cf1b38106e42989ddffb99e0163787135e7b294c5d5e88e3b47ca1b7cd0d6681

Analysis

max time kernel
81s
max time network
143s
platform
windows10_x64
resource
win10v20201028
submitted
25-11-2020 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x000300000001a5a2-209.exe
Size

842KB
MD5

185749ffbb860d3e5b705b557d819702
SHA1

f09470a934d381cfc4e1504193eb58139061a645
SHA256

1c5319523b316c789c5c29e87675e580a9016b4624f197df889cb942c9a32bfa
SHA512

0bb85d296bdcee1fd50200af1924c73f751b08737256178052f46a8937a1a9be5656b4ea465b97ef798e48a0f600ceb7d2e18feb4026426112642d3b9213cce5

Score

10^/10

discovery evasion persistence spyware stealer

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Disabling Security Tools
T1089

Command-Line Interface
T1059

Processes:

mpcmdrun.exe

pid process

196 mpcmdrun.exe
Disables Task Manager via registry modification
evasion
Drops file in Drivers directory 1 IoCs

Processes:

updatewin2.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts updatewin2.exe
Executes dropped EXE 4 IoCs

Processes:

updatewin1.exeupdatewin2.exeupdatewin1.exe5.exe

pid process

1584 updatewin1.exe
1764 updatewin2.exe
4056 updatewin1.exe
4664 5.exe
Loads dropped DLL 2 IoCs

Processes:

5.exe

pid process

4664 5.exe
4664 5.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

556 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
196	mpcmdrun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

pid	process
1584	updatewin1.exe
1764	updatewin2.exe
4056	updatewin1.exe
4664	5.exe

pid	process
4664	5.exe
4664	5.exe

pid	process
556	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0x000300000001a5a2-209.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\cfb152a9-386d-48e7-aa9e-bd6a6fd0b7ff\\0x000300000001a5a2-209.exe\" --AutoStart"	0x000300000001a5a2-209.exe

JavaScript code in executable 1 IoCs

Processes:

resource yara_rule

\ProgramData\nss3.dll js
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.2ip.ua
15 api.2ip.ua
22 api.2ip.ua
33 ip-api.com

resource	yara_rule
\ProgramData\nss3.dll	js

flow	ioc
14	api.2ip.ua
15	api.2ip.ua
22	api.2ip.ua
33	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5028 taskkill.exe

pid	process
5028	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0x000300000001a5a2-209.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0x000300000001a5a2-209.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0x000300000001a5a2-209.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

0x000300000001a5a2-209.exe0x000300000001a5a2-209.exepowershell.exepowershell.exepowershell.exe5.exe

pid	process
4768	0x000300000001a5a2-209.exe
4768	0x000300000001a5a2-209.exe
856	0x000300000001a5a2-209.exe
856	0x000300000001a5a2-209.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
2320	powershell.exe
2320	powershell.exe
2320	powershell.exe
4740	powershell.exe
4740	powershell.exe
4740	powershell.exe
4664	5.exe
4664	5.exe
4664	5.exe
4664	5.exe
4664	5.exe
4664	5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	5028	taskkill.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

0x000300000001a5a2-209.exe0x000300000001a5a2-209.exeupdatewin1.exeupdatewin1.exepowershell.exe5.execmd.exe

