe"	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

PAYMENT-SWIFTCOPY.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	PAYMENT-SWIFTCOPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PAYMENT-SWIFTCOPY.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 29 IoCs

Processes:

PAYMENT-SWIFTCOPY.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

pid	process
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PAYMENT-SWIFTCOPY.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

description	pid	process	target process
PID 1820 set thread context of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1008 set thread context of 2732	1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	regsvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

regsvcs.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SMTP Service\smtpsvc.exe	regsvcs.exe
File created	C:\Program Files (x86)\SMTP Service\smtpsvc.exe	regsvcs.exe

Drops file in Windows directory 1 IoCs

Processes:

PAYMENT-SWIFTCOPY.exe

description ioc process

File created C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe PAYMENT-SWIFTCOPY.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2136 schtasks.exe
2284 schtasks.exe

description	ioc	process
File created	C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe	PAYMENT-SWIFTCOPY.exe

pid	process
2136	schtasks.exe
2284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exePAYMENT-SWIFTCOPY.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exeregsvcs.exepowershell.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
620	AdvancedRun.exe
620	AdvancedRun.exe
592	AdvancedRun.exe
592	AdvancedRun.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1820	PAYMENT-SWIFTCOPY.exe
1080	powershell.exe
2024	powershell.exe
1556	powershell.exe
1364	powershell.exe
1956	powershell.exe
984	powershell.exe
1484	powershell.exe
1752	powershell.exe
2196	AdvancedRun.exe
2196	AdvancedRun.exe
2252	AdvancedRun.exe
2252	AdvancedRun.exe
932	regsvcs.exe
932	regsvcs.exe
932	regsvcs.exe
2404	powershell.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
2524	powershell.exe
2440	powershell.exe
2476	powershell.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
2608	powershell.exe
932	regsvcs.exe
932	regsvcs.exe
932	regsvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regsvcs.exe

pid process

932 regsvcs.exe

pid	process
932	regsvcs.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

PAYMENT-SWIFTCOPY.exeAdvancedRun.exeAdvancedRun.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exeregsvcs.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1820	PAYMENT-SWIFTCOPY.exe
Token: SeDebugPrivilege	620	AdvancedRun.exe
Token: SeImpersonatePrivilege	620	AdvancedRun.exe
Token: SeDebugPrivilege	592	AdvancedRun.exe
Token: SeImpersonatePrivilege	592	AdvancedRun.exe
Token: SeDebugPrivilege	1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2196	AdvancedRun.exe
Token: SeImpersonatePrivilege	2196	AdvancedRun.exe
Token: SeDebugPrivilege	2252	AdvancedRun.exe
Token: SeImpersonatePrivilege	2252	AdvancedRun.exe
Token: SeDebugPrivilege	932	regsvcs.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PAYMENT-SWIFTCOPY.exeAdvancedRun.exeregsvcs.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

description	pid	process	target process
PID 1820 wrote to memory of 620	1820	PAYMENT-SWIFTCOPY.exe	AdvancedRun.exe
PID 1820 wrote to memory of 620	1820	PAYMENT-SWIFTCOPY.exe	AdvancedRun.exe
PID 1820 wrote to memory of 620	1820	PAYMENT-SWIFTCOPY.exe	AdvancedRun.exe
PID 1820 wrote to memory of 620	1820	PAYMENT-SWIFTCOPY.exe	AdvancedRun.exe
PID 620 wrote to memory of 592	620	AdvancedRun.exe	AdvancedRun.exe
PID 620 wrote to memory of 592	620	AdvancedRun.exe	AdvancedRun.exe
PID 620 wrote to memory of 592	620	AdvancedRun.exe	AdvancedRun.exe
PID 620 wrote to memory of 592	620	AdvancedRun.exe	AdvancedRun.exe
PID 1820 wrote to memory of 1484	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1484	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1484	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1484	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1956	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1956	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1956	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1956	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1752	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1752	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1752	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1752	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 984	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 984	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 984	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 984	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1364	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1364	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1364	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1364	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1008	1820	PAYMENT-SWIFTCOPY.exe	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
PID 1820 wrote to memory of 1008	1820	PAYMENT-SWIFTCOPY.exe	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
PID 1820 wrote to memory of 1008	1820	PAYMENT-SWIFTCOPY.exe	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
PID 1820 wrote to memory of 1008	1820	PAYMENT-SWIFTCOPY.exe	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
PID 1820 wrote to memory of 2024	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 2024	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 2024	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 2024	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1080	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1080	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1080	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1080	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1556	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1556	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1556	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 1556	1820	PAYMENT-SWIFTCOPY.exe	powershell.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 1820 wrote to memory of 932	1820	PAYMENT-SWIFTCOPY.exe	regsvcs.exe
PID 932 wrote to memory of 2136	932	regsvcs.exe	schtasks.exe
PID 932 wrote to memory of 2136	932	regsvcs.exe	schtasks.exe
PID 932 wrote to memory of 2136	932	regsvcs.exe	schtasks.exe
PID 932 wrote to memory of 2136	932	regsvcs.exe	schtasks.exe
PID 1008 wrote to memory of 2196	1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	AdvancedRun.exe
PID 1008 wrote to memory of 2196	1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	AdvancedRun.exe
PID 1008 wrote to memory of 2196	1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	AdvancedRun.exe
PID 1008 wrote to memory of 2196	1008	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe	AdvancedRun.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

