f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653

Analysis

max time kernel
152s
max time network
109s
platform
windows7_x64
resource
win7v20201028
submitted
08-11-2020 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Size

725KB
MD5

4d3ab2e575b8e2f10d7201677d7e784b
SHA1

8b4edc54158818aa4f92f60b320c52c51600ae25
SHA256

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653
SHA512

777c224af5045a6df1af2d2fca91b7a193cdd8425661c063f84f7cb7fccf7d030565669d1a452928984b374dfb95746ff5345039f3c4e2554e79431927ab7801

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Disabling Security Tools
T1089

Command-Line Interface
T1059

Processes:

mpcmdrun.exe

pid process

1084 mpcmdrun.exe
Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

updatewin2.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts updatewin2.exe
Executes dropped EXE 5 IoCs

Processes:

updatewin1.exeupdatewin1.exeupdatewin2.exe5.exef90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe

pid process

1672 updatewin1.exe
1612 updatewin1.exe
1552 updatewin2.exe
1100 5.exe
624 f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe

pid	process
1084	mpcmdrun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

pid	process
1672	updatewin1.exe
1612	updatewin1.exe
1552	updatewin2.exe
1100	5.exe
624	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe

Loads dropped DLL 16 IoCs

Processes:

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exeupdatewin1.exeupdatewin1.exe5.exe

pid	process
928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
1672	updatewin1.exe
1672	updatewin1.exe
1672	updatewin1.exe
1672	updatewin1.exe
1672	updatewin1.exe
1612	updatewin1.exe
1612	updatewin1.exe
1612	updatewin1.exe
928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
1100	5.exe
1100	5.exe
1100	5.exe
1100	5.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

752 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
752	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4bff1d72-e90a-4ab2-9c93-ec2cab2a27ee\\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe\" --AutoStart"	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe

JavaScript code in executable 1 IoCs

Processes:

resource yara_rule

\ProgramData\nss3.dll js
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.2ip.ua
7 api.2ip.ua
17 api.2ip.ua
33 ip-api.com

resource	yara_rule
\ProgramData\nss3.dll	js

flow	ioc
6	api.2ip.ua
7	api.2ip.ua
17	api.2ip.ua
33	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1652 taskkill.exe

pid	process
1652	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c190000000100000010000000ea6089055218053dd01e37e1d806eedf040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf91400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exef90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exepowershell.exepowershell.exepowershell.exe5.exe

pid	process
756	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
756	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
668	powershell.exe
668	powershell.exe
668	powershell.exe
952	powershell.exe
952	powershell.exe
1824	powershell.exe
1100	5.exe
1100	5.exe
1100	5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1652	taskkill.exe

Suspicious use of WriteProcessMemory 77 IoCs

Processes:

f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exef90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exeupdatewin1.exeupdatewin1.exepowershell.exe

