Analysis Overview
SHA256
918bd8df4133a9c6a279757baf27e33ce33c0d115e405178c4563a556e26b647
Threat Level: Known bad
The file 50695a48edcc2576675a4d862311b28b.exe was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Sets DLL path for service in the registry
Modifies Windows Firewall
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Modifies WinLogon
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-24 09:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-24 09:41
Reported
2023-02-24 09:44
Platform
win7-20230220-en
Max time kernel
142s
Max time network
142s
Command Line
Signatures
WarzoneRat, AveMaria
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\350.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\350.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50695a48edcc2576675a4d862311b28b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\ktoxhdmv = "C:\\Users\\Admin\\AppData\\Roaming\\vrbkgpxtd\\yrrnwgclhqavfo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\giuiwxga.exe\" C:\\Users\\Admin\\AppDat" | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\K.mAzfJ = "0" | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\rfxvmt.dll | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1900 set thread context of 544 | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft DN1\sqlmap.dll | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| File created | C:\Program Files\Microsoft DN1\rdpwrap.ini | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50695a48edcc2576675a4d862311b28b.exe
"C:\Users\Admin\AppData\Local\Temp\50695a48edcc2576675a4d862311b28b.exe"
C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe
"C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe" C:\Users\Admin\AppData\Local\Temp\xmfqciidksw.w
C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe
"C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe"
C:\Users\Admin\AppData\Local\Temp\350.exe
"C:\Users\Admin\AppData\Local\Temp\350.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
C:\Users\Admin\AppData\Local\Temp\350.exe
"C:\Users\Admin\AppData\Local\Temp\350.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mylab.wshrt.sbs | udp |
| US | 104.223.19.96:80 | mylab.wshrt.sbs | tcp |
| N/A | 10.127.0.1:5351 | udp | |
| N/A | 127.0.0.1:3389 | tcp | |
| N/A | 10.127.0.1:5351 | udp |
Files
\Users\Admin\AppData\Local\Temp\giuiwxga.exe
| MD5 | 7e14ab7fdec2ba5ca24b6a3af21c430b |
| SHA1 | 8621b145ec2936a18a57ec5296c7b3ed088ba692 |
| SHA256 | 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e |
| SHA512 | 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06 |
C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe
| MD5 | 7e14ab7fdec2ba5ca24b6a3af21c430b |
| SHA1 | 8621b145ec2936a18a57ec5296c7b3ed088ba692 |
| SHA256 | 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e |
| SHA512 | 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06 |
C:\Users\Admin\AppData\Local\Temp\xmfqciidksw.w
| MD5 | 0407fc904cad9de15d803cb22985308a |
| SHA1 | 047eb49d90a212bd61ff6fa8b0f813e6899a0f3d |
| SHA256 | 238df51fccc66a32a3d082766a3642939a4422c6ed658936d2e365dbcc7cb264 |
| SHA512 | 3625e85b843f378ea18dc2d5ec66fbbf96784cfc5ceb5a93e90249fab9ec25dd1ba84ff1c7d6329d53fc6e97338f90e59f53c21110f117e424c9b2054dff8055 |
C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe
| MD5 | 7e14ab7fdec2ba5ca24b6a3af21c430b |
| SHA1 | 8621b145ec2936a18a57ec5296c7b3ed088ba692 |
| SHA256 | 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e |
| SHA512 | 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06 |
C:\Users\Admin\AppData\Local\Temp\lfdaorq.t
| MD5 | 6bf7158a9b5dc387e0dd79895abf1e52 |
| SHA1 | 4dbffcaf9ea9b37d32b173af246532a13f71d1a6 |
