Malware Analysis Report

2024-11-15 08:41

Sample ID 220718-w2ak1seaam
Target CFDI_826271.zip
SHA256 7da358abbfdb15dcb4f1c3ffca1aaf5c801c82bd77ea3a3d1a397741c176b13d
Tags
betabot backdoor botnet evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7da358abbfdb15dcb4f1c3ffca1aaf5c801c82bd77ea3a3d1a397741c176b13d

Threat Level: Known bad

The file CFDI_826271.zip was found to be: Known bad.

Malicious Activity Summary

betabot backdoor botnet evasion persistence trojan

Modifies firewall policy service

BetaBot

Executes dropped EXE

Sets file execution options in registry

Checks BIOS information in registry

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer Protected Mode

Checks processor information in registry

Modifies Internet Explorer Protected Mode Banner

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-18 18:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-18 18:24

Reported

2022-07-18 18:28

Platform

win10-20220414-es

Max time kernel

152s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CFDI 826271 71074.exe"

Signatures

BetaBot

trojan backdoor botnet betabot

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\explorer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A

Sets file execution options in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "xik.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\31y731ug351gw7i.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\31y731ug351gw7i.exe\DisableExceptionChainValidation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\explorer.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\CFDI 826271 71074.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\CFDI 826271 71074.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java10 = "C:\\ProgramData\\Java10\\31y731ug351gw7i.exe" | C:\Windows\SysWOW64\explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java10 = "\"C:\\ProgramData\\Java10\\31y731ug351gw7i.exe\"" | C:\Windows\SysWOW64\explorer.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1032 set thread context of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\explorer.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies Internet Explorer Protected Mode

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies Internet Explorer Protected Mode Banner

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" | C:\Windows\SysWOW64\explorer.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\explorer.exe | N/A
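The registry rows in the signatures above (firewall policy, Image File Execution Options, Run/RunOnce, Internet Settings zones) are the indicators a responder would lift from this report and turn into host checks. The Python below is an added example and not part of the sandbox output: it classifies registry write events of the shape shown in these tables. The IFEO Debugger value on rstrui.exe makes Windows launch "xik.exe" whenever the System Restore UI is started; DisableExceptionChainValidation under the dropped binary's own IFEO key turns SEHOP off for it; EnableFirewall = 0 disables the Windows Firewall profile; Zones\N\2500 = 3 turns Protected Mode off for that zone. The wextract_cleanup0 RunOnce entry calling advpack.dll's DelNodeRunDLL32 is the self-cleanup an IExpress (WEXTRACT) package registers for its IXP000.TMP directory, which marks the outer "CFDI 826271 71074.exe" as an IExpress self-extractor; the example rates that entry informational. The sample events are constructed from this report's rows; the rule names, the severity scale and the event tuple shape are the example's own.

```python
"""Classify sandbox registry-write events against the persistence and evasion
indicators seen in this report. Added example; the event tuples below are
constructed from the report's rows, not exported from the sandbox."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str       # example's own rule name
    severity: str   # example's own scale: info / low / medium / high
    path: str
    detail: str = ""


# Assumed event shape: (operation, key or value path, data or None).
SAMPLE_EVENTS = [
    ("Set value (int)", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall", "0"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger", "xik.exe"),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\31y731ug351gw7i.exe\DisableExceptionChainValidation", None),
    ("Set value (str)", r"\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java10", r'"C:\ProgramData\Java10\31y731ug351gw7i.exe"'),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0", r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    ("Set value (int)", r"\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500", "3"),
    ("Set value (int)", r"\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner", "1"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", None),
]

FIREWALL = re.compile(r"\\FirewallPolicy\\(?P<profile>\w+Profile)\\EnableFirewall$", re.I)
IFEO = re.compile(r"\\Image File Execution Options\\(?P<image>[^\\]+)\\(?P<value>Debugger|DisableExceptionChainValidation)$", re.I)
ZONE_2500 = re.compile(r"\\Internet Settings\\Zones\\(?P<zone>\d)\\2500$", re.I)
RUNKEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Paths a standard user can write to; an autorun pointing there needs no admin rights to plant.
USER_WRITABLE = re.compile(r'^"?[A-Za-z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\', re.I)


def classify(events):
    findings = []
    for op, path, data in events:
        if not op.startswith("Set value"):
            continue  # key opens/queries (e.g. EnableLUA) are reconnaissance, not covered by these rules
        if (m := FIREWALL.search(path)) and data == "0":
            findings.append(Finding("firewall_disabled", "high", path, m["profile"]))
        elif m := IFEO.search(path):
            if m["value"].lower() == "debugger":
                # Windows launches the Debugger value instead of the image: rstrui.exe -> xik.exe
                findings.append(Finding("ifeo_debugger_hijack", "high", path, f"{m['image']} -> {data}"))
            else:
                findings.append(Finding("ifeo_sehop_disabled", "medium", path, m["image"]))
        elif (m := ZONE_2500.search(path)) and data == "3":
            findings.append(Finding("ie_protected_mode_disabled", "medium", path, f"zone {m['zone']}"))
        elif path.lower().endswith(r"\noprotectedmodebanner") and data == "1":
            findings.append(Finding("ie_protected_mode_banner_suppressed", "low", path))
        elif m := RUNKEY.search(path):
            value = data or ""
            if m["name"].lower().startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in value:
                # IExpress self-extractor cleanup of its IXP000.TMP directory; expected noise for this packer
                findings.append(Finding("iexpress_cleanup_runonce", "info", path, value))
            elif USER_WRITABLE.match(value):
                findings.append(Finding("autorun_from_user_writable_path", "high", path, f"{m['key']}\\{m['name']} = {value}"))
            else:
                findings.append(Finding("autorun_entry", "low", path, value))
    return findings


def report(events):
    """One line per finding, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    rows = sorted(classify(events), key=lambda f: order[f.severity])
    return "\n".join(f"[{f.severity:<6}] {f.rule}: {f.detail or f.path}" for f in rows)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

The reconnaissance rows (EnableLUA, BIOS and CPU strings) are deliberately skipped: they are read-only and, on their own, indistinguishable from what legitimate installers do. The Run-key rule keys on the target path rather than the value name because the name ("Java10") is chosen by the malware and changes between builds.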

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\SysWOW64\explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1232 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\CFDI 826271 71074.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1232 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\CFDI 826271 71074.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1232 wrote to memory of 1032 | N/A | C:\Users\Admin\AppData\Local\Temp\CFDI 826271 71074.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1032 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1032 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1032 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1032 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1032 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1032 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1032 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1032 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1032 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1032 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
PID 1536 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Windows\SysWOW64\explorer.exe
PID 1536 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Windows\SysWOW64\explorer.exe
PID 1536 wrote to memory of 3312 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | C:\Windows\SysWOW64\explorer.exe
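Read together, the SetThreadContext and WriteProcessMemory rows give the injection chain: the IExpress outer executable (PID 1232) starts SETUP_~2.EXE (1032), which launches two powershell.exe instances (2796, 4864), then starts a second copy of itself (1536), writes into it ten times and sets its thread context, after which 1536 starts explorer.exe (3312). The Python below is an added example and not part of the report: it parses rows of this shape and labels each parent-to-child hop. Two assumptions are the example's own: that three writes from a parent into a freshly created child are the ones CreateProcess itself performs and are not injection on their own (a heuristic, not a guarantee of the sandbox), and that a system binary started from a temp-path parent deserves a flag even when only those creation writes appear. The second rule matters here: the explorer.exe hop shows only three writes and no SetThreadContext, yet the registry and token rows show the malicious activity being performed by explorer.exe, so the payload reaches it by some route write counting cannot see (the MapViewOfSection signature on SETUP_~2.EXE is the likely one). The Files section also lists SETUP_~2.EXE with two different hash sets, the second next to the memory dumps of PID 1536, which is consistent with, though not proof of, a dump of the replaced image.

```python
"""Rebuild the process-injection chain from sandbox rows of the form
'PID <src> wrote to memory of <dst> N/A <src image> <dst image>' and
'PID <src> set thread context of <dst> N/A <src image> <dst image>'.
Added example; the rows below are constructed from this report
(same PIDs, images and multiplicities)."""
import re
from collections import Counter
from dataclasses import dataclass

ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<proc>C:\\.+?) (?P<target>C:\\.+)$"
)

# Heuristic assumption of this example: a parent performs three WriteProcessMemory
# calls while creating a child; more than that, or any SetThreadContext, is injection.
CREATE_PROCESS_WRITES = 3

SETUP = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\CFDI 826271 71074.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"


def _write(src, dst, proc, target):
    return f"PID {src} wrote to memory of {dst} N/A {proc} {target}"


SAMPLE_ROWS = (
    [_write(1232, 1032, DROPPER, SETUP)] * 3
    + [_write(1032, 2796, SETUP, POWERSHELL)] * 3
    + [_write(1032, 4864, SETUP, POWERSHELL)] * 3
    + [_write(1032, 1536, SETUP, SETUP)] * 10
    + [f"PID 1032 set thread context of 1536 N/A {SETUP} {SETUP}"]
    + [_write(1536, 3312, SETUP, EXPLORER)] * 3
)


@dataclass
class Hop:
    src: int
    dst: int
    src_image: str
    dst_image: str
    writes: int
    setctx: bool
    kind: str


def label(src_image, dst_image, writes, setctx):
    same_image = src_image.lower() == dst_image.lower()
    temp_parent = "\\appdata\\local\\temp\\" in src_image.lower()
    system_child = dst_image.lower().startswith("c:\\windows\\")
    if setctx and same_image:
        return "process hollowing: suspended copy of own image rewritten, then SetThreadContext"
    if setctx:
        return "thread context hijack into a different image"
    if writes > CREATE_PROCESS_WRITES:
        return "code injection: more writes than process creation needs"
    if temp_parent and system_child:
        return "system binary spawned from a temp path: creation-only writes, review for section-mapping injection"
    return "process creation: creation-time writes only"


def build_chain(rows):
    parsed = [m.groupdict() for m in map(ROW.match, rows) if m]
    images, writes, setctx = {}, Counter(), set()
    for e in parsed:
        src, dst = int(e["src"]), int(e["dst"])
        images[src], images[dst] = e["proc"], e["target"]
        if e["op"].startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            setctx.add((src, dst))
    hops = []
    for src, dst in sorted(set(writes) | setctx):
        n, ctx = writes[(src, dst)], (src, dst) in setctx
        hops.append(Hop(src, dst, images[src], images[dst], n, ctx,
                        label(images[src], images[dst], n, ctx)))
    return hops


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(hops):
    return "\n".join(
        f"{h.src} -> {h.dst}  {basename(h.dst_image)}  writes={h.writes} setctx={h.setctx}  [{h.kind}]"
        for h in hops
    )


if __name__ == "__main__":
    print(render(build_chain(SAMPLE_ROWS)))
```

The hollowing label requires both the same image on both sides and a SetThreadContext; a single WriteProcessMemory into a child of the same name is what any self-relaunching installer produces, and counting on it alone would page on benign software.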

Processes

C:\Users\Admin\AppData\Local\Temp\CFDI 826271 71074.exe

"C:\Users\Admin\AppData\Local\Temp\CFDI 826271 71074.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA3AA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
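Both powershell.exe instances are launched with -enc, which takes a Base64 encoding of the UTF-16LE bytes of the script. The Python below is an added example and not part of the report: it pulls the encoded argument out of a command line, decodes it, and tags what the decoded script does. Run on the two command lines above (embedded as constructed sample input) it yields "Start-Sleep -Seconds 37" for the first and "Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'" for the second, that is, a delay aimed at sandbox timeouts followed by a Microsoft Defender exclusion covering the whole system drive. The list of accepted abbreviations of -EncodedCommand and the tag names are the example's own. Note that the command lines name C:\Windows\System32\... while the recorded process path is C:\Windows\SysWOW64\...: the 32-bit SETUP_~2.EXE is subject to WOW64 file system redirection, so System32 resolves to SysWOW64 for it, and a detection keyed on the System32 path alone would miss these.

```python
"""Decode and triage PowerShell -EncodedCommand arguments as they appear in
sandbox process listings. Added example; the two command lines below are the
ones in this report, embedded as constructed sample input."""
import base64
import re
from dataclasses import dataclass, field

# Abbreviations of -EncodedCommand accepted here (the example's own list, not PowerShell's full prefix matching).
ENC_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SLEEP = re.compile(r"Start-Sleep\s+-S(?:econds)?\s+(\d+)", re.I)
MP_EXCLUSION = re.compile(r"(?:Set|Add)-MpPreference\s+.*?-Exclusion(Path|Process|Extension)\s+'?([^'\s;]+)", re.I)

SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA3AA==',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==',
]


@dataclass
class Triage:
    cmdline: str
    decoded: str
    tags: list = field(default_factory=list)


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if the command line carries no encoded command."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    # -EncodedCommand is Base64 over the UTF-16LE bytes of the script, hence the 'A' every other character.
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def triage(cmdline):
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return None
    t = Triage(cmdline, decoded)
    if m := SLEEP.search(decoded):
        t.tags.append(f"sleep_delay:{m.group(1)}s")  # running out the clock on sandbox timeouts
    if m := MP_EXCLUSION.search(decoded):
        kind, target = m.group(1).lower(), m.group(2)
        t.tags.append(f"defender_exclusion:{kind}={target}")
        if kind == "path" and re.fullmatch(r"[A-Za-z]:\\?", target):
            t.tags.append("exclusion_covers_entire_drive")  # everything on the volume becomes unscanned
    return t


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        r = triage(c)
        print(r.decoded, r.tags)
```

Because the decoded text is what matters, log the decoded script alongside the raw command line; the Base64 form changes with every whitespace or casing tweak the operator makes, the decoded cmdlet names do not.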

Network

Country | Destination | Domain | Proto
US | 20.42.65.88:443 | N/A | tcp
NL | 87.248.202.1:80 | N/A | tcp
US | 8.8.8.8:53 | 4hmn.short.gy | udp
DE | 52.59.165.42:443 | 4hmn.short.gy | tcp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 162.159.135.233:443 | cdn.discordapp.com | tcp

Files

memory/1032-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

MD5 f51a742f76121dd26e772ddbd8ae7621
SHA1 5f7c14aca06c7d6a56fb33339fd6f118a68f5751
SHA256 4703f4ade6f2469b9c785d4ebbca86bee3bb53405d58e553dbf70b9edc151a64
SHA512 644522827ba22afd8db0c501c5ecdf9a14c9a1dbb33c8cc3c0a1ba02346f1266d5d75e4fdc0fff8c880acd889cad523377b3bfd158eb4e710fe338d49957b4e0

memory/1032-120-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-121-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-122-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-123-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-124-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-125-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-126-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-127-0x00000000773A0000-0x000000007752E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

MD5 f51a742f76121dd26e772ddbd8ae7621
SHA1 5f7c14aca06c7d6a56fb33339fd6f118a68f5751
SHA256 4703f4ade6f2469b9c785d4ebbca86bee3bb53405d58e553dbf70b9edc151a64
SHA512 644522827ba22afd8db0c501c5ecdf9a14c9a1dbb33c8cc3c0a1ba02346f1266d5d75e4fdc0fff8c880acd889cad523377b3bfd158eb4e710fe338d49957b4e0

memory/1032-129-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-130-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-131-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-132-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-133-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-134-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-135-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-136-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-137-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-138-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-139-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-140-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-141-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-142-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-144-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-143-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-145-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-146-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-147-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-148-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-149-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-150-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-151-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-152-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-153-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-154-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-155-0x00000000007D0000-0x00000000007F6000-memory.dmp

memory/1032-156-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-157-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-158-0x0000000005660000-0x0000000005B5E000-memory.dmp

memory/1032-159-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-160-0x0000000005030000-0x00000000050C2000-memory.dmp

memory/1032-161-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-162-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-163-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-164-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-165-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-166-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-167-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-168-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-169-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-170-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-171-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-172-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-173-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-174-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-175-0x0000000005000000-0x000000000500A000-memory.dmp

memory/1032-176-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-177-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-178-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-179-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-180-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-181-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-182-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-183-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-184-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-185-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-186-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-187-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-188-0x00000000773A0000-0x000000007752E000-memory.dmp

memory/1032-206-0x0000000008020000-0x0000000008122000-memory.dmp

memory/1032-209-0x0000000007F10000-0x0000000007F8C000-memory.dmp

memory/1032-210-0x0000000008130000-0x000000000817C000-memory.dmp

memory/2796-220-0x0000000000000000-mapping.dmp

memory/2796-256-0x0000000004EE0000-0x0000000004F16000-memory.dmp

memory/2796-261-0x0000000007A80000-0x00000000080A8000-memory.dmp

memory/2796-265-0x0000000007770000-0x00000000077F2000-memory.dmp

memory/2796-281-0x00000000080B0000-0x00000000080D2000-memory.dmp

memory/2796-282-0x0000000008330000-0x0000000008396000-memory.dmp

memory/2796-283-0x0000000008250000-0x00000000082B6000-memory.dmp

memory/2796-284-0x0000000007A50000-0x0000000007A60000-memory.dmp

memory/2796-285-0x00000000083A0000-0x00000000086F0000-memory.dmp

memory/2796-288-0x00000000082F0000-0x000000000830C000-memory.dmp

memory/2796-289-0x0000000008E10000-0x0000000008E5B000-memory.dmp

memory/2796-293-0x0000000008B30000-0x0000000008BA6000-memory.dmp

memory/2796-304-0x000000000A2C0000-0x000000000A938000-memory.dmp

memory/2796-305-0x0000000009A00000-0x0000000009A1A000-memory.dmp

memory/4864-310-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 b42b8394f52b01b93879625688c3d79d
SHA1 3ed5877ab13e7655482c19e8b7511f8b2bfcdbb3
SHA256 b7b0a0ab5e777b74a8d7ec285804091eb3a4c71fcc2c57cddfa8541d05409cdd
SHA512 86357e54c29ee9c107b5655d457121f35117565fae4fdd018e56079eb7ca012e4afe0a5d5562bc2996b932b02450ad0fbb7f27047315b524138a0fe08c4f79c2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3091e669afaea28bddb5ecacae736cdf
SHA1 30bed888f86a67553184dd3231e31b81ce0267a3
SHA256 037181cfc8fd9470761f9ee34e3dd40872c1980e943d88f393029d4b22887f88
SHA512 068e2f6e69950884ac2edc8ccc3475c45862378a7746c2fd0bed093cc062ea2875b39bd8d3953b563f2e5729b24dafc2af4abf78c0b349e046a585bdb7ac822d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 5f640bd48e2547b4c1a7421f080f815f
SHA1 a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a
SHA256 916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c
SHA512 a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

memory/4864-392-0x00000000073F0000-0x0000000007423000-memory.dmp

memory/4864-393-0x0000000006830000-0x000000000684E000-memory.dmp

memory/4864-402-0x0000000009190000-0x0000000009235000-memory.dmp

memory/4864-406-0x00000000092A0000-0x00000000092EA000-memory.dmp

memory/4864-407-0x0000000009390000-0x0000000009424000-memory.dmp

memory/4864-610-0x0000000009310000-0x000000000932A000-memory.dmp

memory/4864-615-0x00000000092F0000-0x00000000092F8000-memory.dmp

memory/1536-634-0x00000000004015C6-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

MD5 5d6188c63f1575fce9fb4bee4340999c
SHA1 7abfc8cb3a48e18943ece9b0ebb2e7ad71386eeb
SHA256 70e200068fe9e79c48e584232041d82dd29c7f5658f5cc1a2f69e839bc5addd0
SHA512 9c3c452b4cc2f0ece75de7c2465e08c7ddc6501f5aed7db8c48d11c2475a43e553ac102e4eccab5ec73b163fdddd7f890a1858efc68a5182641e0865061f284a

memory/1536-670-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1536-687-0x0000000000F70000-0x0000000000FD6000-memory.dmp

memory/1536-689-0x00000000013B0000-0x00000000013BD000-memory.dmp

memory/1536-693-0x0000000003050000-0x000000000305C000-memory.dmp

memory/3312-697-0x0000000000000000-mapping.dmp

memory/1536-699-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1536-719-0x0000000000F70000-0x0000000000FD6000-memory.dmp

memory/3312-766-0x0000000000C20000-0x000000000105F000-memory.dmp

memory/3312-767-0x0000000003060000-0x0000000004060000-memory.dmp

memory/3312-768-0x0000000000780000-0x000000000078D000-memory.dmp

memory/3312-771-0x0000000003060000-0x0000000004060000-memory.dmp