412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326

Analysis

max time kernel
111s
max time network
110s
platform
windows7_x64
resource
win7v20201028
submitted
06-11-2020 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
Size

725KB
MD5

a8d6d7d35598c80ffb2e81a144deaf22
SHA1

a8cb80156d4fea3f081706346ae1e169aa3d732b
SHA256

412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326
SHA512

f05bae0d296c5fddc12001389c10e226e5d63917b71af4eaa72390b50333b73aace9cd6f63ce9a5c794c3cae177a028a5c1c7d9bd634852ceee029ac145a61a4

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Disabling Security Tools
T1089

Command-Line Interface
T1059

Processes:

mpcmdrun.exe

pid process

2036 mpcmdrun.exe
Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

updatewin2.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts updatewin2.exe
Executes dropped EXE 4 IoCs

Processes:

updatewin1.exeupdatewin1.exeupdatewin2.exe5.exe

pid process

1924 updatewin1.exe
1820 updatewin1.exe
1652 updatewin2.exe
1764 5.exe

pid	process
2036	mpcmdrun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

pid	process
1924	updatewin1.exe
1820	updatewin1.exe
1652	updatewin2.exe
1764	5.exe

Loads dropped DLL 16 IoCs

Processes:

412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exeupdatewin1.exeupdatewin1.exe5.exe

pid	process
688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
1924	updatewin1.exe
1924	updatewin1.exe
1924	updatewin1.exe
1924	updatewin1.exe
1924	updatewin1.exe
1820	updatewin1.exe
1820	updatewin1.exe
1820	updatewin1.exe
688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
1764	5.exe
1764	5.exe
1764	5.exe
1764	5.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

768 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
768	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1a072c0b-a956-4ca1-b50b-5e1ead437938\\412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe\" --AutoStart"	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe

JavaScript code in executable 1 IoCs

Processes:

resource yara_rule

\ProgramData\nss3.dll js
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 ip-api.com
6 api.2ip.ua
7 api.2ip.ua
17 api.2ip.ua

resource	yara_rule
\ProgramData\nss3.dll	js

flow	ioc
33	ip-api.com
6	api.2ip.ua
7	api.2ip.ua
17	api.2ip.ua

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

940 taskkill.exe

pid	process
940	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c190000000100000010000000ea6089055218053dd01e37e1d806eedf040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf91400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exepowershell.exepowershell.exepowershell.exe5.exe

pid	process
1992	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
1992	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
572	powershell.exe
572	powershell.exe
572	powershell.exe
456	powershell.exe
456	powershell.exe
892	powershell.exe
1764	5.exe
1764	5.exe
1764	5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	940	taskkill.exe

Suspicious use of WriteProcessMemory 73 IoCs

Processes:

412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exeupdatewin1.exeupdatewin1.exepowershell.exe

