Analysis Overview
SHA256
08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712
Threat Level: Known bad
The file 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712 was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
HiveRAT
Warzone RAT Payload
HiveRAT Payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops startup file
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-11 02:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-11 02:40
Reported
2022-05-11 04:00
Platform
win7-20220414-en
Max time kernel
151s
Max time network
43s
Command Line
Signatures
HiveRAT
WarzoneRat, AveMaria
HiveRAT Payload
18 matches; the report carries no description, indicator, process or target for them.
Warzone RAT Payload
8 matches; the report carries no description, indicator, process or target for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
Loads dropped DLL
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1472 set thread context of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe |
| PID 888 set thread context of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Users\Admin\AppData\Local\Temp\2.exe |
| PID 940 set thread context of 112 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe |
| PID 428 set thread context of 852 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\3.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
Suspicious use of WriteProcessMemory
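The signatures above describe one pattern repeated by each dropped binary: a Temp-resident executable writes a copy into the user's Startup folder (the Files list shows Startup\MicrosoftExplorer.exe carrying the same hashes as 3.exe), launches a second instance of its own image, and then uses SetThreadContext and WriteProcessMemory on that child; the child PIDs 1712, 1264, 112 and 852 reappear in the memory dumps listed under Files. The Python below is an added example, not part of the Triage report, that replays constructed Sysmon-style events modelled on the behavioral1 run and raises the equivalent findings. Sysmon does not log SetThreadContext itself, so the stand-in is the ProcessAccess (Event ID 10) handle the parent has to hold on its child; the event records, PIDs and access mask are constructed for the example, and the field names follow Sysmon.

```python
"""Replay of the behaviours the signatures above describe over constructed
Sysmon-style events (Event ID 1 ProcessCreate, 10 ProcessAccess, 11 FileCreate).
Added example for this report; the events, PIDs and access masks are constructed."""
import ntpath

# Folder suffixes, compared case-insensitively against the directory part of a path.
STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
TEMP_DIR = "\\appdata\\local\\temp\\"

# GrantedAccess bits a parent needs on its child to overwrite and redirect it:
# PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME.
INJECT_MASK = 0x0008 | 0x0020 | 0x0800


def in_dir(path, folder):
    """True if the directory holding `path` ends with `folder` (case-insensitive)."""
    return (ntpath.dirname(path).lower() + "\\").endswith(folder)


def triage(events):
    """Walk events in order and return the findings as human-readable strings."""
    findings = []
    self_spawned = set()  # (parent PID, child PID) pairs where a Temp binary started itself
    for ev in events:
        if ev["EventID"] == 1:
            same_image = ev["Image"].lower() == ev["ParentImage"].lower()
            if same_image and in_dir(ev["Image"], TEMP_DIR):
                self_spawned.add((ev["ParentProcessId"], ev["ProcessId"]))
                findings.append(
                    f"self-spawn: PID {ev['ParentProcessId']} started a copy of "
                    f"{ntpath.basename(ev['Image'])} as PID {ev['ProcessId']}"
                )
        elif ev["EventID"] == 10:
            pair = (ev["SourceProcessId"], ev["TargetProcessId"])
            # Only a parent opening the child it just spawned, with write+suspend
            # rights, counts; WerFault opening a crashed process does not.
            if pair in self_spawned and ev["GrantedAccess"] & INJECT_MASK == INJECT_MASK:
                findings.append(
                    f"hollowing pattern: PID {pair[0]} opened its child PID {pair[1]} "
                    f"with GrantedAccess 0x{ev['GrantedAccess']:X}"
                )
        elif ev["EventID"] == 11:
            if in_dir(ev["TargetFilename"], STARTUP_DIR) and in_dir(ev["Image"], TEMP_DIR):
                findings.append(
                    f"startup persistence: {ntpath.basename(ev['Image'])} wrote {ev['TargetFilename']}"
                )
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"
ONE = r"C:\Users\Admin\AppData\Local\Temp\1.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed events modelled on the behavioral1 run.
EVENTS = [
    # PID 1472 launches a second copy of itself as PID 1712 ...
    {"EventID": 1, "ProcessId": 1712, "Image": SAMPLE, "ParentProcessId": 1472, "ParentImage": SAMPLE},
    # ... and opens it with full access before SetThreadContext/WriteProcessMemory.
    {"EventID": 10, "SourceProcessId": 1472, "TargetProcessId": 1712, "GrantedAccess": 0x1FFFFF},
    # 1.exe drops MSbuild.exe into the per-user Startup folder.
    {"EventID": 11, "Image": ONE, "TargetFilename": STARTUP + r"\MSbuild.exe"},
    # Controls that must not fire: cmd.exe spawning cmd.exe from System32,
    # Explorer placing a shortcut in Startup, WerFault opening the crashed 3.exe.
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentProcessId": 600, "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": STARTUP + r"\OneNote.lnk"},
    {"EventID": 10, "SourceProcessId": 1296, "TargetProcessId": 852, "GrantedAccess": 0x1FFFFF},
]

if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The three findings come out in event order (self-spawn, hollowing pattern, startup persistence) and none of the three control events fires. Tightening the access mask to exactly 0x1FFFFF or 0x1F0FFF would cut noise further at the cost of missing loaders that request only the bits they need.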
Processes
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 532
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
Files
memory/1472-54-0x0000000000060000-0x0000000000236000-memory.dmp
memory/1472-55-0x0000000074F21000-0x0000000074F23000-memory.dmp
memory/1472-56-0x0000000004DC0000-0x0000000004F90000-memory.dmp
\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
| MD5 | 31431004556597a633f858c122c85b60 |
| SHA1 | fea5847bb6a5daae2688e349c827e30c51b4485f |
| SHA256 | 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712 |
| SHA512 | 7ea9edb6586a04f95de3522bd6a9aac661a04bfdd66af9c5d76fc38c5412deee8053db2e3906bfebbcae3d80141aee263bc73ac12de13f1f1f3df8f72241c8bd |
memory/1712-58-0x0000000000400000-0x0000000000590000-memory.dmp
memory/1712-59-0x0000000000400000-0x0000000000590000-memory.dmp
memory/1712-61-0x0000000000400000-0x0000000000590000-memory.dmp
memory/1712-62-0x0000000000400000-0x0000000000590000-memory.dmp
memory/1712-63-0x0000000000400000-0x0000000000590000-memory.dmp
memory/1712-64-0x000000000058B57E-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
| MD5 | 31431004556597a633f858c122c85b60 |
| SHA1 | fea5847bb6a5daae2688e349c827e30c51b4485f |
| SHA256 | 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712 |
| SHA512 | 7ea9edb6586a04f95de3522bd6a9aac661a04bfdd66af9c5d76fc38c5412deee8053db2e3906bfebbcae3d80141aee263bc73ac12de13f1f1f3df8f72241c8bd |
memory/1712-67-0x0000000000400000-0x0000000000590000-memory.dmp
memory/1712-69-0x0000000000400000-0x0000000000590000-memory.dmp
memory/1712-70-0x00000000006D0000-0x00000000006D8000-memory.dmp
\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 36c32cd064db3a4769d8b8bd99c8500e |
| SHA1 | 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e |
| SHA256 | fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f |
| SHA512 | 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e |
memory/940-73-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 36c32cd064db3a4769d8b8bd99c8500e |
| SHA1 | 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e |
| SHA256 | fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f |
| SHA512 | 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e |
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 36c32cd064db3a4769d8b8bd99c8500e |
| SHA1 | 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e |
| SHA256 | fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f |
| SHA512 | 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e |
memory/940-76-0x0000000000F10000-0x0000000000F7A000-memory.dmp
\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | e1dd367f1baa8889afca69a79dd43abd |
| SHA1 | 786dc0378d1008490c9110cc30bcc6a11f6c3c3e |
| SHA256 | 56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9 |
| SHA512 | b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a |
memory/888-78-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | e1dd367f1baa8889afca69a79dd43abd |
| SHA1 | 786dc0378d1008490c9110cc30bcc6a11f6c3c3e |
| SHA256 | 56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9 |
| SHA512 | b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a |
memory/940-81-0x0000000000CD0000-0x0000000000D32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | e1dd367f1baa8889afca69a79dd43abd |
| SHA1 | 786dc0378d1008490c9110cc30bcc6a11f6c3c3e |
| SHA256 | 56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9 |
| SHA512 | b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a |
memory/888-83-0x0000000000080000-0x0000000000118000-memory.dmp
memory/428-86-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
C:\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
memory/428-89-0x0000000000BD0000-0x0000000000C68000-memory.dmp
memory/888-91-0x0000000000830000-0x00000000008C2000-memory.dmp
memory/428-92-0x0000000004710000-0x00000000047A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | e1dd367f1baa8889afca69a79dd43abd |
| SHA1 | 786dc0378d1008490c9110cc30bcc6a11f6c3c3e |
| SHA256 | 56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9 |
| SHA512 | b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a |
memory/1264-95-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1264-96-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1264-98-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1264-99-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1264-101-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1264-100-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1264-102-0x000000000044C85E-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | e1dd367f1baa8889afca69a79dd43abd |
| SHA1 | 786dc0378d1008490c9110cc30bcc6a11f6c3c3e |
| SHA256 | 56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9 |
| SHA512 | b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a |
memory/1264-105-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1264-107-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1264-110-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1264-109-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1264-111-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 36c32cd064db3a4769d8b8bd99c8500e |
| SHA1 | 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e |
| SHA256 | fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f |
| SHA512 | 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e |
\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 36c32cd064db3a4769d8b8bd99c8500e |
| SHA1 | 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e |
| SHA256 | fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f |
| SHA512 | 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e |
memory/1264-112-0x0000000000400000-0x0000000000454000-memory.dmp
\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 36c32cd064db3a4769d8b8bd99c8500e |
| SHA1 | 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e |
| SHA256 | fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f |
| SHA512 | 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e |
\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 36c32cd064db3a4769d8b8bd99c8500e |
| SHA1 | 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e |
| SHA256 | fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f |
| SHA512 | 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e |
memory/112-119-0x0000000000400000-0x0000000000554000-memory.dmp
memory/112-122-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1264-123-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 36c32cd064db3a4769d8b8bd99c8500e |
| SHA1 | 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e |
| SHA256 | fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f |
| SHA512 | 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e |
memory/112-126-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1264-129-0x0000000000400000-0x0000000000454000-memory.dmp
memory/112-130-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1264-131-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1264-133-0x0000000000400000-0x0000000000454000-memory.dmp
memory/112-132-0x0000000000400000-0x0000000000554000-memory.dmp
memory/112-136-0x0000000000400000-0x0000000000554000-memory.dmp
memory/112-138-0x0000000000400000-0x0000000000554000-memory.dmp
memory/112-140-0x0000000000400000-0x0000000000554000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 36c32cd064db3a4769d8b8bd99c8500e |
| SHA1 | 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e |
| SHA256 | fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f |
| SHA512 | 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e |
memory/112-142-0x0000000000405CE2-mapping.dmp
memory/112-147-0x0000000000400000-0x0000000000554000-memory.dmp
\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
C:\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
memory/852-153-0x0000000000400000-0x0000000000454000-memory.dmp
memory/852-155-0x0000000000400000-0x0000000000454000-memory.dmp
memory/852-159-0x000000000044CB3E-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
memory/852-165-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1296-166-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
memory/112-172-0x0000000000400000-0x0000000000554000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-11 02:40
Reported
2022-05-11 04:01
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
HiveRAT
WarzoneRat, AveMaria
HiveRAT Payload
12 matches; the report carries no description, indicator, process or target for them.
Warzone RAT Payload
3 matches; the report carries no description, indicator, process or target for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1484 set thread context of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe |
| PID 3588 set thread context of 4924 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Users\Admin\AppData\Local\Temp\1.exe |
| PID 4184 set thread context of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | C:\Users\Admin\AppData\Local\Temp\3.exe |
| PID 4368 set thread context of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | C:\Users\Admin\AppData\Local\Temp\2.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\3.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
"C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4716 -ip 4716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 772
Network
| Country | Destination | Domain | Proto | Count (consecutive rows) |
| US | 93.184.220.29:80 | (none recorded) | tcp | 3 |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp | 2 |
| US | 20.42.73.26:443 | (none recorded) | tcp | 1 |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp | 4 |
| NL | 8.238.21.126:80 | (none recorded) | tcp | 1 |
| US | 8.253.208.112:80 | (none recorded) | tcp | 2 |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp | 19 |
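Over the 153 s of network time the win10 run resolved hive01.duckdns.org 25 times through 8.8.8.8, and the report lists no TCP connection to an address that name returned; whether the name did not resolve or the controller was simply not answering at detonation time, the report does not say. The four unnamed TCP destinations carry no domain in the report and do not appear in the win7 run, which dropped the same payloads, so they cannot be tied to the sample from this page alone. The Python below is an added example, not part of the report, that runs the two checks a resolver-log review would want here over constructed query-log lines: lookups under a dynamic-DNS zone, and a name queried repeatedly without ever receiving an answer. The log layout, the sample lines and the short dynamic-DNS zone list are assumptions for the example; the registered-domain helper takes the last two labels, which is enough for duckdns.org but not for zones such as co.uk.

```python
"""Two resolver-log checks for the DNS behaviour in the table above.
Added example for this report, not part of it: the log format, the sample lines
and the dynamic-DNS zone list are constructed/assumed."""
import re
from collections import defaultdict

# Assumed: a short illustrative list of dynamic-DNS zones, not an authoritative feed.
DDNS_ZONES = {"duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "zapto.org", "dynu.com"}

# Assumed log layout: "<timestamp> <client> <qname> <qtype> <rcode> [<answer,answer>]".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)(?: (?P<answers>\S+))?$"
)

# Constructed lines modelled on the win10 run: repeated A queries for the HiveRAT
# hostname that never return an address, plus ordinary traffic as controls.
SAMPLE_LOG = (
    ["2022-05-11T02:41:%02dZ 10.0.0.5 hive01.duckdns.org A NOERROR" % s for s in range(10, 17)]
    + ["2022-05-11T02:41:20Z 10.0.0.5 www.example.com A NOERROR 93.184.216.34",
       "2022-05-11T02:41:21Z 10.0.0.5 www.example.com A NOERROR 93.184.216.34"]
    + ["2022-05-11T02:41:%02dZ 10.0.0.5 wpad.localdomain A NXDOMAIN" % s for s in range(30, 33)]
    + ["not a log line"]
)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["answers"] = rec["answers"].split(",") if rec["answers"] else []
    return rec


def registered_domain(qname):
    """Last two labels of the name (assumption: sufficient for the zones listed above)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze(lines, min_repeats=5):
    """Return (rule, qname, query_count) tuples for names that trip either check."""
    per_name = defaultdict(lambda: {"queries": 0, "answered": 0, "ddns": False})
    for line in lines:
        q = parse(line)
        if q is None:
            continue
        rec = per_name[q["qname"].lower()]
        rec["queries"] += 1
        rec["answered"] += bool(q["answers"])
        rec["ddns"] = registered_domain(q["qname"]) in DDNS_ZONES

    findings = []
    for name, rec in sorted(per_name.items()):
        if rec["ddns"]:
            findings.append(("ddns", name, rec["queries"]))
        # A name asked for again and again with no answer ever returned is the
        # resolver-side shape of a beacon whose controller is down or unregistered.
        if rec["queries"] >= min_repeats and rec["answered"] == 0:
            findings.append(("unanswered-repeat", name, rec["queries"]))
    return findings


if __name__ == "__main__":
    for rule, name, count in analyze(SAMPLE_LOG):
        print(f"{rule:18} {name} ({count} queries)")
```

On the constructed log only hive01.duckdns.org trips both rules; www.example.com is answered and wpad.localdomain stays under the repeat threshold. The second rule is deliberately not tied to the dynamic-DNS list, so on a real resolver log it also surfaces misconfigured internal names, and the threshold is the knob to tune per environment.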
Files
memory/1484-130-0x0000000000C70000-0x0000000000E46000-memory.dmp
memory/1484-131-0x0000000005E90000-0x0000000006434000-memory.dmp
memory/1484-132-0x00000000057E0000-0x0000000005872000-memory.dmp
memory/1484-133-0x00000000058A0000-0x00000000058AA000-memory.dmp
memory/1484-134-0x0000000005D10000-0x0000000005DAC000-memory.dmp
memory/1168-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
| MD5 | 31431004556597a633f858c122c85b60 |
| SHA1 | fea5847bb6a5daae2688e349c827e30c51b4485f |
| SHA256 | 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712 |
| SHA512 | 7ea9edb6586a04f95de3522bd6a9aac661a04bfdd66af9c5d76fc38c5412deee8053db2e3906bfebbcae3d80141aee263bc73ac12de13f1f1f3df8f72241c8bd |
memory/3540-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
| MD5 | 31431004556597a633f858c122c85b60 |
| SHA1 | fea5847bb6a5daae2688e349c827e30c51b4485f |
| SHA256 | 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712 |
| SHA512 | 7ea9edb6586a04f95de3522bd6a9aac661a04bfdd66af9c5d76fc38c5412deee8053db2e3906bfebbcae3d80141aee263bc73ac12de13f1f1f3df8f72241c8bd |
memory/992-139-0x0000000000000000-mapping.dmp
memory/2080-141-0x0000000000000000-mapping.dmp
memory/2080-142-0x0000000000400000-0x0000000000590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
| MD5 | 31431004556597a633f858c122c85b60 |
| SHA1 | fea5847bb6a5daae2688e349c827e30c51b4485f |
| SHA256 | 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712 |
| SHA512 | 7ea9edb6586a04f95de3522bd6a9aac661a04bfdd66af9c5d76fc38c5412deee8053db2e3906bfebbcae3d80141aee263bc73ac12de13f1f1f3df8f72241c8bd |
C:\Users\Admin\AppData\Local\Temp\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe
| MD5 | 31431004556597a633f858c122c85b60 |
| SHA1 | fea5847bb6a5daae2688e349c827e30c51b4485f |
| SHA256 | 08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712 |
| SHA512 | 7ea9edb6586a04f95de3522bd6a9aac661a04bfdd66af9c5d76fc38c5412deee8053db2e3906bfebbcae3d80141aee263bc73ac12de13f1f1f3df8f72241c8bd |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\08771e45538f2faa1cc9b890f5dbea6ed4ccf1f0a2a7524029f2845ecc99b712.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/3588-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 36c32cd064db3a4769d8b8bd99c8500e |
| SHA1 | 09d5ddbfa1b429db36dc0321b0767f783bc0cd3e |
| SHA256 | fcc7fa3b71e82d54ed232db389161d5c22c6a3de5f6e68e4486d266f5df3399f |
| SHA512 | 1b7f9bebff9d89a6c8f7791fe1a0e267233e7814ee47808d7516acb24fe0fed2e7cd0e95b832f50b20a531563748f88795dd92c6b7ccd46782c4d5bd5ce2154e |
memory/4368-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | e1dd367f1baa8889afca69a79dd43abd |
| SHA1 | 786dc0378d1008490c9110cc30bcc6a11f6c3c3e |
| SHA256 | 56780e680f9185584bade0a79f8541ce4544e3f10a3d13b97d7a722b5809e6f9 |
| SHA512 | b618f0b5d0609b60b426a46c230bf11b4f514a83aff4e3a02e111cfbcb9df16fd10389e57817b4d51848f71acba879f09e0ad6831f586e3beab5acc1e53b781a |
memory/4184-152-0x0000000000000000-mapping.dmp
memory/4368-153-0x00000000000F0000-0x0000000000188000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
memory/3588-151-0x0000000000DE0000-0x0000000000E4A000-memory.dmp
memory/4184-156-0x0000000000F70000-0x0000000001008000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe
| MD5 | d03c9c3cef97ff26426d84a056fbd5f6 |
| SHA1 | 37bb280fd041626ff9b6ecdda4f323b91fa8445a |
| SHA256 | d25a364cefd6108e009ebdf3225c5047d38af1145cc25b5895dffc7d5f7ee816 |
| SHA512 | 37d7fe347165facdbd95935d154992999aee002e89f47a1b48f2cb741d8322fafbdc83b982c670dcf58369cb0893b4ac08e9be118313d1c364255f91052fcdfb |
memory/4924-158-0x0000000000000000-mapping.dmp
memory/4924-159-0x0000000000400000-0x0000000000554000-memory.dmp
memory/4924-162-0x0000000000400000-0x0000000000554000-memory.dmp
memory/4716-163-0x0000000000000000-mapping.dmp
memory/1712-165-0x0000000000000000-mapping.dmp
memory/1712-168-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4716-169-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4716-164-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/1712-173-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |