djvu | eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197

Analysis

max time kernel
150s
max time network
92s
platform
windows7_x64
resource
win7v20201028
submitted
13-02-2021 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B9B1.exe
Size

684KB
MD5

7efdbcd2dda98974f89290ce0a02cdc7
SHA1

cbae61ac09fe75b570bee392aa70310ef4d94362
SHA256

eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197
SHA512

b9d334d10bc4c02007efcdd789a4fb91bffa3790c8d8357f438cd167c86097acc0b6d4889c1b81de77c42e8b7d5f04f3a8dffca80adc2a9148051b68d1215adc

Score

10^/10

djvu taurus_stealer vidar discovery evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command-Line Interface

T1059

Processes:

mpcmdrun.exe

pid	Process
1768	mpcmdrun.exe

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus_stealer
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

Processes:

updatewin2.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

Executes dropped EXE 5 IoCs

Processes:

updatewin1.exeupdatewin1.exeupdatewin2.exeupdatewin.exe5.exe

pid	Process
1580	updatewin1.exe
1628	updatewin1.exe
1452	updatewin2.exe
1396	updatewin.exe
704	5.exe

Loads dropped DLL 20 IoCs

Processes:

B9B1.exeupdatewin1.exeupdatewin1.exeupdatewin.exe5.exe

pid	Process
1104	B9B1.exe
1580	updatewin1.exe
1580	updatewin1.exe
1580	updatewin1.exe
1580	updatewin1.exe
1580	updatewin1.exe
1628	updatewin1.exe
1628	updatewin1.exe
1628	updatewin1.exe
1104	B9B1.exe
1104	B9B1.exe
1396	updatewin.exe
1396	updatewin.exe
1396	updatewin.exe
1104	B9B1.exe
1104	B9B1.exe
704	5.exe
704	5.exe
704	5.exe
704	5.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
948	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

B9B1.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b3b4016d-2de3-4020-8206-f7f4735a7fc2\\B9B1.exe\" --AutoStart"	B9B1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
15	api.2ip.ua
6	api.2ip.ua
7	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2044	timeout.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
624	taskkill.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

B9B1.exeB9B1.exe5.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	B9B1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	B9B1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	B9B1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	B9B1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	B9B1.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

B9B1.exeB9B1.exepowershell.exepowershell.exepowershell.exe5.exe

pid	Process
1968	B9B1.exe
1968	B9B1.exe
1104	B9B1.exe
1104	B9B1.exe
328	powershell.exe
328	powershell.exe
328	powershell.exe
436	powershell.exe
436	powershell.exe
1376	powershell.exe
704	5.exe
704	5.exe
704	5.exe
704	5.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exeupdatewin.exepowershell.exepowershell.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	328	powershell.exe
Token: SeRestorePrivilege	1396	updatewin.exe
Token: SeBackupPrivilege	1396	updatewin.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	624	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B9B1.exeB9B1.exeupdatewin1.exeupdatewin1.exeupdatewin.execmd.exe

description	pid	Process	procid_target
PID 1968 wrote to memory of 948	1968	B9B1.exe	31
PID 1968 wrote to memory of 948	1968	B9B1.exe	31
PID 1968 wrote to memory of 948	1968	B9B1.exe	31
PID 1968 wrote to memory of 948	1968	B9B1.exe	31
PID 1968 wrote to memory of 1104	1968	B9B1.exe	32
PID 1968 wrote to memory of 1104	1968	B9B1.exe	32
PID 1968 wrote to memory of 1104	1968	B9B1.exe	32
PID 1968 wrote to memory of 1104	1968	B9B1.exe	32
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1104 wrote to memory of 1580	1104	B9B1.exe	33
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1580 wrote to memory of 1628	1580	updatewin1.exe	34
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1104 wrote to memory of 1452	1104	B9B1.exe	36
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1628 wrote to memory of 328	1628	updatewin1.exe	37
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 1396	1104	B9B1.exe	39
PID 1104 wrote to memory of 704	1104	B9B1.exe	40
PID 1104 wrote to memory of 704	1104	B9B1.exe	40
PID 1104 wrote to memory of 704	1104	B9B1.exe	40
PID 1104 wrote to memory of 704	1104	B9B1.exe	40
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 1396 wrote to memory of 916	1396	updatewin.exe	41
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 916 wrote to memory of 2044	916	cmd.exe	43
PID 1628 wrote to memory of 436	1628	updatewin1.exe	44
PID 1628 wrote to memory of 436	1628	updatewin1.exe	44
PID 1628 wrote to memory of 436	1628	updatewin1.exe	44