description	pid	process	target process
PID 1992 wrote to memory of 768	1992	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	icacls.exe
PID 1992 wrote to memory of 768	1992	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	icacls.exe
PID 1992 wrote to memory of 768	1992	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	icacls.exe
PID 1992 wrote to memory of 768	1992	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	icacls.exe
PID 1992 wrote to memory of 688	1992	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
PID 1992 wrote to memory of 688	1992	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
PID 1992 wrote to memory of 688	1992	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
PID 1992 wrote to memory of 688	1992	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
PID 688 wrote to memory of 1924	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin1.exe
PID 688 wrote to memory of 1924	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin1.exe
PID 688 wrote to memory of 1924	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin1.exe
PID 688 wrote to memory of 1924	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin1.exe
PID 688 wrote to memory of 1924	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin1.exe
PID 688 wrote to memory of 1924	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin1.exe
PID 688 wrote to memory of 1924	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin1.exe
PID 1924 wrote to memory of 1820	1924	updatewin1.exe	updatewin1.exe
PID 1924 wrote to memory of 1820	1924	updatewin1.exe	updatewin1.exe
PID 1924 wrote to memory of 1820	1924	updatewin1.exe	updatewin1.exe
PID 1924 wrote to memory of 1820	1924	updatewin1.exe	updatewin1.exe
PID 1924 wrote to memory of 1820	1924	updatewin1.exe	updatewin1.exe
PID 1924 wrote to memory of 1820	1924	updatewin1.exe	updatewin1.exe
PID 1924 wrote to memory of 1820	1924	updatewin1.exe	updatewin1.exe
PID 1820 wrote to memory of 572	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 572	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 572	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 572	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 572	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 572	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 572	1820	updatewin1.exe	powershell.exe
PID 688 wrote to memory of 1652	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin2.exe
PID 688 wrote to memory of 1652	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin2.exe
PID 688 wrote to memory of 1652	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin2.exe
PID 688 wrote to memory of 1652	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin2.exe
PID 688 wrote to memory of 1652	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin2.exe
PID 688 wrote to memory of 1652	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin2.exe
PID 688 wrote to memory of 1652	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	updatewin2.exe
PID 688 wrote to memory of 1764	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	5.exe
PID 688 wrote to memory of 1764	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	5.exe
PID 688 wrote to memory of 1764	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	5.exe
PID 688 wrote to memory of 1764	688	412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe	5.exe
PID 1820 wrote to memory of 456	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 456	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 456	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 456	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 456	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 456	1820	updatewin1.exe	powershell.exe
PID 1820 wrote to memory of 456	1820	updatewin1.exe	powershell.exe
PID 456 wrote to memory of 892	456	powershell.exe	powershell.exe
PID 456 wrote to memory of 892	456	powershell.exe	powershell.exe
PID 456 wrote to memory of 892	456	powershell.exe	powershell.exe
PID 456 wrote to memory of 892	456	powershell.exe	powershell.exe
PID 456 wrote to memory of 892	456	powershell.exe	powershell.exe
PID 456 wrote to memory of 892	456	powershell.exe	powershell.exe
PID 456 wrote to memory of 892	456	powershell.exe	powershell.exe
PID 1820 wrote to memory of 2036	1820	updatewin1.exe	mpcmdrun.exe
PID 1820 wrote to memory of 2036	1820	updatewin1.exe	mpcmdrun.exe
PID 1820 wrote to memory of 2036	1820	updatewin1.exe	mpcmdrun.exe
PID 1820 wrote to memory of 2036	1820	updatewin1.exe	mpcmdrun.exe
PID 1820 wrote to memory of 1708	1820	updatewin1.exe	cmd.exe
PID 1820 wrote to memory of 1708	1820	updatewin1.exe	cmd.exe
PID 1820 wrote to memory of 1708	1820	updatewin1.exe	cmd.exe
PID 1820 wrote to memory of 1708	1820	updatewin1.exe	cmd.exe
PID 1820 wrote to memory of 1708	1820	updatewin1.exe	cmd.exe
PID 1820 wrote to memory of 1708	1820	updatewin1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
"C:\Users\Admin\AppData\Local\Temp\412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1a072c0b-a956-4ca1-b50b-5e1ead437938" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:768

C:\Users\Admin\AppData\Local\Temp\412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
"C:\Users\Admin\AppData\Local\Temp\412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
"C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
"C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe" --Admin
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
5⤵
- Deletes Windows Defender Definitions
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
5⤵
PID:1708

C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin2.exe
"C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin2.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\5.exe
"C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\5.exe & exit
4⤵
PID:1596

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
6c5b65755a00e464ebaaa2894b9cdb03

SHA1
853f6dbc8754da18f6bf5b8d0f8598dee126a902

SHA256
e587a1f90ff0ad8db8e584c076fb3eb043c5265bffbc7d6c74b3ebb2f1bf2e29

SHA512
005b97c7639c1585b9bb7f82985818a187102c54a6923f89f06b09767922841874ecffffc8e55baab186c9ef513794bf212270f18b8cf768910c8c91ba47adb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c6f27d5d1ee450d3400bf13e0804fce6

SHA1
2d0505f90eca6a49ca15b742aa5ef9ef01c7af41

SHA256
2c01ba329cfb39b6141b3c98d662ba24eb458e051fb7de79f975e681e8b4327a

SHA512
75687ddffd7021a033d19049f0cc05bbccd97a1433c06738a04590ed660996f669838514fe9f3b7c4b2eb494cf8a594f54bab1446cc915da4a042c3a327adc3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
c9529b316cd0577063d6d46e740898b9

SHA1
e4d409a73cf83fb15be6da1e586aa26ab696b50a

SHA256
3cb1c1ceea45081b25169da812a5133e8724615c0f172eae275d8807b1d959c4

SHA512
c78eab3974917b8ac1284d0ee04ecc4a23daecb52f486520c423288f180000afa764bde37e3e3b74809e9fb1a2ef16e950494325f94dd352c84fa1c440844dad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a6398c68c6a109b93169def784db9ddd

