djvu | 3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60

Analysis

max time kernel
36s
max time network
122s
platform
windows7_x64
resource
win7v20210408
submitted
10-06-2021 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b7829cb6f27c9382e48822f36ce2b03.exe
Size

859KB
MD5

6b7829cb6f27c9382e48822f36ce2b03
SHA1

190cd052a6de77dfa081172a7917dde892632d97
SHA256

3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60
SHA512

3a1f2edd75ed62939cfe4a3becef1cf844fbd9e04786e007f13688812dd8f292561b2092153f1ab19d46fa1a20163805184ddbdea9dda8dbc23963525362909b

Score

10^/10

djvu vidar 517 discovery evasion persistence ransomware stealer

Malware Config

Extracted

Family

vidar

Version

39.3

Botnet

517

https://bandakere.tumblr.com/

Attributes

profile_id
517

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Processes:

mpcmdrun.exe

pid process

580 mpcmdrun.exe

pid	process
580	mpcmdrun.exe

Detected Djvu ransomeware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1700-60-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1700-61-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1644-63-0x0000000001DB0000-0x0000000001ECB000-memory.dmp	family_djvu
behavioral1/memory/1700-64-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1620-69-0x0000000000424141-mapping.dmp	family_djvu
behavioral1/memory/1620-78-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1104-161-0x0000000000400000-0x000000000049B000-memory.dmp	family_vidar
behavioral1/memory/1656-165-0x0000000000220000-0x00000000002B8000-memory.dmp	family_vidar
behavioral1/memory/1104-162-0x00000000004680AD-mapping.dmp	family_vidar

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

updatewin2.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts updatewin2.exe
Executes dropped EXE 5 IoCs

Processes:

updatewin1.exeupdatewin1.exeupdatewin2.exe5.exe5.exe

pid process

964 updatewin1.exe
944 updatewin1.exe
580 updatewin2.exe
1656 5.exe
1104 5.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

pid	process
964	updatewin1.exe
944	updatewin1.exe
580	updatewin2.exe
1656	5.exe
1104	5.exe

Loads dropped DLL 12 IoCs

Processes:

6b7829cb6f27c9382e48822f36ce2b03.exeupdatewin1.exeupdatewin1.exe

pid	process
1620	6b7829cb6f27c9382e48822f36ce2b03.exe
964	updatewin1.exe
964	updatewin1.exe
964	updatewin1.exe
964	updatewin1.exe
964	updatewin1.exe
944	updatewin1.exe
944	updatewin1.exe
944	updatewin1.exe
1620	6b7829cb6f27c9382e48822f36ce2b03.exe
1620	6b7829cb6f27c9382e48822f36ce2b03.exe
1620	6b7829cb6f27c9382e48822f36ce2b03.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1584 icacls.exe

pid	process
1584	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6b7829cb6f27c9382e48822f36ce2b03.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\30f22ef8-8950-4b66-ba63-da3c8a0b51cb\\6b7829cb6f27c9382e48822f36ce2b03.exe\" --AutoStart"	6b7829cb6f27c9382e48822f36ce2b03.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.2ip.ua
5 api.2ip.ua
13 api.2ip.ua

flow	ioc
4	api.2ip.ua
5	api.2ip.ua
13	api.2ip.ua

Suspicious use of SetThreadContext 3 IoCs

Processes:

6b7829cb6f27c9382e48822f36ce2b03.exe6b7829cb6f27c9382e48822f36ce2b03.exe5.exe

description	pid	process	target process
PID 1644 set thread context of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 set thread context of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1656 set thread context of 1104	1656	5.exe	5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

524 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

328 taskkill.exe

pid	process
524	timeout.exe

pid	process
328	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6b7829cb6f27c9382e48822f36ce2b03.exe6b7829cb6f27c9382e48822f36ce2b03.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6b7829cb6f27c9382e48822f36ce2b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	6b7829cb6f27c9382e48822f36ce2b03.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6b7829cb6f27c9382e48822f36ce2b03.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	6b7829cb6f27c9382e48822f36ce2b03.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6b7829cb6f27c9382e48822f36ce2b03.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