description	pid	process	target process
PID 756 wrote to memory of 752	756	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	icacls.exe
PID 756 wrote to memory of 752	756	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	icacls.exe
PID 756 wrote to memory of 752	756	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	icacls.exe
PID 756 wrote to memory of 752	756	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	icacls.exe
PID 756 wrote to memory of 928	756	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
PID 756 wrote to memory of 928	756	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
PID 756 wrote to memory of 928	756	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
PID 756 wrote to memory of 928	756	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
PID 928 wrote to memory of 1672	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin1.exe
PID 928 wrote to memory of 1672	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin1.exe
PID 928 wrote to memory of 1672	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin1.exe
PID 928 wrote to memory of 1672	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin1.exe
PID 928 wrote to memory of 1672	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin1.exe
PID 928 wrote to memory of 1672	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin1.exe
PID 928 wrote to memory of 1672	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin1.exe
PID 1672 wrote to memory of 1612	1672	updatewin1.exe	updatewin1.exe
PID 1672 wrote to memory of 1612	1672	updatewin1.exe	updatewin1.exe
PID 1672 wrote to memory of 1612	1672	updatewin1.exe	updatewin1.exe
PID 1672 wrote to memory of 1612	1672	updatewin1.exe	updatewin1.exe
PID 1672 wrote to memory of 1612	1672	updatewin1.exe	updatewin1.exe
PID 1672 wrote to memory of 1612	1672	updatewin1.exe	updatewin1.exe
PID 1672 wrote to memory of 1612	1672	updatewin1.exe	updatewin1.exe
PID 1612 wrote to memory of 668	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 668	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 668	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 668	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 668	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 668	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 668	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 952	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 952	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 952	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 952	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 952	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 952	1612	updatewin1.exe	powershell.exe
PID 1612 wrote to memory of 952	1612	updatewin1.exe	powershell.exe
PID 952 wrote to memory of 1824	952	powershell.exe	powershell.exe
PID 952 wrote to memory of 1824	952	powershell.exe	powershell.exe
PID 952 wrote to memory of 1824	952	powershell.exe	powershell.exe
PID 952 wrote to memory of 1824	952	powershell.exe	powershell.exe
PID 952 wrote to memory of 1824	952	powershell.exe	powershell.exe
PID 952 wrote to memory of 1824	952	powershell.exe	powershell.exe
PID 952 wrote to memory of 1824	952	powershell.exe	powershell.exe
PID 1612 wrote to memory of 1084	1612	updatewin1.exe	mpcmdrun.exe
PID 1612 wrote to memory of 1084	1612	updatewin1.exe	mpcmdrun.exe
PID 1612 wrote to memory of 1084	1612	updatewin1.exe	mpcmdrun.exe
PID 1612 wrote to memory of 1084	1612	updatewin1.exe	mpcmdrun.exe
PID 1612 wrote to memory of 1412	1612	updatewin1.exe	cmd.exe
PID 1612 wrote to memory of 1412	1612	updatewin1.exe	cmd.exe
PID 1612 wrote to memory of 1412	1612	updatewin1.exe	cmd.exe
PID 1612 wrote to memory of 1412	1612	updatewin1.exe	cmd.exe
PID 1612 wrote to memory of 1412	1612	updatewin1.exe	cmd.exe
PID 1612 wrote to memory of 1412	1612	updatewin1.exe	cmd.exe
PID 1612 wrote to memory of 1412	1612	updatewin1.exe	cmd.exe
PID 928 wrote to memory of 1552	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin2.exe
PID 928 wrote to memory of 1552	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin2.exe
PID 928 wrote to memory of 1552	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin2.exe
PID 928 wrote to memory of 1552	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin2.exe
PID 928 wrote to memory of 1552	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin2.exe
PID 928 wrote to memory of 1552	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin2.exe
PID 928 wrote to memory of 1552	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	updatewin2.exe
PID 928 wrote to memory of 1100	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	5.exe
PID 928 wrote to memory of 1100	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	5.exe
PID 928 wrote to memory of 1100	928	f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe	5.exe

C:\Users\Admin\AppData\Local\Temp\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
"C:\Users\Admin\AppData\Local\Temp\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4bff1d72-e90a-4ab2-9c93-ec2cab2a27ee" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:752

C:\Users\Admin\AppData\Local\Temp\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
"C:\Users\Admin\AppData\Local\Temp\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
"C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
"C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe" --Admin
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
5⤵
- Deletes Windows Defender Definitions
PID:1084

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
5⤵
PID:1412

C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin2.exe
"C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin2.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:1552

C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\5.exe
"C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\5.exe & exit
4⤵
PID:1312

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\taskeng.exe
taskeng.exe {C0B5EB52-3563-4400-98EA-80B90F86A08D} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
PID:1712

C:\Users\Admin\AppData\Local\4bff1d72-e90a-4ab2-9c93-ec2cab2a27ee\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
C:\Users\Admin\AppData\Local\4bff1d72-e90a-4ab2-9c93-ec2cab2a27ee\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe --Task
2⤵
- Executes dropped EXE
PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
473b867b22c45299c72e214824158bc8

SHA1
dfdce1aa6b4849b662a68d9678e1546e8f609676

SHA256
fb8ec9f410db6de1be3547e4ce7b18184a58a8828961e807809f610077db1fe4

SHA512
02d0912227b002f8b093d0a9a98a7555a81f57e87aa4d6838e32644425f9273fcfe98984eca354b4d92bd75c668fd3d0b5768fe3fb570b5531146ae3ab9bb5d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3bf227caeee1b07d47b29873a1640f1a

SHA1
61af6e587db89d7d7f518bb1e16c2d73451e5ed6

SHA256
30becef61dd6dd9d8b0402aec82db12ebb3ef7b76d854ca1f8bd30fa50ab5980

SHA512
29a3663efa62ccc6dce4e083b7e43e80560de48ebc0eebfff5aed1fc158f0ed65a009589046773cb3c97588005219f45ae414c53f7bffe5a0a2ec80b0c2a903e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
a94b1a971aa2eb359d044c80a77d41cc

SHA1
71865d63437b2f2a21c2fa7d32f428d1c791b1ef

SHA256
185980da510854932a64db231bcfae229df817cde4e2cd849ff73094a1b7d132

SHA512
7cf0a2298ccbdb8ad02af0ebc082936db5a8adf4f8339c9b27cd35cb07a69c3528da2758f9a9015b33b5afe41027b4cdfa921db9b8cb0debca132ba2e234dc16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
36703aa67b11142d9b5c263c91ac5034