| SHA256 | aef63c8e0201a2975249852a6c7a11f256e615020ac04b5c31a5906b2bd30d2a |
| SHA512 | 3aa3926ca6a8a772f66193a5a590720205f40b13656990935abcad1ac2faff6dad71f15bf1558fbd807d9479ece65da26181dbdc3ee88de59081ccc344c7f1b5 |
\Users\Admin\AppData\Local\Temp\giuiwxga.exe
| MD5 | 7e14ab7fdec2ba5ca24b6a3af21c430b |
| SHA1 | 8621b145ec2936a18a57ec5296c7b3ed088ba692 |
| SHA256 | 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e |
| SHA512 | 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06 |
memory/544-66-0x0000000000400000-0x000000000055C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe
| MD5 | 7e14ab7fdec2ba5ca24b6a3af21c430b |
| SHA1 | 8621b145ec2936a18a57ec5296c7b3ed088ba692 |
| SHA256 | 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e |
| SHA512 | 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06 |
memory/1900-67-0x0000000000110000-0x0000000000113000-memory.dmp
memory/544-71-0x0000000000400000-0x000000000055C000-memory.dmp
memory/544-72-0x0000000000400000-0x000000000055C000-memory.dmp
memory/544-73-0x0000000000400000-0x000000000055C000-memory.dmp
memory/544-75-0x0000000000400000-0x000000000055C000-memory.dmp
\Users\Admin\AppData\Local\Temp\350.exe
| MD5 | ca96229390a0e6a53e8f2125f2c01114 |
| SHA1 | a54b1081cf58724f8cb292b4d165dfee2fb1c9f6 |
| SHA256 | 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c |
| SHA512 | e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef |
C:\Users\Admin\AppData\Local\Temp\350.exe
| MD5 | ca96229390a0e6a53e8f2125f2c01114 |
| SHA1 | a54b1081cf58724f8cb292b4d165dfee2fb1c9f6 |
| SHA256 | 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c |
| SHA512 | e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef |
C:\Users\Admin\AppData\Local\Temp\350.exe
| MD5 | ca96229390a0e6a53e8f2125f2c01114 |
| SHA1 | a54b1081cf58724f8cb292b4d165dfee2fb1c9f6 |
| SHA256 | 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c |
| SHA512 | e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef |
memory/544-86-0x0000000004F80000-0x0000000004FAD000-memory.dmp
memory/2004-87-0x0000000000810000-0x000000000083D000-memory.dmp
\Users\Admin\AppData\Local\Temp\350.exe
| MD5 | ca96229390a0e6a53e8f2125f2c01114 |
| SHA1 | a54b1081cf58724f8cb292b4d165dfee2fb1c9f6 |
| SHA256 | 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c |
| SHA512 | e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef |
C:\Users\Admin\AppData\Local\Temp\350.exe
| MD5 | ca96229390a0e6a53e8f2125f2c01114 |
| SHA1 | a54b1081cf58724f8cb292b4d165dfee2fb1c9f6 |
| SHA256 | 0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c |
| SHA512 | e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef |
memory/544-99-0x0000000005140000-0x000000000516D000-memory.dmp
memory/1148-100-0x0000000000810000-0x000000000083D000-memory.dmp
\Program Files\Microsoft DN1\sqlmap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
memory/544-104-0x0000000000400000-0x000000000055C000-memory.dmp
memory/544-106-0x0000000005140000-0x000000000516D000-memory.dmp
memory/2004-108-0x0000000000810000-0x000000000083D000-memory.dmp
memory/1148-109-0x0000000000810000-0x000000000083D000-memory.dmp
memory/544-111-0x0000000000400000-0x000000000055C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-24 09:41
Reported
2023-02-24 09:44
Platform
win10v2004-20230220-en
Max time kernel
96s
Max time network
147s
Command Line
Signatures
WarzoneRat, AveMaria
