njrat | 566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-en-20211104
submitted
05-11-2021 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7355d1a43f1d438e09eebff0c90211b0.exe
Size

227KB
MD5

7355d1a43f1d438e09eebff0c90211b0
SHA1

4d6ca4321e87d5381ceeb1b60c300b7ab69ef30a
SHA256

566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c
SHA512

867b8beda9c79d09cd40267f254f3134a5a8837cd195c1324a938fa17e53521910f0cc3b038a4676ce84c87bd475778a1900ea80ed03850b3ac7f4141ecbef2e

Score

10^/10

njrat directx evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

DirectX

20.79.249.125:1604

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata

Nirsoft 14 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exeAdvancedRun.exeAdvancedRun.exe

pid process

840 AdvancedRun.exe
1324 AdvancedRun.exe
1336 䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
2216 AdvancedRun.exe
2276 AdvancedRun.exe

Drops startup file 4 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	7355d1a43f1d438e09eebff0c90211b0.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	7355d1a43f1d438e09eebff0c90211b0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	7355d1a43f1d438e09eebff0c90211b0.exe

Loads dropped DLL 9 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exeAdvancedRun.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exeAdvancedRun.exe

pid	process
1268	7355d1a43f1d438e09eebff0c90211b0.exe
1268	7355d1a43f1d438e09eebff0c90211b0.exe
840	AdvancedRun.exe
840	AdvancedRun.exe
1268	7355d1a43f1d438e09eebff0c90211b0.exe
1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
2216	AdvancedRun.exe
2216	AdvancedRun.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	7355d1a43f1d438e09eebff0c90211b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	7355d1a43f1d438e09eebff0c90211b0.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾 = "C:\\Windows\\Microsoft.NET\\Framework\\\u200c\u2008\u200c\u200c\u202f›‼\u200d‽\u2028\u2009\u200d\u200b\u200f\u200a\\svchost.exe"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾 = "C:\\Windows\\Microsoft.NET\\Framework\\\u200c\u2008\u200c\u200c\u202f›‼\u200d‽\u2028\u2009\u200d\u200b\u200f\u200a\\svchost.exe"	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

Drops file in Windows directory 1 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe	7355d1a43f1d438e09eebff0c90211b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
840	AdvancedRun.exe
840	AdvancedRun.exe
1324	AdvancedRun.exe
1324	AdvancedRun.exe
456	powershell.exe
1172	powershell.exe
1776	powershell.exe
1916	powershell.exe
1008	powershell.exe
752	powershell.exe
1716	powershell.exe
1148	powershell.exe
2216	AdvancedRun.exe
2216	AdvancedRun.exe
2276	AdvancedRun.exe
2276	AdvancedRun.exe
2496	powershell.exe
2416	powershell.exe
2452	powershell.exe
2548	powershell.exe
2632	powershell.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exeAdvancedRun.exeAdvancedRun.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeDebugPrivilege	840	AdvancedRun.exe
Token: SeImpersonatePrivilege	840	AdvancedRun.exe
Token: SeDebugPrivilege	1324	AdvancedRun.exe
Token: SeImpersonatePrivilege	1324	AdvancedRun.exe
Token: SeDebugPrivilege	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2216	AdvancedRun.exe
Token: SeImpersonatePrivilege	2216	AdvancedRun.exe
Token: SeDebugPrivilege	2276	AdvancedRun.exe
Token: SeImpersonatePrivilege	2276	AdvancedRun.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	1268	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	1268	7355d1a43f1d438e09eebff0c90211b0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exeAdvancedRun.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exeAdvancedRun.exe