SHA1
9764a5eb81e4730bae474944a97c1d36e0c80484

SHA256
4df4066adca9ce78b91b20bd2c909890ae78125bd4b1a287fed1f343b91925f7

SHA512
8d97c09d6f060f93c55030119aa05943e2f24e112160a5f47358492f8e4ecf20bea785babed57482124babd99d3d3f28778a8aa24c47d3c0afcb7b9d50e31dd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
27673b99ae2538d4656a441629bd9092

SHA1
2c2853a141ad3f677c407990cddb0bd93bba27b7

SHA256
4ff69def491e8c5f989b6f36beadfae8241473b77cb3548c2712a381ae4b3f10

SHA512
a5b5709f5d7c05b303f33c3fd03c73950f9eafd6c002b753985dfa66f03547eceb6708314fca8bad8d1d85fa12661e363c0a4fd8d176a52ada8f48a698aed704

Download Submit
C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\5.exe
MD5
28994346c82a501f6198643b4c6a1f81

SHA1
d6ea2f731626402b0081504628a9ba05f4279cbf

SHA256
6b57625c531e64626de7627158f8644f9f4825357ebd01173eb3441fd84cb232

SHA512
ce4f1be36ad0730468c09d537f1e639c3f5a6aebaa0c64057b5709e83fe596d072c5e33e405d311efba41b6146581da5008489f2caf13a46778dcf62081c4138

Download Submit
C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\5.exe
MD5
28994346c82a501f6198643b4c6a1f81

SHA1
d6ea2f731626402b0081504628a9ba05f4279cbf

SHA256
6b57625c531e64626de7627158f8644f9f4825357ebd01173eb3441fd84cb232

SHA512
ce4f1be36ad0730468c09d537f1e639c3f5a6aebaa0c64057b5709e83fe596d072c5e33e405d311efba41b6146581da5008489f2caf13a46778dcf62081c4138

Download Submit
C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\4bff1d72-e90a-4ab2-9c93-ec2cab2a27ee\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
MD5
4d3ab2e575b8e2f10d7201677d7e784b

SHA1
8b4edc54158818aa4f92f60b320c52c51600ae25

SHA256
f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653

SHA512
777c224af5045a6df1af2d2fca91b7a193cdd8425661c063f84f7cb7fccf7d030565669d1a452928984b374dfb95746ff5345039f3c4e2554e79431927ab7801

Download Submit
C:\Users\Admin\AppData\Local\4bff1d72-e90a-4ab2-9c93-ec2cab2a27ee\f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653.exe
MD5
4d3ab2e575b8e2f10d7201677d7e784b

SHA1
8b4edc54158818aa4f92f60b320c52c51600ae25

SHA256
f90deacedb2274ca6cd60b1699c6ff5aba30b4d3e8a45a1999cde019050fc653

SHA512
777c224af5045a6df1af2d2fca91b7a193cdd8425661c063f84f7cb7fccf7d030565669d1a452928984b374dfb95746ff5345039f3c4e2554e79431927ab7801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
97d5b19f3ecfcc4e71c41247ca71e107

SHA1
795fe55dfac8f687ff82467c53380170297ea583

SHA256
91e31da660f25d4f32c39f1c5c4c0721e00f37af591f8a0748cfdcc3885099ab

SHA512
e24cb158cdbf157bf2ed9d2db5c464785f51095a484fcd11969f237fa4b87da98611f9d058b171dc302b144c4516b1a380fb2627433ca6e3f7f856b9aa937f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat
MD5
a02347bbdc59d9356085e103de44f8df

SHA1
6a2d69b07db4e3f82fff115a63d2a86f66a9f818

SHA256
a032cac0c65b89b3d11d7843a2757fb7e884f8ced6cc9fc59b8085b52a31585d

SHA512
7b81ce8d23283eb441739102f278696d3d660b81b7359e052b4673761ecb0c0f630de79ec52964923894a2a73eb3d84223a8d791511d3e66a32d6b7e1332aa26

Download Submit
C:\Users\Admin\AppData\Local\script.ps1
MD5
f972c62f986b5ed49ad7713d93bf6c9f

SHA1
4e157002bdb97e9526ab97bfafbf7c67e1d1efbf

SHA256
b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8

SHA512
2c9e2e1b8b6cb5ffe3edf5dfbc2c3b917cd15ba6a5e5264207a43b02ce7020f44f5088aca195f7b428699f0d6bd693ce557a0227d67bbb4795e350a97314e9c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
f4509dda545a7ab5b794618428031f11

