Malware Analysis Report

2024-10-24 18:09

Sample ID 220613-abkseagff5
Target 05a2b5a48fb1622a603ed5b1ad81630a166ff6ee8455f2030d947c73ea6fc925
SHA256 05a2b5a48fb1622a603ed5b1ad81630a166ff6ee8455f2030d947c73ea6fc925
Tags
jupyter backdoor stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

05a2b5a48fb1622a603ed5b1ad81630a166ff6ee8455f2030d947c73ea6fc925

Threat Level: Known bad

The file 05a2b5a48fb1622a603ed5b1ad81630a166ff6ee8455f2030d947c73ea6fc925 was found to be: Known bad.

Malicious Activity Summary

jupyter backdoor stealer trojan

Jupyter Backdoor/Client Payload

Jupyter, SolarMarker

Blocklisted process makes network request

Executes dropped EXE

Drops startup file

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-13 00:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-13 00:02

Reported

2022-06-13 00:08

Platform

win10-20220414-en

Max time kernel

280s

Max time network

272s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jupyter.exe"

Signatures

Jupyter Backdoor/Client Payload

Family: Jupyter, SolarMarker. Tags: backdoor trojan stealer jupyter.
No per-process indicator is attached to this match (Description, Indicator, Process and Target are all N/A); the family verdict comes from the payload itself, not from a single observed event.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup\a6ee8c157724e7945bfcd9eb64fa3.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

The shortcut in the per-user Startup folder is the persistence mechanism (ATT&CK T1547.001, Startup Folder). It is written by one of the powershell.exe loaders, not by the installer, and neither the shortcut's target nor its hashes appear in the Files section of this report.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (37 hits, all from powershell.exe; the report does not break them down by PID)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 3688 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\jupyter.exe C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp
PID 3688 wrote to memory of 2548 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe
PID 3688 wrote to memory of 628 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 2800 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 1436 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 1264 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 948 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 3668 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 2340 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 1144 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 188 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 2324 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Every row is a write from a process into one it has just spawned (jupyter.exe into the extracted Inno Setup engine jupyter.tmp; jupyter.tmp into Docx2Rtf.exe and into each of the ten powershell.exe loaders), and each pair is logged exactly three times. That pattern is consistent with the writes CreateProcess itself makes into a fresh child while setting up its process parameters, not with injection into an unrelated process: no row targets a process outside the writer's own children. The value of this table is the process tree it yields, not the WriteProcessMemory calls as such.
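
Rebuilding the process tree from those rows, and separating creation-time writes from genuine cross-process writes, as an added example that is not part of this report and not SolarMarker code. The ROWS text is a subset of the table above copied as it appears (each parent-to-child pair occurs three times); the parsing, tree and cross-process check are this example's own logic, and INJECTION_ROW is a constructed row, not something observed in the sandbox.

```python
"""Rebuild the process tree from 'PID a wrote to memory of b' signature rows.

Added example; not part of the sandbox report and not SolarMarker code.
ROWS is a subset of the report's WriteProcessMemory table, copied verbatim.
"""
import re
from collections import Counter, defaultdict

ROWS = r"""
Description Indicator Process Target
PID 1404 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\jupyter.exe C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp
PID 1404 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\jupyter.exe C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp
PID 1404 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Local\Temp\jupyter.exe C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp
PID 3688 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe
PID 3688 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe
PID 3688 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe
PID 3688 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3688 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""

# Constructed row (NOT from the report): a process writing into one it did not create.
INJECTION_ROW = r"PID 2548 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Parse 'PID a wrote to memory of b N/A <writer> <target>' rows; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def build_tree(rows):
    """Return (names, children, counts, roots).

    The first process to write into a PID is taken as its parent (creation-time
    writes); repeated writes from the same parent only raise the event count.
    """
    names, children, counts, parent_of = {}, defaultdict(list), Counter(), {}
    for ppid, cpid, ppath, cpath in rows:
        names.setdefault(ppid, ppath)
        names.setdefault(cpid, cpath)
        counts[(ppid, cpid)] += 1
        if cpid not in parent_of:
            parent_of[cpid] = ppid
            children[ppid].append(cpid)
    roots = [pid for pid in names if pid not in parent_of]
    return names, children, counts, roots


def cross_process_writes(rows):
    """Writes into a PID by anything other than its first writer (its creator).

    Parent-to-child writes at creation time are expected noise in sandbox
    reports; a write from any other process is a real injection candidate.
    """
    creator, flagged = {}, []
    for ppid, cpid, ppath, cpath in rows:
        creator.setdefault(cpid, ppid)
        if creator[cpid] != ppid:
            flagged.append((ppid, cpid, ppath, cpath))
    return flagged


def render(names, children, counts, roots):
    """Indented tree, one line per process, with the write-event count from its parent."""
    lines = []

    def walk(pid, depth, parent):
        tag = f"  [{counts[(parent, pid)]} write events from {parent}]" if parent is not None else ""
        lines.append("  " * depth + f"{pid} {names[pid]}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1, pid)

    for root in roots:
        walk(root, 0, None)
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print(render(*build_tree(rows)))
    print("cross-process writes in report rows:", cross_process_writes(rows))
    print("with constructed injection row:", cross_process_writes(rows + parse_rows(INJECTION_ROW)))
```

On the report's own rows cross_process_writes() returns nothing, which is the point: the tree is jupyter.exe, then jupyter.tmp, then Docx2Rtf.exe and the powershell.exe loaders, and every write is a creator writing into its new child. The constructed row shows the kind of entry that would warrant a closer look.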

Processes

C:\Users\Admin\AppData\Local\Temp\jupyter.exe

"C:\Users\Admin\AppData\Local\Temp\jupyter.exe"

C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp" /SL5="$60070,118835448,809472,C:\Users\Admin\AppData\Local\Temp\jupyter.exe"

The is-XXXXX.tmp directory names and the /SL5= switch (a window handle, two offsets into the package and the path of the original installer) are the Inno Setup convention: jupyter.exe is an Inno Setup package and jupyter.tmp is its extracted setup engine, relaunched with a reference back to the original file. Docx2Rtf.exe and the ten powershell.exe loaders are all spawned by this process, as the WriteProcessMemory rows above show.

C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe

"C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (10 instances, PIDs 628, 2800, 1436, 1264, 948, 3668, 2340, 1144, 188 and 2324, all with the same command line)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\edda5c2fe3700f0fe6b4d173ff5d6dc0.txt';$c=get-content $p;remove-item $p;iex $c"

The command line names the System32 PowerShell, but the process that actually runs is the SysWOW64 one: jupyter.tmp is a 32-bit process, so WOW64 file system redirection substitutes the 32-bit binary. Detection logic that keys on the command-line path alone will miss this; match on the executing image. The loader sets the execution policy to Bypass, reads a dropped text file, deletes it, then runs its contents with Invoke-Expression, so the script does not survive on disk once it has run. The sandbox captured the file before deletion: see C:\Users\Admin\AppData\Local\Temp\edda5c2fe3700f0fe6b4d173ff5d6dc0.txt in the Files section (SHA256 90c979adbe5d7b7d340dd0ed6743445f0bd666bb969cd880ef9bee95aaadcf41).

Network

Country Destination Domain Proto Connections
US 20.189.173.1:443 (none) tcp 1
NL 178.79.208.1:80 (none) tcp 1
BE 91.241.19.21:80 (none) tcp 5

No domain name was recorded for any of these connections; each was made directly to an IP address, and the BE host was contacted five times over plain HTTP.
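
Detection logic for the two behaviours that stand out in this report, the self-deleting PowerShell script loader in the process list and the .lnk dropped into the Startup folder, as an added example that is not part of the sandbox report and not SolarMarker code. It runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 11 file creation) whose values imitate what the report shows; the field names follow Sysmon, the events are made up for this example, and the benign entries exist only to show the rules do not fire on them.

```python
"""Detection rules for the PowerShell loader chain shown in this report.

Added example; not part of the sandbox report and not SolarMarker code.
The events below are CONSTRUCTED to imitate the report's process list and
Startup-folder write; field names follow Sysmon Event ID 1 / 11.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 1 = process create, 11 = file create (Sysmon numbering)
    image: str               # executing binary as resolved by the OS (SysWOW64 under a 32-bit parent)
    parent_image: str = ""
    command_line: str = ""
    target_filename: str = ""


SAMPLE_EVENTS = [
    # loader as seen in the report: 32-bit installer .tmp spawns powershell with a self-deleting script
    Event(1, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp",
          r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -command "$p='C:\Users\Admin\AppData\Local\Temp\edda5c2fe3700f0fe6b4d173ff5d6dc0.txt';$c=get-content $p;remove-item $p;iex $c"'''),
    # constructed benign admin script, for contrast
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\explorer.exe",
          r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    # persistence: powershell writes a shortcut into the per-user Startup folder
    Event(11, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          target_filename=r"C:\Users\Admin\AppData\Roaming\microsoft\windows\start menu\programs\startup\a6ee8c157724e7945bfcd9eb64fa3.lnk"),
    # constructed installer writing its own Startup shortcut: not powershell, so not flagged here
    Event(11, r"C:\Program Files\SomeApp\setup.exe",
          target_filename=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SomeApp.lnk"),
]

# Match on the executing image, not the path quoted in the command line (WOW64 redirection).
PS_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
EP_BYPASS = re.compile(r"-(ep|ex|exec|executionpolicy)\s+bypass\b", re.I)
READ_DELETE_EVAL = [
    re.compile(r"\b(get-content|gc|cat|type)\b", re.I),    # read the dropped file
    re.compile(r"\b(remove-item|rm|del|erase)\b", re.I),   # delete it
    re.compile(r"\b(iex|invoke-expression)\b", re.I),      # evaluate its contents
]
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
TEMP_TMP_PARENT = re.compile(r"\\appdata\\local\\temp\\.*\.tmp$", re.I)


def rule_self_deleting_loader(ev):
    """PowerShell with policy bypass that reads, deletes and evaluates a file in one command."""
    if ev.event_id != 1 or not PS_IMAGE.search(ev.image):
        return None
    cl = ev.command_line
    if EP_BYPASS.search(cl) and all(p.search(cl) for p in READ_DELETE_EVAL):
        return "powershell self-deleting script loader (read file, delete it, iex contents)"
    return None


def rule_startup_lnk_by_powershell(ev):
    """PowerShell writing a shortcut into the per-user Startup folder (T1547.001)."""
    if ev.event_id != 11 or not PS_IMAGE.search(ev.image):
        return None
    if STARTUP_LNK.search(ev.target_filename):
        return "powershell wrote a .lnk into the Startup folder"
    return None


def rule_powershell_from_temp_installer(ev):
    """PowerShell whose parent is a .tmp executable running out of %TEMP% (installer engine)."""
    if ev.event_id != 1 or not PS_IMAGE.search(ev.image):
        return None
    if TEMP_TMP_PARENT.search(ev.parent_image):
        return "powershell spawned by a .tmp installer engine running from %TEMP%"
    return None


RULES = (rule_self_deleting_loader, rule_startup_lnk_by_powershell, rule_powershell_from_temp_installer)


def scan(events):
    """Apply every rule to every event; return (event index, rule name, message) triples."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((idx, rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for idx, rule_name, msg in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}: {msg}")
```

The loader rule deliberately requires all three verbs (read, delete, evaluate) plus the policy bypass rather than any one of them, since get-content or iex on their own are common in legitimate scripts; the Startup-folder rule is scoped to PowerShell as the writer because installers legitimately create shortcuts there, which is why the constructed setup.exe event is left alone.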

Files

memory/1404-{119 to 151, 154, 155, 157, 158}-0x0000000077080000-0x000000007720E000-memory.dmp (37 dumps of the same region of PID 1404)

memory/1404-{152, 156}-0x0000000000400000-0x00000000004D3000-memory.dmp (2 dumps; 0x400000 is the default 32-bit image base)

memory/3688-159-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-BO4VV.tmp\jupyter.tmp

MD5 26fcf4debd7de2d67fc0289257d02300
SHA1 e31cf43e9a8346e320e19618f9d8c9de2b641c20
SHA256 aab26ce34cd22bdfab7aa5270218f5af2e34276bfc155a7f51c26dc53c14d3f2
SHA512 bf24ffd2fef7f72b853f44b477ee70c8c721a7411e928ab7719dc0f208e687bed8f47883033e658a0a04735a42640398ee5e7e486b38e46254f16fb2154cb67a

memory/3688-{161 to 185}-0x0000000077080000-0x000000007720E000-memory.dmp (25 dumps of the same region of PID 3688, the same address range dumped repeatedly from 1404)

memory/2548-222-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-7EOMA.tmp\Docx2Rtf.exe

MD5 ba95ebd0d6f6e7861b75149561f1fbd3
SHA1 639a1e699d3aea6a0a204e4023f87ef05b4df5fb
SHA256 caf8e546f8c6ce56009d28b96c4c8229561d10a6dd89d12be30fa9021b1ce2f4
SHA512 7c1f01685bb73865e954a8629712c8183cdd9416d7eadf478dfb54eef18424c71c9f9e9d40e7d5889a7212a45585c6f22726bfa81160eedf5b7a6ab450a2cd51

memory/1404-309-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/628-311-0x0000000000000000-mapping.dmp

memory/2800-313-0x0000000000000000-mapping.dmp

memory/1436-318-0x0000000000000000-mapping.dmp

memory/1264-323-0x0000000000000000-mapping.dmp

memory/948-326-0x0000000000000000-mapping.dmp

memory/3668-331-0x0000000000000000-mapping.dmp

memory/2340-336-0x0000000000000000-mapping.dmp

memory/1144-344-0x0000000000000000-mapping.dmp

memory/2324-364-0x0000000000000000-mapping.dmp

memory/188-353-0x0000000000000000-mapping.dmp

memory/1404-545-0x0000000000400000-0x00000000004D3000-memory.dmp

memory/628-624-0x00000000068E0000-0x0000000006916000-memory.dmp

memory/2800-668-0x00000000075E0000-0x0000000007C08000-memory.dmp

memory/2800-833-0x0000000007510000-0x0000000007532000-memory.dmp

memory/1436-849-0x0000000007460000-0x00000000074C6000-memory.dmp

memory/1436-855-0x00000000074D0000-0x0000000007536000-memory.dmp

memory/2800-864-0x0000000007D70000-0x00000000080C0000-memory.dmp

memory/628-914-0x0000000007810000-0x000000000782C000-memory.dmp

memory/628-916-0x0000000008410000-0x000000000845B000-memory.dmp

memory/1264-955-0x0000000007EA0000-0x0000000007F16000-memory.dmp

memory/628-1038-0x00000000090B0000-0x0000000009144000-memory.dmp

memory/628-1039-0x00000000084F0000-0x000000000850A000-memory.dmp

memory/628-1041-0x0000000008FC0000-0x0000000008FE2000-memory.dmp

memory/628-1045-0x0000000009860000-0x0000000009D5E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\edda5c2fe3700f0fe6b4d173ff5d6dc0.txt

MD5 26942684201095254e6aee50776bb73b
SHA1 ec2621c613329473f1959fa0f3f0d4349c6ba337
SHA256 90c979adbe5d7b7d340dd0ed6743445f0bd666bb969cd880ef9bee95aaadcf41
SHA512 bff53f547699ddca929d7bc6b2f6737c555fcf477264e773c873883e7927176bca33f0c085b0dc6fa0e70bd0a10cf68997d1730a1c18024e822c3178cc03027f

memory/1264-1075-0x000000000A0B0000-0x000000000A728000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c4450de6375575b24ae56719d680e437.txt

MD5 1d4806a4758ef9a5aa52f542468faf88
SHA1 75ef7bfd2e46486a05c38e7857be00fd69131929
SHA256 e17d7f14dc48bebbf4635d070e09801d71d93280f8ab6df92e498fbc215fc7cb
SHA512 bcb4e44e95a64c496e2efbc5bb640ed4ce937dae592c7cd8ea67890b5c01f2daa4b15db5019151fb861047257434089c7d3556acb54bca7969b0b850a7e8f68d

memory/1264-1273-0x0000000009240000-0x0000000009256000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 58674177538f6429aa51bfd9e78f5944
SHA1 526a419a8307f9b89da9785e4da42840ff77f136
SHA256 5830ff840bc14ca7b2c355b00144eaa63594197bfdcc21075204123bfa89396d
SHA512 ed30996df8bdf0d07a4360264fb022ac62fce82654fe99fcb6c777f1c2eee82b78da183588bab5264fadb7c53924ed023bbd8469d7616c3e7f8f4586bcdef94d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 a4022a7d2b113226b000be0705680813
SHA1 599e22d03201704127a045ca53ffb78f9ea3b6c3
SHA256 2557a14e476d55330043af2858dbf1377e24dba3fa9aedc369d5feefefb7f9a7
SHA512 40ef88632a4ad38a7d21c640a7f0c8cd7c76b8451f55dd758c15baa5a90f4f0938de409426570c4405362fd2d90fadd96d23d190e09692b5fbe2c87ebc8d3c60

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c89d1a9b85641c339615d5530922b7ea
SHA1 8031ab43eaaf15a1aa1470ab17ec8641441009e9
SHA256 1ea443496f1eb9488a58466b7848d8826a78761ed7221e0e8ab087c62b5dab87
SHA512 d51dad3b5817b1bf3e38445fe103964561cfff605591e2b366ebd37fbc29dae011486b13c132b70d3d2dcfd0ca16357287a86d009eb345c83f1c1ff34e13e656

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aba356db37cff7efff4b164f32999d25
SHA1 4766c9fdf2312d1ad1f284878c8985356ff4673f
SHA256 6d7091f75056a643abb46463f782d1f0e8d2c90eb606b6bd0718d87a2dd69c79
SHA512 1d2f8f69a18d34be44c2395a075476a3244d7d9c40e0f74177f20969dc78c19776fe9086dcad1b2c16db60d7b46dd9eb33d9282635d42f2a652ad3dc5f5dd2f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f130d92dd726381553c3a1d84a9ec517
SHA1 540549fb700db937119878a60c4cc55d3c91a7cf
SHA256 bfa14677838a83fc2b2f06d46959611bd31b533b1d1f362fb4c6342a45509b6e
SHA512 570734ab8eca6bdf6c5ba8f7ee7ed00b764c5dc9720b7598d4b77c98559dffa6cc97f793e29b7169d66d5e7c3125675d56904bdebfc90726c691af227b00668a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 547011490e62c87690f84c16496de184
SHA1 5b9d6a2eb1fdb9ba2fe5dfef4591ee03071fea1d
SHA256 240dee229f739faf33f238dd45450f25cc2c243ae6918730c030876f9051cd68
SHA512 3a663215f71e31ae296089ef422770b465e62155e572684b5a3e9696510c315b4f665ca61767773dfedfd6ff5a4fdf3c73ea5259fcca8f9b5290805edcd4618a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8a597654625ca54d94b482c0eb9a0232
SHA1 7ec11737640d334f703ccf79ac35d575ccb2014d
SHA256 4a8ce3a76f8c9ce8edfdd530773b1e7f9efa644154ac3e121f1164bafc40af07
SHA512 2fb09e2503e8097decc3e80dfa06756b2dbf2159a10525af2c6d51fdb995a4ec72ee9d190fc9837445608805afecc4338e60902b93a18d9dc4db02f0c076f009

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 efce47f23fc8ee486cae60306030c461
SHA1 11040ac1ad1ef7b5b88630e13bd101cc7aede34d
SHA256 ba6c35afaa143fb36c42a5c87ace348557f938fac0e243fc6303ddc33936a44f
SHA512 e48debee07bc2fd0e23196153c60f05ee0bee42cf97575bcc99ca37b78c38b850698bed8477fb5d7cbc0824e19880545e9b8a98789dba5bab39e4eb7a7c75767