C:\Users\Admin\AppData\Local\Temp\B9B1.exe
"C:\Users\Admin\AppData\Local\Temp\B9B1.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\b3b4016d-2de3-4020-8206-f7f4735a7fc2" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:948
- C:\Users\Admin\AppData\Local\Temp\B9B1.exe
  "C:\Users\Admin\AppData\Local\Temp\B9B1.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe
    "C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe
      "C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe" --Admin
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Program Files\Windows Defender\mpcmdrun.exe
        
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        5⤵
        Deletes Windows Defender Definitions
        
        PID:1768
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
        5⤵
        
        PID:624
- - C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin2.exe
    "C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin2.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:1452
- - C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe
    "C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2044
- - C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\5.exe
    "C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:704
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\5.exe & exit
      4⤵
      PID:436
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
af84fc28cfe68a1b40e47b613d04beef

SHA1
0683f6f1d4deb53d0dd030bc6f7afd64fc2ac1e9

SHA256
3217f5d319ad13cebfdcaddb0dc6fa98b188654393ea72a2816cd627e58d0403

SHA512
0549c01465bfc1adf7da06dd10440e4344e4c77d04ec4e6d1641de972adcc2c551e5d9735fcb645a08bd6c294a30632dd97149e32a66561453bd08b37710892d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
e92176b0889cc1bb97114beb2f3c1728

SHA1
ad1459d390ec23ab1c3da73ff2fbec7fa3a7f443

SHA256
58a4f38ba43f115ba3f465c311eaaf67f43d92e580f7f153de3ab605fc9900f3

SHA512
cd2267ba2f08d2f87538f5b4f8d3032638542ac3476863a35f0df491eb3a84458ce36c06e8c1bd84219f5297b6f386748e817945a406082fa8e77244ec229d8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
71bdeac261b22c9ba2b4783a9b37a828

SHA1
69757551c9f47e1b8202dd98af8ba4a2d7af2a33

SHA256
4c84e1884e5743a518ce9bf84b7e497af037d207c042d6d277f1232e7d5c18ee

SHA512
73fa4aad33a1d92e6ba17d859b0d0abfb33131a31752e6daac464ecaf82791509b2d9927c949e4c12b38b0a8ad7c9eceb21c97d4a1abe5dfaf360c1182d3fe7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

MD5
855c10e04e4ef4d98b13dc66cf75ee7b

SHA1
2cd502ac8417e1eefd263edc8da31bc9e928f0c5

SHA256
da29fb787b6f05ed23a4fc96192174708efafbb1f855c2a2dc91eec61a73c5ee

SHA512
8579442591fe8d54efa987bbd492b6c3da820c240abd429dc258ef5d82b0010461f6a5ebf1a2986893171619daf0d3afa5b8fee56b2a35034f86997177bf4933

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
ccd32e8071c23c2151b78ac794323ad7

SHA1
29360709d87edd0279608b9f6a0727870172c7c6

SHA256
d2e64906d44c9baf6ef336cbde007c0c519961c6daecde36616efd029a0f6f06

SHA512
ed1c4d288a3682b52b16d87cd8448088de85ba5a16811b5d2cf7d1cafa38088e114c5a8545c23c57cc9a87b287231deb227d4421f15d7a2e52d311207bf5dc91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
d02853eb8965f6822d3964ac082cd1aa