6b7829cb6f27c9382e48822f36ce2b03.exe6b7829cb6f27c9382e48822f36ce2b03.exepowershell.exepowershell.exe

pid	process
1700	6b7829cb6f27c9382e48822f36ce2b03.exe
1700	6b7829cb6f27c9382e48822f36ce2b03.exe
1620	6b7829cb6f27c9382e48822f36ce2b03.exe
1620	6b7829cb6f27c9382e48822f36ce2b03.exe
1908	powershell.exe
1908	powershell.exe
1908	powershell.exe
1408	powershell.exe
1408	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1908 powershell.exe
Token: SeDebugPrivilege 1408 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b7829cb6f27c9382e48822f36ce2b03.exe6b7829cb6f27c9382e48822f36ce2b03.exe6b7829cb6f27c9382e48822f36ce2b03.exe6b7829cb6f27c9382e48822f36ce2b03.exeupdatewin1.exeupdatewin1.exe

description	pid	process	target process
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1644 wrote to memory of 1700	1644	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1700 wrote to memory of 1584	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	icacls.exe
PID 1700 wrote to memory of 1584	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	icacls.exe
PID 1700 wrote to memory of 1584	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	icacls.exe
PID 1700 wrote to memory of 1584	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	icacls.exe
PID 1700 wrote to memory of 1100	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1700 wrote to memory of 1100	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1700 wrote to memory of 1100	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1700 wrote to memory of 1100	1700	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1100 wrote to memory of 1620	1100	6b7829cb6f27c9382e48822f36ce2b03.exe	6b7829cb6f27c9382e48822f36ce2b03.exe
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin1.exe
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin1.exe
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin1.exe
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin1.exe
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin1.exe
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin1.exe
PID 1620 wrote to memory of 964	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin1.exe
PID 964 wrote to memory of 944	964	updatewin1.exe	updatewin1.exe
PID 964 wrote to memory of 944	964	updatewin1.exe	updatewin1.exe
PID 964 wrote to memory of 944	964	updatewin1.exe	updatewin1.exe
PID 964 wrote to memory of 944	964	updatewin1.exe	updatewin1.exe
PID 964 wrote to memory of 944	964	updatewin1.exe	updatewin1.exe
PID 964 wrote to memory of 944	964	updatewin1.exe	updatewin1.exe
PID 964 wrote to memory of 944	964	updatewin1.exe	updatewin1.exe
PID 944 wrote to memory of 1908	944	updatewin1.exe	powershell.exe
PID 944 wrote to memory of 1908	944	updatewin1.exe	powershell.exe
PID 944 wrote to memory of 1908	944	updatewin1.exe	powershell.exe
PID 944 wrote to memory of 1908	944	updatewin1.exe	powershell.exe
PID 944 wrote to memory of 1908	944	updatewin1.exe	powershell.exe
PID 944 wrote to memory of 1908	944	updatewin1.exe	powershell.exe
PID 944 wrote to memory of 1908	944	updatewin1.exe	powershell.exe
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin2.exe
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin2.exe
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin2.exe
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin2.exe
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin2.exe
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin2.exe
PID 1620 wrote to memory of 580	1620	6b7829cb6f27c9382e48822f36ce2b03.exe	updatewin2.exe
PID 944 wrote to memory of 1408	944	updatewin1.exe	powershell.exe
PID 944 wrote to memory of 1408	944	updatewin1.exe	powershell.exe
PID 944 wrote to memory of 1408	944	updatewin1.exe	powershell.exe
PID 944 wrote to memory of 1408	944	updatewin1.exe	powershell.exe
PID 944 wrote to memory of 1408	944	updatewin1.exe	powershell.exe
PID 944 wrote to memory of 1408	944	updatewin1.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
"C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
"C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\30f22ef8-8950-4b66-ba63-da3c8a0b51cb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1584