description	pid	process	target process
PID 4768 wrote to memory of 556	4768	0x000300000001a5a2-209.exe	icacls.exe
PID 4768 wrote to memory of 556	4768	0x000300000001a5a2-209.exe	icacls.exe
PID 4768 wrote to memory of 556	4768	0x000300000001a5a2-209.exe	icacls.exe
PID 4768 wrote to memory of 856	4768	0x000300000001a5a2-209.exe	0x000300000001a5a2-209.exe
PID 4768 wrote to memory of 856	4768	0x000300000001a5a2-209.exe	0x000300000001a5a2-209.exe
PID 4768 wrote to memory of 856	4768	0x000300000001a5a2-209.exe	0x000300000001a5a2-209.exe
PID 856 wrote to memory of 1584	856	0x000300000001a5a2-209.exe	updatewin1.exe
PID 856 wrote to memory of 1584	856	0x000300000001a5a2-209.exe	updatewin1.exe
PID 856 wrote to memory of 1584	856	0x000300000001a5a2-209.exe	updatewin1.exe
PID 856 wrote to memory of 1764	856	0x000300000001a5a2-209.exe	updatewin2.exe
PID 856 wrote to memory of 1764	856	0x000300000001a5a2-209.exe	updatewin2.exe
PID 856 wrote to memory of 1764	856	0x000300000001a5a2-209.exe	updatewin2.exe
PID 1584 wrote to memory of 4056	1584	updatewin1.exe	updatewin1.exe
PID 1584 wrote to memory of 4056	1584	updatewin1.exe	updatewin1.exe
PID 1584 wrote to memory of 4056	1584	updatewin1.exe	updatewin1.exe
PID 4056 wrote to memory of 1000	4056	updatewin1.exe	powershell.exe
PID 4056 wrote to memory of 1000	4056	updatewin1.exe	powershell.exe
PID 4056 wrote to memory of 1000	4056	updatewin1.exe	powershell.exe
PID 4056 wrote to memory of 2320	4056	updatewin1.exe	powershell.exe
PID 4056 wrote to memory of 2320	4056	updatewin1.exe	powershell.exe
PID 4056 wrote to memory of 2320	4056	updatewin1.exe	powershell.exe
PID 2320 wrote to memory of 4740	2320	powershell.exe	powershell.exe
PID 2320 wrote to memory of 4740	2320	powershell.exe	powershell.exe
PID 2320 wrote to memory of 4740	2320	powershell.exe	powershell.exe
PID 4056 wrote to memory of 196	4056	updatewin1.exe	mpcmdrun.exe
PID 4056 wrote to memory of 196	4056	updatewin1.exe	mpcmdrun.exe
PID 4056 wrote to memory of 2476	4056	updatewin1.exe	cmd.exe
PID 4056 wrote to memory of 2476	4056	updatewin1.exe	cmd.exe
PID 4056 wrote to memory of 2476	4056	updatewin1.exe	cmd.exe
PID 856 wrote to memory of 4664	856	0x000300000001a5a2-209.exe	5.exe
PID 856 wrote to memory of 4664	856	0x000300000001a5a2-209.exe	5.exe
PID 856 wrote to memory of 4664	856	0x000300000001a5a2-209.exe	5.exe
PID 4664 wrote to memory of 5004	4664	5.exe	cmd.exe
PID 4664 wrote to memory of 5004	4664	5.exe	cmd.exe
PID 4664 wrote to memory of 5004	4664	5.exe	cmd.exe
PID 5004 wrote to memory of 5028	5004	cmd.exe	taskkill.exe
PID 5004 wrote to memory of 5028	5004	cmd.exe	taskkill.exe
PID 5004 wrote to memory of 5028	5004	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\0x000300000001a5a2-209.exe
"C:\Users\Admin\AppData\Local\Temp\0x000300000001a5a2-209.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\cfb152a9-386d-48e7-aa9e-bd6a6fd0b7ff" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:556

C:\Users\Admin\AppData\Local\Temp\0x000300000001a5a2-209.exe
"C:\Users\Admin\AppData\Local\Temp\0x000300000001a5a2-209.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe
"C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe
"C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe" --Admin
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
5⤵
- Deletes Windows Defender Definitions
PID:196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
5⤵
PID:2476

C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin2.exe
"C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin2.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:1764

C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\5.exe
"C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\5.exe & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
da538122a8b241ee1ac7e06f703b2812

SHA1
3b28a969f885abee9eaededd5b57fb26d6c59464

SHA256
74836dabf0db99ccf45f994555ae4cdf6228ec0e1cd3745b64baedb10d0c69d7

SHA512
ecd4dde4e0a93d18ac1ef3552117d65a60f40e4d20ac050584c267c68c846538753ead7faecca3b93ab88eb0df1842523fe6dbfe88fe2f350d12a2ff55b57645

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
2fbe681c900d02992635cc9c8c51452e

SHA1
c424061bddc86a7c8c00d615af90cdcddeb05ae7

SHA256
0fdaf4d9478d37b3dd51469a2f0559f9573bb4ec0b0026e424a1155583fb66ac

SHA512
15e71354fa4b444a0db306fd54f3c7d16e31395268d9164f36a9f532dcd65a95d598dea77a698d4a78c996596d489c7d18175f77aac11ebd98adac46d5570712

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
c442e2deb063f626e3177a7b1e63e28a