PAYMENT-SWIFTCOPY.exeᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	PAYMENT-SWIFTCOPY.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1820
- C:\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe" /SpecialRun 4101d8 620
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe" /SpecialRun 4101d8 2196
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    3⤵
    PID:2732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT-SWIFTCOPY.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\熔燅燐熔熖熘熔熘熘熩熘熕熒燌熕\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2136
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4DF2.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4099.tmp

MD5
2511f5150c45c9c6141788c8be9a44bd

SHA1
1e468ad16380d3b6a7268d7af2482f6259c8651d

SHA256
b95602df2c09914384788c97c9bca318fc50bb443de39b13fb2e45856a2fe065

SHA512
a638b54fbe899780f6dcee8a1859085bcfd2f2195c6db092811b8019c5f4969457ba80b80e3a31c16f4bc964e3c9afbcdf6141c3a2e8953ad209838de8ca1a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DF2.tmp

MD5
cfae5a3b7d8aa9653fe2512578a0d23a

SHA1
a91a2f8daef114f89038925ada6784646a0a5b12

SHA256
2ab741415f193a2a9134eac48a2310899d18efb5e61c3e81c35140a7efea30fa

SHA512
9dfd7eca6924ae2785ce826a447b6ce6d043c552fbd3b8a804ce6722b07a74900e703dc56cd4443cae9ab9601f21a6068e29771e48497a9ae434096a11814e84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
83b46bed6f215cc56006ea79b6646f89

SHA1
37b4fd8bd38cd0e98f3b84e467758c61fd3a9924

SHA256
01bd25a1bdaa4171d9d6717a862f3da63c3a9f406966c59f0d226817e1c83f63

SHA512
d3a6bc6412e4ecc4e7c6c603363aafef73ad7d58ee380fa5e2c95ecf837cdc59e095286c9db2115304ef7b3575cce43911f8f931f8d684f4577af959fe9d947c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
83b46bed6f215cc56006ea79b6646f89

SHA1
37b4fd8bd38cd0e98f3b84e467758c61fd3a9924

SHA256
01bd25a1bdaa4171d9d6717a862f3da63c3a9f406966c59f0d226817e1c83f63

SHA512
d3a6bc6412e4ecc4e7c6c603363aafef73ad7d58ee380fa5e2c95ecf837cdc59e095286c9db2115304ef7b3575cce43911f8f931f8d684f4577af959fe9d947c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
83b46bed6f215cc56006ea79b6646f89

SHA1
37b4fd8bd38cd0e98f3b84e467758c61fd3a9924

SHA256
01bd25a1bdaa4171d9d6717a862f3da63c3a9f406966c59f0d226817e1c83f63

SHA512
d3a6bc6412e4ecc4e7c6c603363aafef73ad7d58ee380fa5e2c95ecf837cdc59e095286c9db2115304ef7b3575cce43911f8f931f8d684f4577af959fe9d947c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
83b46bed6f215cc56006ea79b6646f89

SHA1
37b4fd8bd38cd0e98f3b84e467758c61fd3a9924

SHA256
01bd25a1bdaa4171d9d6717a862f3da63c3a9f406966c59f0d226817e1c83f63

SHA512
d3a6bc6412e4ecc4e7c6c603363aafef73ad7d58ee380fa5e2c95ecf837cdc59e095286c9db2115304ef7b3575cce43911f8f931f8d684f4577af959fe9d947c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
83b46bed6f215cc56006ea79b6646f89

SHA1
37b4fd8bd38cd0e98f3b84e467758c61fd3a9924

SHA256
01bd25a1bdaa4171d9d6717a862f3da63c3a9f406966c59f0d226817e1c83f63

SHA512
d3a6bc6412e4ecc4e7c6c603363aafef73ad7d58ee380fa5e2c95ecf837cdc59e095286c9db2115304ef7b3575cce43911f8f931f8d684f4577af959fe9d947c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
83b46bed6f215cc56006ea79b6646f89