SHA1
89abfa1d58ada269acb40f99941d89856fbb166a

SHA256
dd1f478b63e84a587590e75a035d853c23e6c195dd288cf05a8eca2d60f66571

SHA512
eed83f34d8126b40b863d0709c85a926df9f0f9b89a910186ccc82650db89599ec4daa70215cdbc00d8d23a16840c5a8dffcff62840e52478fd6eaefe59a2b08

Download Submit
C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\5.exe

MD5
5f687ad24b2feb486b8afc6aaab95baa

SHA1
2a62b913d21738e016b0ff8e707d7223d7add757

SHA256
c1fd5b744ec1119e4d2340e68d38c9f58752c6cac4432f11162cc951c754f1a4

SHA512
a988535679b23d81c4065f4a63bced1845fbeec356ddcde9921613c9ac341d058125503dbd4e6baa00ef1119893f6c5ef4077e23b3c84dcac2f543aa60897c48

Download Submit
C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\5.exe

MD5
5f687ad24b2feb486b8afc6aaab95baa

SHA1
2a62b913d21738e016b0ff8e707d7223d7add757

SHA256
c1fd5b744ec1119e4d2340e68d38c9f58752c6cac4432f11162cc951c754f1a4

SHA512
a988535679b23d81c4065f4a63bced1845fbeec356ddcde9921613c9ac341d058125503dbd4e6baa00ef1119893f6c5ef4077e23b3c84dcac2f543aa60897c48

Download Submit
C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe

MD5
9010fa92cc83afe00fab38703e6ffa77

SHA1
4d603ec27d02d84a65d1555c2df0896d7675fafc

SHA256
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75

SHA512
a39ea249da189fedd5f8d1c13d03693626c70ba08c69c4ec76396d3475c5480e98c8dba1da0b74089252d8d781fc050e4eed9346b648ccbb42e22cf6d15399e8

Download Submit
C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe

MD5
9010fa92cc83afe00fab38703e6ffa77

SHA1
4d603ec27d02d84a65d1555c2df0896d7675fafc

SHA256
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75

SHA512
a39ea249da189fedd5f8d1c13d03693626c70ba08c69c4ec76396d3475c5480e98c8dba1da0b74089252d8d781fc050e4eed9346b648ccbb42e22cf6d15399e8

Download Submit
C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin2.exe

MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c

MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8

MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422

MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf

MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6

MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7f45a795-9723-4ae3-b7ea-79ea7f92b87a

MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134

MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
fb44158c4b9adf4f901d1f5a2fc43f70

SHA1
2f8b54c724f0c5346e0ea68086e94399856ab4f6

SHA256
4966bcf66c163d905e369bf681a90fffd79af6cfdb6711d4f6d0ac779e54bd17

SHA512
f1f52a37e64a7ddd8e1b9277ce75b5dc1dd9d55bbcd4ff076e874606a6abc860daf44d6942acf9459d4c9eaad3ef01d97a1eda77341bf947982554e4b6b48490

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat

MD5
e4340555423aa4e06b3d7e8c0cb19f8b

SHA1
9b0b8fe1e82a7bff88a098266d9919c26d64f04d

SHA256
a8ee9c00d7fb672710c7c69e3c2d3066b723f0e3e6749e93c508d4614253e358

SHA512
8104459ecd649e72d94341dad4b1ed97c34327d67358e5e6b7b8255370810cc5f3545e2e7d9e367460f13e045818786a2e2f85e0aca023bc796a9ed69cae1b59

Download Submit
C:\Users\Admin\AppData\Local\b3b4016d-2de3-4020-8206-f7f4735a7fc2\B9B1.exe

MD5
7efdbcd2dda98974f89290ce0a02cdc7

SHA1
cbae61ac09fe75b570bee392aa70310ef4d94362

SHA256
eb8de87523800e3aa747857a06938f3af3856fbd42be025688e2ff50248ac197

SHA512
b9d334d10bc4c02007efcdd789a4fb91bffa3790c8d8357f438cd167c86097acc0b6d4889c1b81de77c42e8b7d5f04f3a8dffca80adc2a9148051b68d1215adc

