Vr.rar

General

Target      0x000300000001a5a2-209.exe
Filesize    842KB
Completed   25-11-2020 10:47
Score       10/10
MD5         185749ffbb860d3e5b705b557d819702
SHA1        f09470a934d381cfc4e1504193eb58139061a645
SHA256      1c5319523b316c789c5c29e87675e580a9016b4624f197df889cb942c9a32bfa

Malware Config

Signatures 19

Tactics: Collection, Credential Access, Defense Evasion, Discovery, Execution, Persistence
  • Deletes Windows Defender Definitions
    mpcmdrun.exe

    Description

    Uses mpcmdrun utility to delete all AV definitions.

    TTPs

    Disabling Security Tools; Command-Line Interface

    Reported IOCs

    pid   process
    196   mpcmdrun.exe
  • Disables Task Manager via registry modification
  • Drops file in Drivers directory
    updatewin2.exe

    Reported IOCs

    description                    ioc                                     process
    File opened for modification   C:\Windows\System32\drivers\etc\hosts   updatewin2.exe
  • Executes dropped EXE
    updatewin1.exe, updatewin2.exe, updatewin1.exe, 5.exe

    Reported IOCs

    pid    process
    1584   updatewin1.exe
    1764   updatewin2.exe
    4056   updatewin1.exe
    4664   5.exe
  • Loads dropped DLL
    5.exe

    Reported IOCs

    pid    process
    4664   5.exe
    4664   5.exe
  • Modifies file permissions
    icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid   process
    556   icacls.exe
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Accesses 2FA software files, possible credential harvesting

    TTPs

    Data from Local System; Credentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application
    0x000300000001a5a2-209.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description       ioc   process
    Set value (str)   \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\cfb152a9-386d-48e7-aa9e-bd6a6fd0b7ff\\0x000300000001a5a2-209.exe\" --AutoStart"   0x000300000001a5a2-209.exe
  • JavaScript code in executable

    Reported IOCs

    resource                                         yara_rule
    behavioral18/files/0x000100000001ab8c-170.dat    js
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow   ioc
    14     api.2ip.ua
    15     api.2ip.ua
    22     api.2ip.ua
    33     ip-api.com
  • Checks processor information in registry
    5.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description         ioc                                                                              process
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                 5.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   5.exe
  • Kills process with taskkill
    taskkill.exe

    Reported IOCs

    pid    process
    5028   taskkill.exe
  • Modifies system certificate store
    0x000300000001a5a2-209.exe

    TTPs

    Install Root Certificate; Modify Registry

    Reported IOCs

    description        ioc   process
    Key created        \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349   0x000300000001a5a2-209.exe
    Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob elided]   0x000300000001a5a2-209.exe
  • Suspicious behavior: EnumeratesProcesses
    0x000300000001a5a2-209.exe, 0x000300000001a5a2-209.exe, powershell.exe, powershell.exe, powershell.exe, 5.exe

    Reported IOCs

    pid    process
    4768   0x000300000001a5a2-209.exe
    4768   0x000300000001a5a2-209.exe
    856    0x000300000001a5a2-209.exe
    856    0x000300000001a5a2-209.exe
    1000   powershell.exe
    1000   powershell.exe
    1000   powershell.exe
    1000   powershell.exe
    2320   powershell.exe
    2320   powershell.exe
    2320   powershell.exe
    4740   powershell.exe
    4740   powershell.exe
    4740   powershell.exe
    4664   5.exe
    4664   5.exe
    4664   5.exe
    4664   5.exe
    4664   5.exe
    4664   5.exe
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, powershell.exe, powershell.exe, taskkill.exe

    Reported IOCs

    description                pid    process
    Token: SeDebugPrivilege    1000   powershell.exe
    Token: SeDebugPrivilege    2320   powershell.exe
    Token: SeDebugPrivilege    4740   powershell.exe
    Token: SeDebugPrivilege    5028   taskkill.exe
  • Suspicious use of WriteProcessMemory
    0x000300000001a5a2-209.exe, 0x000300000001a5a2-209.exe, updatewin1.exe, updatewin1.exe, powershell.exe, 5.exe, cmd.exe