SHA1
73433493fbb0dd70c2e55244bdfab4d7b64f7035

SHA256
a910411d3af937e8840ca51fe100c6e226f886fcb2ef55488c00fa831aaaeaff

SHA512
258ed3dcdce866a63772aa9e1d341167ddd1077893b2e02d2d5b01fb1fc9a4891ce8767991376f08cdaaade5de63ab672909b5cfea2a8e6b58c002d84e916afe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
34300b40c5f5258f750a9f3f949e194b

SHA1
0114b5592037e95754623672f3655892820575aa

SHA256
4e2f35be1da9bf3530f0f66f5faa80c4d3dcbe5d9dac9646acdb75d2e7a6241f

SHA512
41563038a304365d95dcac6508b6cfe08aeacdeb4cc04cd85948ce0f021e9a4a14edf72c17a92ea4bcd19ce4665dd28a3ca594c6f4d7052b2baf597d726a2d3d

Download Submit
C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\5.exe
MD5
637a8b78f4985a7807c6cdb238df4534

SHA1
01c47b02ec8b83a0a29590c2512c844318af8710

SHA256
87dc2c320339840a39ae63d4a53a406d2c091573c9f75aa28ea614b454fcfe95

SHA512
0eef7aec2cd0de345299bccda7cce486d65bde9d8d1dcfb6a90ffff79bb32d2be36452b064e4bd5da7aa5998e3398dca4bc1bf1ead863c324f7111a8ebfa0682

Download Submit
C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\5.exe
MD5
637a8b78f4985a7807c6cdb238df4534

SHA1
01c47b02ec8b83a0a29590c2512c844318af8710

SHA256
87dc2c320339840a39ae63d4a53a406d2c091573c9f75aa28ea614b454fcfe95

SHA512
0eef7aec2cd0de345299bccda7cce486d65bde9d8d1dcfb6a90ffff79bb32d2be36452b064e4bd5da7aa5998e3398dca4bc1bf1ead863c324f7111a8ebfa0682

Download Submit
C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
13151583954f0def829054cc3eae25ec

SHA1
2a2b013e8d4201ddc8a80f9680931873702d0213

SHA256
eb542ae9c791940e8e74833eb50543dbbcbc8bf8485698fad82a8b079546c8a7

SHA512
3f7a6d0e5ca29de7b02f5cb993c508ce0c0df12c3d970a3ad6da95149b4cb5cc7a138e7ed6f83e910cb39120f199b3f74fc0ec1a14ca86435a52f247c2514aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e0952cbe1ed4f0002500dd9b2e7ecf63

SHA1
fdc936415b40a567e2505623f6cbd04feca037b8

SHA256
3e6e4e501e9de2585db6b619bf5164fc382ee7314c36a3dbc10e1b4918ec46c1

SHA512
7c6bc9b779721ee48786032d9669a795443a742fe706251e48a85f047f714e04e5e55844be68f5b66147d6efb915f6bd87912012d7553bc4d4961d2a63e5d753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d60f42b314f650a7303011e845f50d3f

SHA1
d8e492aabd2563c74feca89181b6b0b232622397

SHA256
bf86760a34549dcb4c3ec731fa016758cd810033b03953d10a43a5bebef0010a

SHA512
a6c7d4bcebec381de04567ac8ced9b06f48e29fd0b635145f11343b4a2d333d67566e613dccb4364e42d5490e65744deb7d29d17ab6abdd991bd0979885cfc99

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat
MD5
883df4da0952a416db266a47a3489a62

SHA1
b7f55fe6a94e5653ab4c79479d7b16ca946e6f7c

SHA256
459c88420aa92750c0928c626f28d25cd209646f01ccfcf2eec5897c16bd5b2a

SHA512
023afa7e1026603f707f1972bc783e9bda5edee3e118a68b837872c2f43c222cd1a23d979eb8b725dcc854cae34cfe565a9c1eaa652d303d6de5d9fbd332202f

Download Submit
C:\Users\Admin\AppData\Local\cfb152a9-386d-48e7-aa9e-bd6a6fd0b7ff\0x000300000001a5a2-209.exe
MD5
185749ffbb860d3e5b705b557d819702

SHA1
f09470a934d381cfc4e1504193eb58139061a645

SHA256
1c5319523b316c789c5c29e87675e580a9016b4624f197df889cb942c9a32bfa

SHA512
0bb85d296bdcee1fd50200af1924c73f751b08737256178052f46a8937a1a9be5656b4ea465b97ef798e48a0f600ceb7d2e18feb4026426112642d3b9213cce5