description	pid	process	target process
PID 1268 wrote to memory of 840	1268	7355d1a43f1d438e09eebff0c90211b0.exe	AdvancedRun.exe
PID 1268 wrote to memory of 840	1268	7355d1a43f1d438e09eebff0c90211b0.exe	AdvancedRun.exe
PID 1268 wrote to memory of 840	1268	7355d1a43f1d438e09eebff0c90211b0.exe	AdvancedRun.exe
PID 1268 wrote to memory of 840	1268	7355d1a43f1d438e09eebff0c90211b0.exe	AdvancedRun.exe
PID 840 wrote to memory of 1324	840	AdvancedRun.exe	AdvancedRun.exe
PID 840 wrote to memory of 1324	840	AdvancedRun.exe	AdvancedRun.exe
PID 840 wrote to memory of 1324	840	AdvancedRun.exe	AdvancedRun.exe
PID 840 wrote to memory of 1324	840	AdvancedRun.exe	AdvancedRun.exe
PID 1268 wrote to memory of 1148	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1148	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1148	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1148	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1008	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1008	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1008	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1008	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1716	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1716	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1716	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1716	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 456	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 456	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 456	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 456	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1172	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1172	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1172	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1172	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1336	1268	7355d1a43f1d438e09eebff0c90211b0.exe	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
PID 1268 wrote to memory of 1336	1268	7355d1a43f1d438e09eebff0c90211b0.exe	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
PID 1268 wrote to memory of 1336	1268	7355d1a43f1d438e09eebff0c90211b0.exe	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
PID 1268 wrote to memory of 1336	1268	7355d1a43f1d438e09eebff0c90211b0.exe	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
PID 1268 wrote to memory of 1776	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1776	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1776	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1776	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 752	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 752	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 752	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 752	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1916	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1916	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1916	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1268 wrote to memory of 1916	1268	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 1336 wrote to memory of 2216	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	AdvancedRun.exe
PID 1336 wrote to memory of 2216	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	AdvancedRun.exe
PID 1336 wrote to memory of 2216	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	AdvancedRun.exe
PID 1336 wrote to memory of 2216	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	AdvancedRun.exe
PID 2216 wrote to memory of 2276	2216	AdvancedRun.exe	AdvancedRun.exe
PID 2216 wrote to memory of 2276	2216	AdvancedRun.exe	AdvancedRun.exe
PID 2216 wrote to memory of 2276	2216	AdvancedRun.exe	AdvancedRun.exe
PID 2216 wrote to memory of 2276	2216	AdvancedRun.exe	AdvancedRun.exe
PID 1336 wrote to memory of 2416	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1336 wrote to memory of 2416	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1336 wrote to memory of 2416	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1336 wrote to memory of 2416	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1336 wrote to memory of 2452	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1336 wrote to memory of 2452	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1336 wrote to memory of 2452	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1336 wrote to memory of 2452	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1336 wrote to memory of 2496	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1336 wrote to memory of 2496	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1336 wrote to memory of 2496	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe
PID 1336 wrote to memory of 2496	1336	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	powershell.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe
"C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1268

C:\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe" /SpecialRun 4101d8 840
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1336

C:\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe" /SpecialRun 4101d8 2216
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
13487bfb25d04f2996d8ee7132880289

SHA1
8f48bff80bce3fc3994d3696699290e953dddd2e

SHA256
43f2446c78e57c6a6a2adf0e48a1be9eb2dcee43ad913199619c4a2fe8495964

SHA512
a8fab3e08e4e171629778932ac1d1a956de213f2a894e4a3e7a1c73ed46ac5df92a3223ddd45a04c94d124227c604b52f9c3253c740f763b9437061ec0bcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
13487bfb25d04f2996d8ee7132880289

SHA1
8f48bff80bce3fc3994d3696699290e953dddd2e

SHA256
43f2446c78e57c6a6a2adf0e48a1be9eb2dcee43ad913199619c4a2fe8495964

SHA512
a8fab3e08e4e171629778932ac1d1a956de213f2a894e4a3e7a1c73ed46ac5df92a3223ddd45a04c94d124227c604b52f9c3253c740f763b9437061ec0bcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
13487bfb25d04f2996d8ee7132880289

SHA1
8f48bff80bce3fc3994d3696699290e953dddd2e

SHA256
43f2446c78e57c6a6a2adf0e48a1be9eb2dcee43ad913199619c4a2fe8495964

SHA512
a8fab3e08e4e171629778932ac1d1a956de213f2a894e4a3e7a1c73ed46ac5df92a3223ddd45a04c94d124227c604b52f9c3253c740f763b9437061ec0bcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
13487bfb25d04f2996d8ee7132880289

SHA1
8f48bff80bce3fc3994d3696699290e953dddd2e

SHA256
43f2446c78e57c6a6a2adf0e48a1be9eb2dcee43ad913199619c4a2fe8495964

SHA512
a8fab3e08e4e171629778932ac1d1a956de213f2a894e4a3e7a1c73ed46ac5df92a3223ddd45a04c94d124227c604b52f9c3253c740f763b9437061ec0bcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
13487bfb25d04f2996d8ee7132880289

SHA1
8f48bff80bce3fc3994d3696699290e953dddd2e

SHA256
43f2446c78e57c6a6a2adf0e48a1be9eb2dcee43ad913199619c4a2fe8495964

SHA512
a8fab3e08e4e171629778932ac1d1a956de213f2a894e4a3e7a1c73ed46ac5df92a3223ddd45a04c94d124227c604b52f9c3253c740f763b9437061ec0bcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
13487bfb25d04f2996d8ee7132880289