SHA1
37b4fd8bd38cd0e98f3b84e467758c61fd3a9924

SHA256
01bd25a1bdaa4171d9d6717a862f3da63c3a9f406966c59f0d226817e1c83f63

SHA512
d3a6bc6412e4ecc4e7c6c603363aafef73ad7d58ee380fa5e2c95ecf837cdc59e095286c9db2115304ef7b3575cce43911f8f931f8d684f4577af959fe9d947c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
83b46bed6f215cc56006ea79b6646f89

SHA1
37b4fd8bd38cd0e98f3b84e467758c61fd3a9924

SHA256
01bd25a1bdaa4171d9d6717a862f3da63c3a9f406966c59f0d226817e1c83f63

SHA512
d3a6bc6412e4ecc4e7c6c603363aafef73ad7d58ee380fa5e2c95ecf837cdc59e095286c9db2115304ef7b3575cce43911f8f931f8d684f4577af959fe9d947c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
83b46bed6f215cc56006ea79b6646f89

SHA1
37b4fd8bd38cd0e98f3b84e467758c61fd3a9924

SHA256
01bd25a1bdaa4171d9d6717a862f3da63c3a9f406966c59f0d226817e1c83f63

SHA512
d3a6bc6412e4ecc4e7c6c603363aafef73ad7d58ee380fa5e2c95ecf837cdc59e095286c9db2115304ef7b3575cce43911f8f931f8d684f4577af959fe9d947c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
83b46bed6f215cc56006ea79b6646f89

SHA1
37b4fd8bd38cd0e98f3b84e467758c61fd3a9924

SHA256
01bd25a1bdaa4171d9d6717a862f3da63c3a9f406966c59f0d226817e1c83f63

SHA512
d3a6bc6412e4ecc4e7c6c603363aafef73ad7d58ee380fa5e2c95ecf837cdc59e095286c9db2115304ef7b3575cce43911f8f931f8d684f4577af959fe9d947c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
83b46bed6f215cc56006ea79b6646f89

SHA1
37b4fd8bd38cd0e98f3b84e467758c61fd3a9924

SHA256
01bd25a1bdaa4171d9d6717a862f3da63c3a9f406966c59f0d226817e1c83f63

SHA512
d3a6bc6412e4ecc4e7c6c603363aafef73ad7d58ee380fa5e2c95ecf837cdc59e095286c9db2115304ef7b3575cce43911f8f931f8d684f4577af959fe9d947c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

MD5
788c7a25b15a7263c24c4060f0c0df6a

SHA1
c28333f296ea281d90610a0866d5cdb8885fc34b

SHA256
4ba6a3b111db7d0e22339141a17eb368e1882734fe0a22641c46ab94c725bfad

SHA512
eb6b0ea6b483c000940c2a30a9ccee14d44a9b1c748486a6b6996e723526aa9e31a7f8df8599c7ed7720f528ab241b70a7f174ccfc054afc589447045c101e85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

MD5
788c7a25b15a7263c24c4060f0c0df6a

SHA1
c28333f296ea281d90610a0866d5cdb8885fc34b

SHA256
4ba6a3b111db7d0e22339141a17eb368e1882734fe0a22641c46ab94c725bfad

SHA512
eb6b0ea6b483c000940c2a30a9ccee14d44a9b1c748486a6b6996e723526aa9e31a7f8df8599c7ed7720f528ab241b70a7f174ccfc054afc589447045c101e85

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\7216150a-d20f-4d8d-8d96-c76ccc5e12b0\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\764857b2-1457-402e-8ac2-f34c56af46a2\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ᇩᇧሟሓᇠᇠᇨሞᇢᇡᇠᇤᇦᇥᇠ.exe

MD5
788c7a25b15a7263c24c4060f0c0df6a

SHA1
c28333f296ea281d90610a0866d5cdb8885fc34b

SHA256
4ba6a3b111db7d0e22339141a17eb368e1882734fe0a22641c46ab94c725bfad

SHA512
eb6b0ea6b483c000940c2a30a9ccee14d44a9b1c748486a6b6996e723526aa9e31a7f8df8599c7ed7720f528ab241b70a7f174ccfc054afc589447045c101e85

Download Submit
memory/592-69-0x0000000000000000-mapping.dmp

Download
memory/620-63-0x0000000000000000-mapping.dmp

Download
memory/932-151-0x00000000009C0000-0x00000000009D9000-memory.dmp

Filesize
100KB

Download
memory/932-128-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/932-118-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/932-119-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/932-153-0x0000000004E45000-0x0000000004E56000-memory.dmp