C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
"C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe
"C:\Users\Admin\AppData\Local\Temp\6b7829cb6f27c9382e48822f36ce2b03.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
"C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
"C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe" --Admin
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
8⤵
PID:1968

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
7⤵
- Deletes Windows Defender Definitions
PID:580

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
7⤵
PID:820

C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin2.exe
"C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin2.exe"
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:580

C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe
"C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1656

C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe
"C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe"
6⤵
- Executes dropped EXE
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:884

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
8⤵
- Kills process with taskkill
PID:328

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
6c9d7335581aad68a97c8651f474f247

SHA1
c85ceebbfc152ee38955e1e677c6c0529383d442

SHA256
1ced81b3342e00024e68783e8c12177553655371248312d887410b1069734d37

SHA512
db983e883dbe5ac06482f54460d8395fbe11cb7fc22aa78d6cfe239f3c45316f8024655ab7a8dd7fd8f28d881150fe1bb8611a21b36af869b5a1fecdb89538ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
6045baccf49e1eba0e674945311a06e6

SHA1
379c6234849eecede26fad192c2ee59e0f0221cb

SHA256
65830a65cb913bee83258e4ac3e140faf131e7eb084d39f7020c7acc825b0a58

SHA512
da32af6a730884e73956e4eb6bff61a1326b3ef8ba0a213b5b4aad6de4fbd471b3550b6ac2110f1d0b2091e33c70d44e498f897376f8e1998b1d2afac789abeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
6eec4fd7b63862772cd27236afa8df42

SHA1
3e88ba24bd67164a7a23b12479bb2240d9bbe396

SHA256
c8dbf29a64bd19425d670fa773a0de234fe3af8eac26d1b87e3ac2afa7cd938d

SHA512
6a160db1c792e72b3571248d1f0c47f2ebcbc23edb64546b201a2f27655e560532e85c3515b93619062333c261e8fefb40384fb548546f016f2776b3819da940

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
dc30000130468201bf69bc5d7e927371

SHA1
efcf704b21a2735ad3753160756c1f2c1b3b339c

SHA256
6f0dad1af029d2cc848ab8720754427b559f591c08f7c18db086ae9d3fad1c69

SHA512
db04932c35202d25d93a3a77e4de93636485ef1f460edb52b48dedbe3ed9a5f2cc5628d408c8340498d1ba8569f8fcec347d6f418e2f913fd1f63800c1f0babd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a646c1f3e5f1a16cd2726e22ed71ee0b

SHA1
606fb6ef92e09284fc7a65f1e148effdda8ed002

SHA256
8a0eefe72f8fb719cbf0951d90dd51344c6f36ac089c200b8e76a63e3f5c4437

SHA512
a4c2e538242b5f307cd1b55c72b9db1ce10dcb503b5f77d1e2b68c6e2e54987ba1d8be8b89a8250b9264690ca0470cfb6ff378809f65890d4a841e75ba532ed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
e8e440e3636e3710c2965c02a4eacf4c

SHA1
d563b4e91758687402306b2b39937f33c580654b

SHA256
96fbf8d829db43878cfb7ff2cc45a48fcf85ee65de225a0ad5707cdb6494022b

SHA512
5605d0ea18a15de1005fbe15836044614eeede0e8062bf865ee7dc9c491002b8f5a407ce3bbf2de564569202f407fe7be36d88025e6bbeaa7ec8e460f002d0ff

Download Submit
C:\Users\Admin\AppData\Local\30f22ef8-8950-4b66-ba63-da3c8a0b51cb\6b7829cb6f27c9382e48822f36ce2b03.exe
MD5
6b7829cb6f27c9382e48822f36ce2b03

SHA1
190cd052a6de77dfa081172a7917dde892632d97

SHA256
3e4676b65c821a9509ba52b43e12248a75cc8f68b212d9852786cc6424003d60

SHA512
3a1f2edd75ed62939cfe4a3becef1cf844fbd9e04786e007f13688812dd8f292561b2092153f1ab19d46fa1a20163805184ddbdea9dda8dbc23963525362909b