SHA1
8f48bff80bce3fc3994d3696699290e953dddd2e

SHA256
43f2446c78e57c6a6a2adf0e48a1be9eb2dcee43ad913199619c4a2fe8495964

SHA512
a8fab3e08e4e171629778932ac1d1a956de213f2a894e4a3e7a1c73ed46ac5df92a3223ddd45a04c94d124227c604b52f9c3253c740f763b9437061ec0bcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
13487bfb25d04f2996d8ee7132880289

SHA1
8f48bff80bce3fc3994d3696699290e953dddd2e

SHA256
43f2446c78e57c6a6a2adf0e48a1be9eb2dcee43ad913199619c4a2fe8495964

SHA512
a8fab3e08e4e171629778932ac1d1a956de213f2a894e4a3e7a1c73ed46ac5df92a3223ddd45a04c94d124227c604b52f9c3253c740f763b9437061ec0bcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
13487bfb25d04f2996d8ee7132880289

SHA1
8f48bff80bce3fc3994d3696699290e953dddd2e

SHA256
43f2446c78e57c6a6a2adf0e48a1be9eb2dcee43ad913199619c4a2fe8495964

SHA512
a8fab3e08e4e171629778932ac1d1a956de213f2a894e4a3e7a1c73ed46ac5df92a3223ddd45a04c94d124227c604b52f9c3253c740f763b9437061ec0bcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
13487bfb25d04f2996d8ee7132880289

SHA1
8f48bff80bce3fc3994d3696699290e953dddd2e

SHA256
43f2446c78e57c6a6a2adf0e48a1be9eb2dcee43ad913199619c4a2fe8495964

SHA512
a8fab3e08e4e171629778932ac1d1a956de213f2a894e4a3e7a1c73ed46ac5df92a3223ddd45a04c94d124227c604b52f9c3253c740f763b9437061ec0bcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
13487bfb25d04f2996d8ee7132880289

SHA1
8f48bff80bce3fc3994d3696699290e953dddd2e

SHA256
43f2446c78e57c6a6a2adf0e48a1be9eb2dcee43ad913199619c4a2fe8495964

SHA512
a8fab3e08e4e171629778932ac1d1a956de213f2a894e4a3e7a1c73ed46ac5df92a3223ddd45a04c94d124227c604b52f9c3253c740f763b9437061ec0bcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
13487bfb25d04f2996d8ee7132880289

SHA1
8f48bff80bce3fc3994d3696699290e953dddd2e

SHA256
43f2446c78e57c6a6a2adf0e48a1be9eb2dcee43ad913199619c4a2fe8495964

SHA512
a8fab3e08e4e171629778932ac1d1a956de213f2a894e4a3e7a1c73ed46ac5df92a3223ddd45a04c94d124227c604b52f9c3253c740f763b9437061ec0bcd50a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
MD5
dd41ed962d62e44913b1089edd2383d7

SHA1
dea9deb11bf7d92e557ca7bd0e690fad47c18ab9

SHA256
bf8747a0ca8ffa4ffa37df0013c9f5e25e4967154c6be976d2830cc47b6c4ed7

SHA512
6f31c60621912a7243ad796fa3b27ffcdcb0a3dbd6f5405803405387364a687119956bd63958e41c8acced6249a3fe53c49002a9537f85c00b835f62940b8df1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
MD5
7355d1a43f1d438e09eebff0c90211b0

SHA1
4d6ca4321e87d5381ceeb1b60c300b7ab69ef30a

SHA256
566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c

SHA512
867b8beda9c79d09cd40267f254f3134a5a8837cd195c1324a938fa17e53521910f0cc3b038a4676ce84c87bd475778a1900ea80ed03850b3ac7f4141ecbef2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
MD5
7355d1a43f1d438e09eebff0c90211b0

SHA1
4d6ca4321e87d5381ceeb1b60c300b7ab69ef30a

SHA256
566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c

SHA512
867b8beda9c79d09cd40267f254f3134a5a8837cd195c1324a938fa17e53521910f0cc3b038a4676ce84c87bd475778a1900ea80ed03850b3ac7f4141ecbef2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5
fe5a8609873fca1988e785b67a2dd6ce

SHA1
e545c471f68c07ee560be48b8ab087792bea5a96

SHA256
a699cd9140cc803a5d4ab3aa8df257a79196ec6fc555d081288b915919074b44

SHA512
2953ce278a05feb044bc175bec8dfe2fdae1952c8cf0266c9b1e933f6e91e827b850978a83297ba8bd7c9c970a060a18475578f88e86ded8446e00857c82123b