    Reported IOCs

    description                         pid    process                      target process
    PID 4768 wrote to memory of 556     4768   0x000300000001a5a2-209.exe   icacls.exe
    PID 4768 wrote to memory of 556     4768   0x000300000001a5a2-209.exe   icacls.exe
    PID 4768 wrote to memory of 556     4768   0x000300000001a5a2-209.exe   icacls.exe
    PID 4768 wrote to memory of 856     4768   0x000300000001a5a2-209.exe   0x000300000001a5a2-209.exe
    PID 4768 wrote to memory of 856     4768   0x000300000001a5a2-209.exe   0x000300000001a5a2-209.exe
    PID 4768 wrote to memory of 856     4768   0x000300000001a5a2-209.exe   0x000300000001a5a2-209.exe
    PID 856 wrote to memory of 1584     856    0x000300000001a5a2-209.exe   updatewin1.exe
    PID 856 wrote to memory of 1584     856    0x000300000001a5a2-209.exe   updatewin1.exe
    PID 856 wrote to memory of 1584     856    0x000300000001a5a2-209.exe   updatewin1.exe
    PID 856 wrote to memory of 1764     856    0x000300000001a5a2-209.exe   updatewin2.exe
    PID 856 wrote to memory of 1764     856    0x000300000001a5a2-209.exe   updatewin2.exe
    PID 856 wrote to memory of 1764     856    0x000300000001a5a2-209.exe   updatewin2.exe
    PID 1584 wrote to memory of 4056    1584   updatewin1.exe               updatewin1.exe
    PID 1584 wrote to memory of 4056    1584   updatewin1.exe               updatewin1.exe
    PID 1584 wrote to memory of 4056    1584   updatewin1.exe               updatewin1.exe
    PID 4056 wrote to memory of 1000    4056   updatewin1.exe               powershell.exe
    PID 4056 wrote to memory of 1000    4056   updatewin1.exe               powershell.exe
    PID 4056 wrote to memory of 1000    4056   updatewin1.exe               powershell.exe
    PID 4056 wrote to memory of 2320    4056   updatewin1.exe               powershell.exe
    PID 4056 wrote to memory of 2320    4056   updatewin1.exe               powershell.exe
    PID 4056 wrote to memory of 2320    4056   updatewin1.exe               powershell.exe
    PID 2320 wrote to memory of 4740    2320   powershell.exe               powershell.exe
    PID 2320 wrote to memory of 4740    2320   powershell.exe               powershell.exe
    PID 2320 wrote to memory of 4740    2320   powershell.exe               powershell.exe
    PID 4056 wrote to memory of 196     4056   updatewin1.exe               mpcmdrun.exe
    PID 4056 wrote to memory of 196     4056   updatewin1.exe               mpcmdrun.exe
    PID 4056 wrote to memory of 2476    4056   updatewin1.exe               cmd.exe
    PID 4056 wrote to memory of 2476    4056   updatewin1.exe               cmd.exe
    PID 4056 wrote to memory of 2476    4056   updatewin1.exe               cmd.exe
    PID 856 wrote to memory of 4664     856    0x000300000001a5a2-209.exe   5.exe
    PID 856 wrote to memory of 4664     856    0x000300000001a5a2-209.exe   5.exe
    PID 856 wrote to memory of 4664     856    0x000300000001a5a2-209.exe   5.exe
    PID 4664 wrote to memory of 5004    4664   5.exe                        cmd.exe
    PID 4664 wrote to memory of 5004    4664   5.exe                        cmd.exe
    PID 4664 wrote to memory of 5004    4664   5.exe                        cmd.exe
    PID 5004 wrote to memory of 5028    5004   cmd.exe                      taskkill.exe
    PID 5004 wrote to memory of 5028    5004   cmd.exe                      taskkill.exe
    PID 5004 wrote to memory of 5028    5004   cmd.exe                      taskkill.exe
Processes 14
  • C:\Users\Admin\AppData\Local\Temp\0x000300000001a5a2-209.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000300000001a5a2-209.exe"
    Adds Run key to start application
    Modifies system certificate store
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:4768
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\cfb152a9-386d-48e7-aa9e-bd6a6fd0b7ff" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Modifies file permissions
      PID:556
    • C:\Users\Admin\AppData\Local\Temp\0x000300000001a5a2-209.exe
      "C:\Users\Admin\AppData\Local\Temp\0x000300000001a5a2-209.exe" --Admin IsNotAutoStart IsNotTask
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:856
      • C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe
        "C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe"
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        PID:1584
        • C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe
          "C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe" --Admin
          Executes dropped EXE
          Suspicious use of WriteProcessMemory
          PID:4056
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            PID:1000
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of WriteProcessMemory
            PID:2320
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of AdjustPrivilegeToken
              PID:4740
          • C:\Program Files\Windows Defender\mpcmdrun.exe
            "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
            Deletes Windows Defender Definitions
            PID:196
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
            PID:2476
      • C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin2.exe
        "C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin2.exe"
        Drops file in Drivers directory
        Executes dropped EXE
        PID:1764
      • C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\5.exe
        "C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\5.exe"
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:4664
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\5.exe & exit
          Suspicious use of WriteProcessMemory
          PID:5004
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im 5.exe /f
            Kills process with taskkill
            Suspicious use of AdjustPrivilegeToken
            PID:5028
Network

MITRE ATT&CK Matrix

Tactics: Command and Control, Credential Access, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
  • C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\5.exe
  • C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin1.exe
  • C:\Users\Admin\AppData\Local\05930d1d-051b-4c0d-9db4-c91b601b7108\updatewin2.exe
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  • C:\Users\Admin\AppData\Local\Temp\delself.bat
  • C:\Users\Admin\AppData\Local\cfb152a9-386d-48e7-aa9e-bd6a6fd0b7ff\0x000300000001a5a2-209.exe
  • C:\Users\Admin\AppData\Local\script.ps1
  • \ProgramData\mozglue.dll
  • \ProgramData\nss3.dll