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll" | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ktoxhdmv = "C:\\Users\\Admin\\AppData\\Roaming\\vrbkgpxtd\\yrrnwgclhqavfo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\giuiwxga.exe\" C:\\Users\\Admin\\AppDat" | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\bbc.pdu = "0" | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\rfxvmt.dll | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3656 set thread context of 4404 | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft DN1\sqlmap.dll | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| File created | C:\Program Files\Microsoft DN1\rdpwrap.ini | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\50695a48edcc2576675a4d862311b28b.exe
"C:\Users\Admin\AppData\Local\Temp\50695a48edcc2576675a4d862311b28b.exe"
C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe
"C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe" C:\Users\Admin\AppData\Local\Temp\xmfqciidksw.w
C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe
"C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mylab.wshrt.sbs | udp |
| US | 104.223.19.96:80 | mylab.wshrt.sbs | tcp |
| US | 8.8.8.8:53 | 96.19.223.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:3389 | tcp | |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe
| MD5 | 7e14ab7fdec2ba5ca24b6a3af21c430b |
| SHA1 | 8621b145ec2936a18a57ec5296c7b3ed088ba692 |
| SHA256 | 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e |
| SHA512 | 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06 |
C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe
| MD5 | 7e14ab7fdec2ba5ca24b6a3af21c430b |
| SHA1 | 8621b145ec2936a18a57ec5296c7b3ed088ba692 |
| SHA256 | 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e |
| SHA512 | 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06 |
C:\Users\Admin\AppData\Local\Temp\xmfqciidksw.w
| MD5 | 0407fc904cad9de15d803cb22985308a |
| SHA1 | 047eb49d90a212bd61ff6fa8b0f813e6899a0f3d |
| SHA256 | 238df51fccc66a32a3d082766a3642939a4422c6ed658936d2e365dbcc7cb264 |
| SHA512 | 3625e85b843f378ea18dc2d5ec66fbbf96784cfc5ceb5a93e90249fab9ec25dd1ba84ff1c7d6329d53fc6e97338f90e59f53c21110f117e424c9b2054dff8055 |
memory/3656-140-0x0000000001380000-0x0000000001383000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lfdaorq.t
| MD5 | 6bf7158a9b5dc387e0dd79895abf1e52 |
| SHA1 | 4dbffcaf9ea9b37d32b173af246532a13f71d1a6 |
| SHA256 | aef63c8e0201a2975249852a6c7a11f256e615020ac04b5c31a5906b2bd30d2a |
| SHA512 | 3aa3926ca6a8a772f66193a5a590720205f40b13656990935abcad1ac2faff6dad71f15bf1558fbd807d9479ece65da26181dbdc3ee88de59081ccc344c7f1b5 |
memory/4404-143-0x0000000000400000-0x000000000055C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\giuiwxga.exe
| MD5 | 7e14ab7fdec2ba5ca24b6a3af21c430b |
| SHA1 | 8621b145ec2936a18a57ec5296c7b3ed088ba692 |
| SHA256 | 85c5b0156d4043daaad9128b437c0124895a15678c155c3f3583003e1f16095e |
| SHA512 | 3b5d524326b84664a9ebe67dcd66ad61c4764dd2940d6ade22c963719c7c697d82c0f2e0784b79fae3fb36322586c325781c3e9fb8a30cf6ddb6e3dbf5f65f06 |
memory/4404-147-0x0000000000400000-0x000000000055C000-memory.dmp
memory/4404-148-0x0000000000400000-0x000000000055C000-memory.dmp
memory/4404-149-0x0000000000400000-0x000000000055C000-memory.dmp
memory/4404-151-0x0000000000400000-0x000000000055C000-memory.dmp
C:\Program Files\Microsoft DN1\sqlmap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
\??\c:\program files\microsoft dn1\sqlmap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
\??\c:\program files\microsoft dn1\rdpwrap.ini
| MD5 | fca6ba93c780afa00a5703df9ac65754 |
| SHA1 | 3ed423763fdd9722ff8bed3667ffa93f77390138 |
| SHA256 | 1c4930123ec2a809b3bd93969967d6c321d8d65fc7b886e062b2581c741944e5 |
| SHA512 | 538b0995be3796737575a2fd3aaa1644b3e6566e4cd5ed5c4df9e0a586368e7ceea8f0284de53f7c3f0874fc90b9a194d2ea1438bc9d7779eb12d00b8807f595 |
memory/4404-161-0x0000000000400000-0x000000000055C000-memory.dmp
memory/4404-162-0x0000000000400000-0x000000000055C000-memory.dmp
memory/4404-163-0x0000000000400000-0x000000000055C000-memory.dmp