Download Submit
C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe
MD5
a9b0f21cb30e239e1f3af96eb376a0ba

SHA1
d72a31a0f8ade8bddab2f4bbc4b0c65886f09b92

SHA256
18076f163aef93f57db14eece15b18ca68f344da2f4c59a329de178752f14e2c

SHA512
8cee0ff718455d5d157f74ba2fda9e73d26b33319f9d98df2f9049910f5fe0c25aacdc066df3b65e5adbe22e2fb470498304481b440e15a487d1411ba69c429f

Download Submit
C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe
MD5
a9b0f21cb30e239e1f3af96eb376a0ba

SHA1
d72a31a0f8ade8bddab2f4bbc4b0c65886f09b92

SHA256
18076f163aef93f57db14eece15b18ca68f344da2f4c59a329de178752f14e2c

SHA512
8cee0ff718455d5d157f74ba2fda9e73d26b33319f9d98df2f9049910f5fe0c25aacdc066df3b65e5adbe22e2fb470498304481b440e15a487d1411ba69c429f

Download Submit
C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe
MD5
a9b0f21cb30e239e1f3af96eb376a0ba

SHA1
d72a31a0f8ade8bddab2f4bbc4b0c65886f09b92

SHA256
18076f163aef93f57db14eece15b18ca68f344da2f4c59a329de178752f14e2c

SHA512
8cee0ff718455d5d157f74ba2fda9e73d26b33319f9d98df2f9049910f5fe0c25aacdc066df3b65e5adbe22e2fb470498304481b440e15a487d1411ba69c429f

Download Submit
C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
C:\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f6697622d1be5e3766e5221748d9186e

SHA1
0ed32b78ce2df2f113e890398bc6fbd1cf5caf82

SHA256
cc3e27bfd4e0531fa2b818dc65ba4c58cc07cd5c096a69a8f1c9a65e3f8d5688

SHA512
644a327a1accf2e29cf8c1ff49a7160a78395031c0d993884dae6898241161c10e2251cf4100caeb92247d753d55ceaa9777c23423443f2a5c9fe84d46cd8582

Download Submit
C:\Users\Admin\AppData\Local\Temp\delself.bat
MD5
07b94fa60db1fbe29b53f1ca6cd99878

SHA1
ec612a15a95defa2a1a1965b0fcf281599b6495e

SHA256
b93abc1b19d182f458826934df0fbc86955308388e1f16f081397c170529d889

SHA512
d4a06dfc107eb8fe9e5d210717daf2396567f2e24fa534dc895bdc69fe447bc389424f44944bf9d71a3761397ec378d8008f8806e9c9b31b5f469cf15b734219

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
20716abcfce826dad8d67c561515c4b0

SHA1
d95a17f8c7323039c502e389a7fa0d71abb04633

SHA256
c1bf93f6a047a318fa91960b11e6364613001435d9c7f717dc3f8955ee002717

SHA512
5302e10dff7974f47c42a33c2bce7271bd2629fd7510b0e42501f28a513041dde8cae7bb71361d4c8c9ad12c7cf1fdfe13af28064221aa2f881ec895ff13cc32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
20716abcfce826dad8d67c561515c4b0

SHA1
d95a17f8c7323039c502e389a7fa0d71abb04633

SHA256
c1bf93f6a047a318fa91960b11e6364613001435d9c7f717dc3f8955ee002717

SHA512
5302e10dff7974f47c42a33c2bce7271bd2629fd7510b0e42501f28a513041dde8cae7bb71361d4c8c9ad12c7cf1fdfe13af28064221aa2f881ec895ff13cc32

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe
MD5
a9b0f21cb30e239e1f3af96eb376a0ba