SHA1
95a3cbb04276f7609f0a77c043abf1fc038dedea

SHA256
80de295355687f50776fa77c9b56fc97c51a15edf914657c64aeb94d7fe19942

SHA512
1e1a2d641a58c151ca393a7c5da7c7d9e375af1fdefdd0655654558d26998e15ece083f1af8f06e32b538f365a67b10ba4c3e3453c6d47d45afdddea5ccf6fcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
f4509dda545a7ab5b794618428031f11

SHA1
95a3cbb04276f7609f0a77c043abf1fc038dedea

SHA256
80de295355687f50776fa77c9b56fc97c51a15edf914657c64aeb94d7fe19942

SHA512
1e1a2d641a58c151ca393a7c5da7c7d9e375af1fdefdd0655654558d26998e15ece083f1af8f06e32b538f365a67b10ba4c3e3453c6d47d45afdddea5ccf6fcd

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\5.exe
MD5
28994346c82a501f6198643b4c6a1f81

SHA1
d6ea2f731626402b0081504628a9ba05f4279cbf

SHA256
6b57625c531e64626de7627158f8644f9f4825357ebd01173eb3441fd84cb232

SHA512
ce4f1be36ad0730468c09d537f1e639c3f5a6aebaa0c64057b5709e83fe596d072c5e33e405d311efba41b6146581da5008489f2caf13a46778dcf62081c4138

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\5.exe
MD5
28994346c82a501f6198643b4c6a1f81

SHA1
d6ea2f731626402b0081504628a9ba05f4279cbf

SHA256
6b57625c531e64626de7627158f8644f9f4825357ebd01173eb3441fd84cb232

SHA512
ce4f1be36ad0730468c09d537f1e639c3f5a6aebaa0c64057b5709e83fe596d072c5e33e405d311efba41b6146581da5008489f2caf13a46778dcf62081c4138

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\4067742c-e4d4-4a27-b9b4-e0d33a540b84\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
memory/476-2-0x000007FEF7E30000-0x000007FEF80AA000-memory.dmp

Filesize
2.5MB

Download
memory/624-117-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/624-115-0x0000000000000000-mapping.dmp

Download
memory/668-35-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/668-45-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/668-39-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/668-52-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/668-36-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/668-34-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/668-33-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/668-31-0x0000000000000000-mapping.dmp

Download
memory/668-32-0x0000000073C40000-0x000000007432E000-memory.dmp

Filesize
6.9MB

Download
memory/668-44-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/752-3-0x0000000000000000-mapping.dmp

Download
memory/756-1-0x0000000001E80000-0x0000000001E91000-memory.dmp

Filesize
68KB

Download
memory/756-0-0x0000000001D10000-0x0000000001DA1000-memory.dmp

Filesize
580KB

Download
memory/928-6-0x0000000000230000-0x00000000002C1000-memory.dmp

Filesize
580KB

Download
memory/928-5-0x0000000000000000-mapping.dmp

Download
memory/928-7-0x0000000001F50000-0x0000000001F61000-memory.dmp

Filesize
68KB

Download
memory/952-58-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/952-59-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/952-53-0x0000000000000000-mapping.dmp

Download
memory/952-55-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/952-56-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/952-57-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/952-67-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/1084-69-0x0000000000000000-mapping.dmp

Download
memory/1100-107-0x0000000004B30000-0x0000000004B41000-memory.dmp

Filesize
68KB

Download
memory/1100-106-0x000000000319B000-0x000000000319C000-memory.dmp

Filesize
4KB

Download
memory/1100-104-0x0000000000000000-mapping.dmp

Download
memory/1312-112-0x0000000000000000-mapping.dmp

Download
memory/1412-74-0x0000000000000000-mapping.dmp

Download
memory/1552-81-0x0000000001FA0000-0x0000000001FB1000-memory.dmp

Filesize
68KB

Download
memory/1552-82-0x000000000058F000-0x0000000000590000-memory.dmp

Filesize
4KB

Download
memory/1552-79-0x0000000000000000-mapping.dmp

Download
memory/1612-30-0x00000000005A2000-0x00000000005A3000-memory.dmp

Filesize
4KB

Download
memory/1612-24-0x0000000000000000-mapping.dmp

Download
memory/1612-29-0x0000000001FB0000-0x0000000001FC1000-memory.dmp

Filesize
68KB

Download
memory/1652-113-0x0000000000000000-mapping.dmp

Download
memory/1672-14-0x0000000000000000-mapping.dmp

Download
memory/1672-20-0x0000000001FC0000-0x0000000001FD1000-memory.dmp

Filesize
68KB

Download
memory/1672-21-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1824-77-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1824-72-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/1824-100-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/1824-75-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/1824-71-0x0000000073C40000-0x000000007432E000-memory.dmp

Filesize
6.9MB

Download
memory/1824-68-0x0000000000000000-mapping.dmp

Download
memory/1824-85-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/1824-88-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/1824-101-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download