Download Submit
C:\Users\Admin\AppData\Local\script.ps1

MD5
f972c62f986b5ed49ad7713d93bf6c9f

SHA1
4e157002bdb97e9526ab97bfafbf7c67e1d1efbf

SHA256
b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8

SHA512
2c9e2e1b8b6cb5ffe3edf5dfbc2c3b917cd15ba6a5e5264207a43b02ce7020f44f5088aca195f7b428699f0d6bd693ce557a0227d67bbb4795e350a97314e9c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
4f7c53b0f8e9a88f51adaa1873f49037

SHA1
f2de9c924c7f1314b3b4c5ea514fefb4d238735a

SHA256
dad1be5500061cf7889abc60a6f0156b4517cc6a4a2e5825df7b3c066198bb06

SHA512
31a54d8fe0ed138e58021237f6712cc94029c8ab4825566be43865ac12e356bf37eeace43a2a9c8d002c7bf791912a3d875ede20fc1f8581a21e1940ba77cb5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
7450fac37cb7503a1732a35244a9ba87

SHA1
ddfe492969405bb1fb861e96aa5d226bda1bcebc

SHA256
d4282031b8873f937b920484849f122003f9908ab1a5b7c4f2b53bbce5298d0e

SHA512
bedd0e339ab4c40a9529f0d80eb1e9bb7e5d9fcd429a869d0cd12ad63b90192cf9a588eece3c5e3bc9cc934559521dc65310900e11bf0a38f2c501203b98249a

Download Submit
\ProgramData\mozglue.dll

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\5.exe

MD5
5f687ad24b2feb486b8afc6aaab95baa

SHA1
2a62b913d21738e016b0ff8e707d7223d7add757

SHA256
c1fd5b744ec1119e4d2340e68d38c9f58752c6cac4432f11162cc951c754f1a4

SHA512
a988535679b23d81c4065f4a63bced1845fbeec356ddcde9921613c9ac341d058125503dbd4e6baa00ef1119893f6c5ef4077e23b3c84dcac2f543aa60897c48

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\5.exe

MD5
5f687ad24b2feb486b8afc6aaab95baa

SHA1
2a62b913d21738e016b0ff8e707d7223d7add757

SHA256
c1fd5b744ec1119e4d2340e68d38c9f58752c6cac4432f11162cc951c754f1a4

SHA512
a988535679b23d81c4065f4a63bced1845fbeec356ddcde9921613c9ac341d058125503dbd4e6baa00ef1119893f6c5ef4077e23b3c84dcac2f543aa60897c48

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe

MD5
9010fa92cc83afe00fab38703e6ffa77

SHA1
4d603ec27d02d84a65d1555c2df0896d7675fafc

SHA256
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75

SHA512
a39ea249da189fedd5f8d1c13d03693626c70ba08c69c4ec76396d3475c5480e98c8dba1da0b74089252d8d781fc050e4eed9346b648ccbb42e22cf6d15399e8

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe

MD5
9010fa92cc83afe00fab38703e6ffa77

SHA1
4d603ec27d02d84a65d1555c2df0896d7675fafc

SHA256
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75

SHA512
a39ea249da189fedd5f8d1c13d03693626c70ba08c69c4ec76396d3475c5480e98c8dba1da0b74089252d8d781fc050e4eed9346b648ccbb42e22cf6d15399e8

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe

MD5
9010fa92cc83afe00fab38703e6ffa77

SHA1
4d603ec27d02d84a65d1555c2df0896d7675fafc

SHA256
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75

SHA512
a39ea249da189fedd5f8d1c13d03693626c70ba08c69c4ec76396d3475c5480e98c8dba1da0b74089252d8d781fc050e4eed9346b648ccbb42e22cf6d15399e8

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin.exe

MD5
9010fa92cc83afe00fab38703e6ffa77

SHA1
4d603ec27d02d84a65d1555c2df0896d7675fafc

SHA256
38e6f4d8f53e8a38950594d9588cb00218bf46113c51b5241771181a521b9c75

SHA512
a39ea249da189fedd5f8d1c13d03693626c70ba08c69c4ec76396d3475c5480e98c8dba1da0b74089252d8d781fc050e4eed9346b648ccbb42e22cf6d15399e8