SHA1
d72a31a0f8ade8bddab2f4bbc4b0c65886f09b92

SHA256
18076f163aef93f57db14eece15b18ca68f344da2f4c59a329de178752f14e2c

SHA512
8cee0ff718455d5d157f74ba2fda9e73d26b33319f9d98df2f9049910f5fe0c25aacdc066df3b65e5adbe22e2fb470498304481b440e15a487d1411ba69c429f

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\5.exe
MD5
a9b0f21cb30e239e1f3af96eb376a0ba

SHA1
d72a31a0f8ade8bddab2f4bbc4b0c65886f09b92

SHA256
18076f163aef93f57db14eece15b18ca68f344da2f4c59a329de178752f14e2c

SHA512
8cee0ff718455d5d157f74ba2fda9e73d26b33319f9d98df2f9049910f5fe0c25aacdc066df3b65e5adbe22e2fb470498304481b440e15a487d1411ba69c429f

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin1.exe
MD5
5b4bd24d6240f467bfbc74803c9f15b0

SHA1
c17f98c182d299845c54069872e8137645768a1a

SHA256
14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

SHA512
a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Download Submit
\Users\Admin\AppData\Local\507d6186-c533-48bc-b4d4-716e92cc8dd4\updatewin2.exe
MD5
996ba35165bb62473d2a6743a5200d45

SHA1
52169b0b5cce95c6905873b8d12a759c234bd2e0

SHA256
5caffdc76a562e098c471feaede5693f9ead92d5c6c10fb3951dd1fa6c12d21d

SHA512
2a7fb9bdf8dcf577ac851752f8875a710a3694b99d107c397942fce1392fd99ee0b85f1fddc18c33fba56d7b8fd4dda5f40f28e64d8398e6048c2ab140780634

Download Submit
memory/328-171-0x0000000000000000-mapping.dmp

Download
memory/524-172-0x0000000000000000-mapping.dmp

Download
memory/580-153-0x0000000000000000-mapping.dmp

Download
memory/580-102-0x0000000000000000-mapping.dmp

Download
memory/580-107-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/820-157-0x0000000000000000-mapping.dmp

Download
memory/884-170-0x0000000000000000-mapping.dmp

Download
memory/944-98-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/944-89-0x0000000000000000-mapping.dmp

Download
memory/964-97-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/964-80-0x0000000000000000-mapping.dmp

Download
memory/1100-67-0x0000000000000000-mapping.dmp

Download
memory/1104-162-0x00000000004680AD-mapping.dmp

Download
memory/1104-161-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1408-147-0x00000000062A0000-0x00000000062A1000-memory.dmp

Filesize
4KB

Download
memory/1408-135-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/1408-130-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1408-131-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/1408-132-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1408-133-0x0000000002090000-0x0000000002CDA000-memory.dmp

Filesize
12.3MB

Download
memory/1408-127-0x0000000000000000-mapping.dmp

Download
memory/1584-65-0x0000000000000000-mapping.dmp

Download
memory/1620-69-0x0000000000424141-mapping.dmp

Download
memory/1620-78-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1644-63-0x0000000001DB0000-0x0000000001ECB000-memory.dmp

Filesize
1.1MB

Download
memory/1656-165-0x0000000000220000-0x00000000002B8000-memory.dmp

Filesize
608KB

Download
memory/1656-138-0x0000000000000000-mapping.dmp

Download
memory/1700-64-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1700-61-0x0000000000424141-mapping.dmp

Download
memory/1700-62-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1700-60-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1908-112-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/1908-106-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

Filesize
4KB

Download
memory/1908-100-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1908-126-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/1908-95-0x0000000000000000-mapping.dmp

Download
memory/1908-119-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/1908-118-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/1908-99-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1908-117-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1908-105-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/1908-108-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1908-109-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1968-148-0x0000000000000000-mapping.dmp

Download
memory/1968-152-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1968-155-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1968-156-0x0000000004B52000-0x0000000004B53000-memory.dmp

Filesize
4KB

Download