Filesize
68KB

Download
memory/932-152-0x00000000009F0000-0x00000000009F3000-memory.dmp

Filesize
12KB

Download
memory/932-150-0x00000000009B0000-0x00000000009B5000-memory.dmp

Filesize
20KB

Download
memory/932-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/932-117-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/932-123-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/932-122-0x000000000041E792-mapping.dmp

Download
memory/932-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/984-129-0x0000000000602000-0x0000000000604000-memory.dmp

Filesize
8KB

Download
memory/984-109-0x0000000000601000-0x0000000000602000-memory.dmp

Filesize
4KB

Download
memory/984-77-0x0000000000000000-mapping.dmp

Download
memory/984-103-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1008-93-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/1008-84-0x0000000000000000-mapping.dmp

Download
memory/1008-89-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1008-179-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1080-91-0x0000000000000000-mapping.dmp

Download
memory/1080-127-0x00000000025C0000-0x000000000320A000-memory.dmp

Filesize
12.3MB

Download
memory/1080-116-0x00000000025C0000-0x000000000320A000-memory.dmp

Filesize
12.3MB

Download
memory/1080-107-0x00000000025C0000-0x000000000320A000-memory.dmp

Filesize
12.3MB

Download
memory/1364-133-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download
memory/1364-112-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download
memory/1364-113-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download
memory/1364-80-0x0000000000000000-mapping.dmp

Download
memory/1484-114-0x00000000026D0000-0x000000000331A000-memory.dmp

Filesize
12.3MB

Download
memory/1484-72-0x0000000000000000-mapping.dmp

Download
memory/1484-111-0x00000000026D0000-0x000000000331A000-memory.dmp

Filesize
12.3MB

Download
memory/1484-131-0x00000000026D0000-0x000000000331A000-memory.dmp

Filesize
12.3MB

Download
memory/1556-105-0x0000000000791000-0x0000000000792000-memory.dmp

Filesize
4KB

Download
memory/1556-96-0x0000000000000000-mapping.dmp

Download
memory/1556-125-0x0000000000792000-0x0000000000794000-memory.dmp

Filesize
8KB

Download
memory/1556-115-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1752-76-0x0000000000000000-mapping.dmp

Download
memory/1752-102-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/1752-132-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/1820-55-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1820-60-0x00000000005D0000-0x000000000065B000-memory.dmp

Filesize
556KB

Download
memory/1820-57-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1820-58-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/1820-59-0x0000000000470000-0x0000000000473000-memory.dmp

Filesize
12KB

Download
memory/1956-130-0x0000000002232000-0x0000000002234000-memory.dmp

Filesize
8KB

Download
memory/1956-106-0x0000000002231000-0x0000000002232000-memory.dmp

Filesize
4KB

Download
memory/1956-73-0x0000000000000000-mapping.dmp

Download
memory/1956-110-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2024-104-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/2024-88-0x0000000000000000-mapping.dmp

Download
memory/2024-108-0x00000000023C1000-0x00000000023C2000-memory.dmp

Filesize
4KB

Download
memory/2024-126-0x00000000023C2000-0x00000000023C4000-memory.dmp

Filesize
8KB

Download
memory/2136-134-0x0000000000000000-mapping.dmp

Download
memory/2196-139-0x0000000000000000-mapping.dmp

Download
memory/2252-145-0x0000000000000000-mapping.dmp

Download
memory/2284-148-0x0000000000000000-mapping.dmp

Download
memory/2404-164-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2404-154-0x0000000000000000-mapping.dmp

Download
memory/2404-165-0x0000000002411000-0x0000000002412000-memory.dmp

Filesize
4KB

Download
memory/2404-168-0x0000000002412000-0x0000000002414000-memory.dmp

Filesize
8KB

Download
memory/2440-155-0x0000000000000000-mapping.dmp

Download
memory/2476-157-0x0000000000000000-mapping.dmp

Download
memory/2476-189-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/2476-193-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/2476-195-0x0000000002480000-0x00000000030CA000-memory.dmp

Filesize
12.3MB

Download
memory/2524-158-0x0000000000000000-mapping.dmp

Download
memory/2524-182-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2524-184-0x00000000022C1000-0x00000000022C2000-memory.dmp

Filesize
4KB

Download
memory/2524-187-0x00000000022C2000-0x00000000022C4000-memory.dmp

Filesize
8KB

Download
memory/2608-163-0x0000000000000000-mapping.dmp

Download
memory/2732-178-0x000000000041E792-mapping.dmp

Download
memory/2732-191-0x0000000004810000-0x0000000004811000-memory.dmp

Filesize
4KB

Download