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin1.exe

MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\5d0cf677-4235-4566-98cf-31efbebbf62d\updatewin2.exe

MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
memory/328-65-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/328-62-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/328-104-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/328-64-0x0000000001F02000-0x0000000001F03000-memory.dmp

Filesize
4KB

Download
memory/328-45-0x0000000000000000-mapping.dmp

Download
memory/328-99-0x0000000006420000-0x0000000006421000-memory.dmp

Filesize
4KB

Download
memory/328-92-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/328-91-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/328-86-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/328-61-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/328-52-0x0000000072EC0000-0x00000000735AE000-memory.dmp

Filesize
6.9MB

Download
memory/328-74-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/328-63-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/436-106-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/436-118-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/436-107-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/436-157-0x0000000000000000-mapping.dmp

Download
memory/436-100-0x0000000000000000-mapping.dmp

Download
memory/436-109-0x00000000012F0000-0x00000000012F1000-memory.dmp

Filesize
4KB

Download
memory/436-103-0x00000000727D0000-0x0000000072EBE000-memory.dmp

Filesize
6.9MB

Download
memory/436-105-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/436-110-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/436-108-0x00000000029B2000-0x00000000029B3000-memory.dmp

Filesize
4KB

Download
memory/624-126-0x0000000000000000-mapping.dmp

Download
memory/624-158-0x0000000000000000-mapping.dmp

Download
memory/704-82-0x0000000000230000-0x00000000002B8000-memory.dmp

Filesize
544KB

Download
memory/704-68-0x0000000000000000-mapping.dmp

Download
memory/704-83-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/704-75-0x0000000003BB0000-0x0000000003BC1000-memory.dmp

Filesize
68KB

Download
memory/916-69-0x0000000000000000-mapping.dmp

Download
memory/948-11-0x0000000000000000-mapping.dmp

Download
memory/1104-17-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1104-13-0x0000000000000000-mapping.dmp

Download
memory/1104-14-0x0000000000A30000-0x0000000000A41000-memory.dmp

Filesize
68KB

Download
memory/1376-131-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/1376-132-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1376-137-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/1376-119-0x0000000000000000-mapping.dmp

Download
memory/1376-154-0x00000000064E0000-0x00000000064E1000-memory.dmp

Filesize
4KB

Download
memory/1376-155-0x00000000064F0000-0x00000000064F1000-memory.dmp

Filesize
4KB

Download
memory/1376-123-0x0000000072EC0000-0x00000000735AE000-memory.dmp

Filesize
6.9MB

Download
memory/1376-124-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1376-142-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/1376-129-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1376-130-0x0000000004C42000-0x0000000004C43000-memory.dmp

Filesize
4KB

Download
memory/1396-54-0x0000000000000000-mapping.dmp

Download
memory/1452-43-0x0000000000000000-mapping.dmp

Download
memory/1452-51-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1452-47-0x0000000001FB0000-0x0000000001FC1000-memory.dmp

Filesize
68KB

Download
memory/1580-32-0x0000000001E80000-0x0000000001E91000-memory.dmp

Filesize
68KB

Download
memory/1580-25-0x0000000000000000-mapping.dmp

Download
memory/1580-49-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1628-35-0x0000000000000000-mapping.dmp

Download
memory/1628-41-0x0000000002140000-0x0000000002151000-memory.dmp

Filesize
68KB

Download
memory/1768-122-0x0000000000000000-mapping.dmp

Download
memory/1816-6-0x000007FEF5E90000-0x000007FEF610A000-memory.dmp

Filesize
2.5MB

Download
memory/1968-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1968-4-0x0000000000940000-0x0000000000A5A000-memory.dmp

Filesize
1.1MB

Download
memory/1968-2-0x0000000000BF0000-0x0000000000C01000-memory.dmp

Filesize
68KB

Download
memory/1968-3-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/2044-72-0x0000000000000000-mapping.dmp

Download