Download Submit
C:\Users\Admin\AppData\Local\script.ps1
MD5
f972c62f986b5ed49ad7713d93bf6c9f

SHA1
4e157002bdb97e9526ab97bfafbf7c67e1d1efbf

SHA256
b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8

SHA512
2c9e2e1b8b6cb5ffe3edf5dfbc2c3b917cd15ba6a5e5264207a43b02ce7020f44f5088aca195f7b428699f0d6bd693ce557a0227d67bbb4795e350a97314e9c4

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
memory/196-64-0x0000000000000000-mapping.dmp

Download
memory/556-1-0x0000000000000000-mapping.dmp

Download
memory/856-4-0x0000000006490000-0x0000000006491000-memory.dmp

Filesize
4KB

Download
memory/856-3-0x0000000000000000-mapping.dmp

Download
memory/1000-28-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/1000-30-0x0000000007740000-0x0000000007741000-memory.dmp

Filesize
4KB

Download
memory/1000-25-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/1000-26-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/1000-27-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/1000-23-0x0000000000000000-mapping.dmp

Download
memory/1000-29-0x0000000006E80000-0x0000000006E81000-memory.dmp

Filesize
4KB

Download
memory/1000-24-0x0000000071E70000-0x000000007255E000-memory.dmp

Filesize
6.9MB

Download
memory/1000-31-0x0000000006DA0000-0x0000000006DA1000-memory.dmp

Filesize
4KB

Download
memory/1000-32-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

Filesize
4KB

Download
memory/1000-33-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/1000-35-0x00000000089D0000-0x0000000008A03000-memory.dmp

Filesize
204KB

Download
memory/1000-42-0x0000000008990000-0x0000000008991000-memory.dmp

Filesize
4KB

Download
memory/1000-43-0x0000000008A10000-0x0000000008A11000-memory.dmp

Filesize
4KB

Download
memory/1000-44-0x0000000008EC0000-0x0000000008EC1000-memory.dmp

Filesize
4KB

Download
memory/1000-45-0x0000000008E60000-0x0000000008E61000-memory.dmp

Filesize
4KB

Download
memory/1584-17-0x00000000005BE000-0x00000000005BF000-memory.dmp

Filesize
4KB

Download
memory/1584-9-0x0000000000000000-mapping.dmp

Download
memory/1584-12-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1764-13-0x0000000000000000-mapping.dmp

Download
memory/1764-16-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/1764-21-0x00000000005BE000-0x00000000005BF000-memory.dmp

Filesize
4KB

Download
memory/2320-61-0x00000000091C0000-0x00000000091C1000-memory.dmp

Filesize
4KB

Download
memory/2320-62-0x0000000009A80000-0x0000000009A81000-memory.dmp

Filesize
4KB

Download
memory/2320-46-0x0000000000000000-mapping.dmp

Download
memory/2320-48-0x0000000071E70000-0x000000007255E000-memory.dmp

Filesize
6.9MB

Download
memory/2476-65-0x0000000000000000-mapping.dmp

Download
memory/4056-22-0x0000000000564000-0x0000000000567000-memory.dmp

Filesize
12KB

Download
memory/4056-20-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/4056-18-0x0000000000000000-mapping.dmp

Download
memory/4664-97-0x00000000063D0000-0x00000000063D1000-memory.dmp

Filesize
4KB

Download
memory/4664-79-0x0000000000000000-mapping.dmp

Download
memory/4740-76-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/4740-91-0x00000000090E0000-0x00000000090E1000-memory.dmp

Filesize
4KB

Download
memory/4740-93-0x0000000009340000-0x0000000009341000-memory.dmp

Filesize
4KB

Download
memory/4740-95-0x0000000009320000-0x0000000009321000-memory.dmp

Filesize
4KB

Download
memory/4740-73-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/4740-66-0x0000000071AC0000-0x00000000721AE000-memory.dmp

Filesize
6.9MB

Download
memory/4740-63-0x0000000000000000-mapping.dmp

Download
memory/4768-0-0x00000000065E0000-0x00000000065E1000-memory.dmp

Filesize
4KB

Download
memory/5004-176-0x0000000000000000-mapping.dmp

Download
memory/5028-177-0x0000000000000000-mapping.dmp

Download