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\74635970-69f4-4c43-b2df-c6d9442a3c01\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\e09c3fee-013c-4be2-a96c-ac1dbc3e04fb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
MD5
7355d1a43f1d438e09eebff0c90211b0

SHA1
4d6ca4321e87d5381ceeb1b60c300b7ab69ef30a

SHA256
566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c

SHA512
867b8beda9c79d09cd40267f254f3134a5a8837cd195c1324a938fa17e53521910f0cc3b038a4676ce84c87bd475778a1900ea80ed03850b3ac7f4141ecbef2e

Download Submit
memory/456-80-0x0000000000000000-mapping.dmp

Download
memory/456-122-0x00000000022C0000-0x0000000002F0A000-memory.dmp

Filesize
12.3MB

Download
memory/456-110-0x00000000022C0000-0x0000000002F0A000-memory.dmp

Filesize
12.3MB

Download
memory/456-118-0x00000000022C0000-0x0000000002F0A000-memory.dmp

Filesize
12.3MB

Download
memory/752-120-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/752-124-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/752-114-0x00000000024A0000-0x00000000030EA000-memory.dmp

Filesize
12.3MB

Download
memory/752-95-0x0000000000000000-mapping.dmp

Download
memory/840-65-0x0000000000000000-mapping.dmp

Download
memory/1008-116-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/1008-75-0x0000000000000000-mapping.dmp

Download
memory/1008-105-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/1008-125-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/1148-99-0x0000000002230000-0x0000000002E7A000-memory.dmp

Filesize
12.3MB

Download
memory/1148-74-0x0000000000000000-mapping.dmp

Download
memory/1172-121-0x00000000024E0000-0x000000000312A000-memory.dmp

Filesize
12.3MB

Download
memory/1172-82-0x0000000000000000-mapping.dmp

Download
memory/1172-119-0x00000000024E0000-0x000000000312A000-memory.dmp

Filesize
12.3MB

Download
memory/1172-101-0x00000000024E0000-0x000000000312A000-memory.dmp

Filesize
12.3MB

Download
memory/1268-113-0x00000000007C0000-0x00000000007C7000-memory.dmp

Filesize
28KB

Download
memory/1268-62-0x0000000000560000-0x00000000005B2000-memory.dmp

Filesize
328KB

Download
memory/1268-61-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/1268-60-0x0000000000600000-0x0000000000603000-memory.dmp

Filesize
12KB

Download
memory/1268-55-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/1268-58-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/1268-57-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1324-71-0x0000000000000000-mapping.dmp

Download
memory/1336-100-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1336-88-0x0000000000000000-mapping.dmp

Download
memory/1336-92-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1336-111-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1716-78-0x0000000000000000-mapping.dmp

Download
memory/1716-109-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/1776-91-0x0000000000000000-mapping.dmp

Download
memory/1776-108-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/1776-117-0x0000000001DE1000-0x0000000001DE2000-memory.dmp

Filesize
4KB

Download
memory/1776-123-0x0000000001DE2000-0x0000000001DE4000-memory.dmp

Filesize
8KB

Download
memory/1916-97-0x0000000000000000-mapping.dmp

Download
memory/1916-115-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/2216-129-0x0000000000000000-mapping.dmp

Download
memory/2276-135-0x0000000000000000-mapping.dmp

Download
memory/2416-157-0x0000000002440000-0x000000000308A000-memory.dmp

Filesize
12.3MB

Download
memory/2416-151-0x0000000002440000-0x000000000308A000-memory.dmp

Filesize
12.3MB

Download
memory/2416-138-0x0000000000000000-mapping.dmp

Download
memory/2416-153-0x0000000002440000-0x000000000308A000-memory.dmp

Filesize
12.3MB

Download
memory/2452-140-0x0000000000000000-mapping.dmp

Download
memory/2452-163-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/2452-165-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/2452-164-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/2496-141-0x0000000000000000-mapping.dmp

Download
memory/2496-155-0x0000000002281000-0x0000000002282000-memory.dmp

Filesize
4KB

Download
memory/2496-154-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2496-156-0x0000000002282000-0x0000000002284000-memory.dmp

Filesize
8KB

Download
memory/2548-143-0x0000000000000000-mapping.dmp

Download
memory/2548-166-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/2548-168-0x00000000023D0000-0x000000000301A000-memory.dmp

Filesize
12.3MB

Download
memory/2632-147-0x0000000000000000-mapping.dmp

Download
memory/2632-167-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/2632-169-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/2632-170-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download