SHA1
9e3ae1a9d13b7b4d1a7a13f92db7b1d465d96125

SHA256
f64645b023e2ab34c3136e3a68361f8c290e9701a0c2ddb7ec8f6cf43142793e

SHA512
05c5ffd4224fd3072cd27aeb0bb6065069b6a97b8428d17e496a79dd7bccfff0e15938bf97fe426035c0589a786453c6b741d5b2df2d2e1d24b290a715c01547

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
1847b05ae8031348273257bff94e39d0

SHA1
16828831d943751ea5049cf38db8451653536f96

SHA256
e5f94dd755cf18124afb9822a8b04dcadd5cae16c6b9938d3da8b4e6fe625b5c

SHA512
08094881a4ff7009382f7d254af87e5e67bb843980a54ddd9b271d4e1da6290e3f5b9aade0ef19b68b9a4466ceed588b67ff1e4aab23badc6457c2625b16010f

Download Submit
C:\Users\Admin\AppData\Local\1a072c0b-a956-4ca1-b50b-5e1ead437938\412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326.exe
MD5
a8d6d7d35598c80ffb2e81a144deaf22

SHA1
a8cb80156d4fea3f081706346ae1e169aa3d732b

SHA256
412c4b0ef5dd5bdbe35efcbaaa89c804c36565c6aaf51bf37818aece5f47c326

SHA512
f05bae0d296c5fddc12001389c10e226e5d63917b71af4eaa72390b50333b73aace9cd6f63ce9a5c794c3cae177a028a5c1c7d9bd634852ceee029ac145a61a4

Download Submit
C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\5.exe
MD5
28994346c82a501f6198643b4c6a1f81

SHA1
d6ea2f731626402b0081504628a9ba05f4279cbf

SHA256
6b57625c531e64626de7627158f8644f9f4825357ebd01173eb3441fd84cb232

SHA512
ce4f1be36ad0730468c09d537f1e639c3f5a6aebaa0c64057b5709e83fe596d072c5e33e405d311efba41b6146581da5008489f2caf13a46778dcf62081c4138

Download Submit
C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\5.exe
MD5
28994346c82a501f6198643b4c6a1f81

SHA1
d6ea2f731626402b0081504628a9ba05f4279cbf

SHA256
6b57625c531e64626de7627158f8644f9f4825357ebd01173eb3441fd84cb232

SHA512
ce4f1be36ad0730468c09d537f1e639c3f5a6aebaa0c64057b5709e83fe596d072c5e33e405d311efba41b6146581da5008489f2caf13a46778dcf62081c4138

Download Submit
C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
25ad5ff7b30e3a7e2f8fc0f0eac951ed

SHA1
e6fbdf2711d8763cd7eee941125b9f0c2d75cafa

SHA256
1fe7dc3bfddeba9119ac4b43c6259bb319913131fa3f2a46bb9eda0d1fd081e2

SHA512
6b7912eb044806dbdc42dbb65e4c1818da4c761cfb47c231a1c1c239c4859c6ebf75b222bcd30901ee6d7c9adc53af23ea039bf422ea448a3a19680991d455ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat
MD5
26513e4662a293e6533e73c847715e96

SHA1
eac00b203a06fd0528f1004642b4a6febe55ce28

SHA256
b35dbbd75c2c67f848deff7106c09974895062bfae7306d8f2b0981c160489ac

SHA512
13878562c137edccf2708e7ab427d68ee6269a7b4193f2b19b4b1c2522acdcc282576b27824381683e63824f5492a58b663ca36ff6c0bec54dcc3bd09257bd06

Download Submit
C:\Users\Admin\AppData\Local\script.ps1
MD5
f972c62f986b5ed49ad7713d93bf6c9f

SHA1
4e157002bdb97e9526ab97bfafbf7c67e1d1efbf

SHA256
b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8

SHA512
2c9e2e1b8b6cb5ffe3edf5dfbc2c3b917cd15ba6a5e5264207a43b02ce7020f44f5088aca195f7b428699f0d6bd693ce557a0227d67bbb4795e350a97314e9c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
7647ec1003697e4fcc22a7a8fc048fcf

SHA1
73ac9738291375667468ab191c8964b5b62364c0

SHA256
18296da57bb5005f3f05f3848d85eebf54db716256fc1f2507e2486066bff04e

SHA512
b768c4d20ea3a95b4d49b6899829dcf42e1e8e031f4cf5b93c0081dd79d2b1100c1bfc4b9c2cf38eb703bc4639d52c6c6f790a3800fea7f2aa1e0b19fcf55083

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
7647ec1003697e4fcc22a7a8fc048fcf

SHA1
73ac9738291375667468ab191c8964b5b62364c0

SHA256
18296da57bb5005f3f05f3848d85eebf54db716256fc1f2507e2486066bff04e

SHA512
b768c4d20ea3a95b4d49b6899829dcf42e1e8e031f4cf5b93c0081dd79d2b1100c1bfc4b9c2cf38eb703bc4639d52c6c6f790a3800fea7f2aa1e0b19fcf55083

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\5.exe
MD5
28994346c82a501f6198643b4c6a1f81

SHA1
d6ea2f731626402b0081504628a9ba05f4279cbf

SHA256
6b57625c531e64626de7627158f8644f9f4825357ebd01173eb3441fd84cb232

SHA512
ce4f1be36ad0730468c09d537f1e639c3f5a6aebaa0c64057b5709e83fe596d072c5e33e405d311efba41b6146581da5008489f2caf13a46778dcf62081c4138

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\5.exe
MD5
28994346c82a501f6198643b4c6a1f81

SHA1
d6ea2f731626402b0081504628a9ba05f4279cbf

SHA256
6b57625c531e64626de7627158f8644f9f4825357ebd01173eb3441fd84cb232

SHA512
ce4f1be36ad0730468c09d537f1e639c3f5a6aebaa0c64057b5709e83fe596d072c5e33e405d311efba41b6146581da5008489f2caf13a46778dcf62081c4138

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\20a9ee0d-339f-4542-a6be-4e3bb48d0ec5\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
memory/456-62-0x0000000000000000-mapping.dmp

Download
memory/456-83-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/456-70-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/456-67-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/456-66-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/456-65-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/456-64-0x0000000073170000-0x000000007385E000-memory.dmp

Filesize
6.9MB

Download
memory/572-54-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/572-41-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/572-61-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/572-53-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/572-31-0x0000000000000000-mapping.dmp

Download
memory/572-48-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/572-32-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/572-37-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/572-39-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/572-40-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/688-5-0x0000000000000000-mapping.dmp

Download
memory/688-6-0x0000000000860000-0x00000000008F1000-memory.dmp

Filesize
580KB

Download
memory/688-7-0x0000000001ED0000-0x0000000001EE1000-memory.dmp

Filesize
68KB

Download
memory/768-3-0x0000000000000000-mapping.dmp

Download
memory/892-87-0x0000000073860000-0x0000000073F4E000-memory.dmp

Filesize
6.9MB

Download
memory/892-88-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/892-91-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/892-103-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/892-100-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/892-97-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/892-84-0x0000000000000000-mapping.dmp

Download
memory/892-115-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/892-116-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/940-118-0x0000000000000000-mapping.dmp

Download
memory/1596-117-0x0000000000000000-mapping.dmp

Download
memory/1652-34-0x0000000000000000-mapping.dmp

Download
memory/1652-38-0x00000000005EF000-0x00000000005F0000-memory.dmp

Filesize
4KB

Download
memory/1652-36-0x0000000001E40000-0x0000000001E51000-memory.dmp

Filesize
68KB

Download
memory/1656-2-0x000007FEF7B20000-0x000007FEF7D9A000-memory.dmp

Filesize
2.5MB

Download
memory/1708-90-0x0000000000000000-mapping.dmp

Download
memory/1764-69-0x0000000004920000-0x0000000004931000-memory.dmp

Filesize
68KB

Download
memory/1764-44-0x0000000000000000-mapping.dmp

Download
memory/1764-68-0x000000000311B000-0x000000000311C000-memory.dmp

Filesize
4KB

Download
memory/1820-24-0x0000000000000000-mapping.dmp

Download
memory/1820-29-0x0000000001FA0000-0x0000000001FB1000-memory.dmp

Filesize
68KB

Download
memory/1820-30-0x00000000008F2000-0x00000000008F3000-memory.dmp

Filesize
4KB

Download
memory/1924-14-0x0000000000000000-mapping.dmp

Download
memory/1924-20-0x00000000020A0000-0x00000000020B1000-memory.dmp

Filesize
68KB

Download
memory/1924-21-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1992-0-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1992-1-0x0000000001F40000-0x0000000001F51000-memory.dmp

Filesize
68KB

Download
memory/2036-85-0x0000000000000000-mapping.dmp

Download