Analysis Overview
SHA256
0612fc8d387aad923a531b5692aa3dc4fc7284247918b30f513053a8bebdeaae
Threat Level: Known bad
The file 4586a5013e4fc086f2881d08648cd096.exe was found to be: Known bad.
Malicious Activity Summary
Azorult
Netwire
NetWire RAT payload
UPX packed file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-06 10:29
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-06 10:29
Reported
2024-01-06 10:32
Platform
win7-20231129-en
Max time kernel
5s
Max time network
120s
Command Line
Signatures
Azorult
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4586a5013e4fc086f2881d08648cd096.exe
"C:\Users\Admin\AppData\Local\Temp\4586a5013e4fc086f2881d08648cd096.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 174.127.99.159:7882 | tcp | |
| US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp |
| US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp |
| US | 174.127.99.159:7882 | tcp |
Files
memory/756-0-0x0000000000400000-0x0000000000B9D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | 66df8cdadb4e66a263ece5a8cac97d17 |
| SHA1 | ae7c86636775b01d834d03c31d751d2540675f92 |
| SHA256 | 5d002e8d5dbde5461c8a2417aca5c66d2ebd7684db1526a7cfa29ec202d47673 |
| SHA512 | 3084fae57de89d20c6803f46da4a9625e18592f1e72214b494417ee0e4e607ab5f4f371fc2eee5feeb8c1e9088e1a175bec1f6f43159442e25b77919bdce4739 |
memory/1644-5-0x0000000000350000-0x000000000043E000-memory.dmp
memory/1644-6-0x0000000074E20000-0x000000007550E000-memory.dmp
memory/1644-7-0x00000000042D0000-0x0000000004310000-memory.dmp
memory/1644-8-0x0000000004310000-0x0000000004396000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | 26bce1d49373c63b579cf6407d0cb3c9 |
| SHA1 | ef7f91c8d801f3e58a121220b669b0d30044f907 |
| SHA256 | 6039f54ecbac2793dea7b2f8079cf4b04f63e3e64791d331e8b3cd52df5df9a5 |
| SHA512 | 61534465299e3f8ee3414c0c74de443fc4fdf237d9cb9adcc8dfc81846204611f1f196d1d7d1457303d0c3509f580048db4c1a15ca7e7dfe835fa8f1096ae394 |
\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | 2c49a35d9e9c37eefaa69ebf62e30b2f |
| SHA1 | af5733cedbf7e5c9438eb15d90db1c5e32c029e1 |
| SHA256 | bb89e04391ddb1c326eebec862acf641b3056dda2ef81265655b6ed6183e358b |
| SHA512 | dd15b6ec622552879bfd72135e8f06b9594998f07f0ee0adf6b5fa729f7a6e31094d380db40e3270a237f78c6c955e3ac78ee525fb27d39769c993d007d42bc4 |
memory/2092-16-0x0000000000040000-0x000000000009C000-memory.dmp
memory/2092-19-0x0000000004950000-0x0000000004990000-memory.dmp
memory/2092-18-0x0000000074E20000-0x000000007550E000-memory.dmp
memory/2092-17-0x0000000001D90000-0x0000000001DB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\File.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\File.exe
| MD5 | 00c8e0b45441700976641cd1b085fbe2 |
| SHA1 | 8897d771b0be1828e53450180af449104c790e3e |
| SHA256 | 1d00e5233e225bf7663ef29b67bbdc2888885f27ebdd92e3f4ee2cd83f4581de |
| SHA512 | 91e061b6948ff34b590365754e41dc1ac9ebc76a7f0e025b6c274f2d584570f400828b58aac107bb98416f0262fdbf628de032b5b9475349e7720b9e4ccd7228 |
\Users\Admin\AppData\Local\Temp\File.exe
| MD5 | a000732d1115c45d659583709829c959 |
| SHA1 | a74b0609c0edbe7af68835be2a2297ab0ff81372 |
| SHA256 | f8e9320640b618a5c8038e2c8a7bfce34b05cb621206bacbe499e266dd7fc96e |
| SHA512 | 5eefb046935a8662fc5b707b1eeddd3155c072a150a9982d785e663cc9e8555b84951925f8b93c07838d45c795711e783c1dfa8249f90b24fbf99dab03bc5f49 |
memory/2908-42-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2044-44-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2044-46-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2044-50-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2044-54-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2908-53-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2908-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2044-60-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2908-67-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2604-74-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2908-66-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2044-65-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2908-59-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2908-49-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2908-45-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2044-41-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2908-37-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2908-35-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2908-32-0x0000000000400000-0x0000000000433000-memory.dmp
memory/756-82-0x0000000000400000-0x0000000000B9D000-memory.dmp
memory/756-85-0x0000000000400000-0x0000000000B9D000-memory.dmp
memory/1644-84-0x0000000074E20000-0x000000007550E000-memory.dmp
memory/2092-83-0x0000000074E20000-0x000000007550E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-06 10:29
Reported
2024-01-06 10:32
Platform
win10v2004-20231215-en
Max time kernel
141s
Max time network
160s
Command Line
Signatures
Azorult
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svhost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3672 set thread context of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
| PID 3876 set thread context of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | C:\Users\Admin\AppData\Local\Temp\svhost.exe |
Enumerates physical storage devices
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\test.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\File.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4586a5013e4fc086f2881d08648cd096.exe
"C:\Users\Admin\AppData\Local\Temp\4586a5013e4fc086f2881d08648cd096.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 174.127.99.159:7882 | tcp | |
| US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gemateknindoperkasa.co.id | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 174.127.99.159:7882 | tcp | |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
memory/4316-0-0x0000000000400000-0x0000000000B9D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | 44c8839b5f9e9c8fedc8c8aad769e402 |
| SHA1 | b4d86a224fb6c9fdee293be986397e5bfceb33a4 |
| SHA256 | 6357d1060e47d2c09f8fa5c9bdbf3b9358ed87f45f0796bd0fd57cbf21fe4a29 |
| SHA512 | 504e9f6a53a046b276ee8582daf60f1a75badefe04e1d40e679d1a6b1846e6de849401f3d584ec5c3edee0a9eb0eba4b858a0588854ac7ccb11071c0273d41c7 |
C:\Users\Admin\AppData\Local\Temp\test.exe
| MD5 | 1bab359b0a4e99c1bf3aa82d42e5b76c |
| SHA1 | cbfc0a70cfae6924da41c1323110409780d67392 |
| SHA256 | 6d1e06f6da374c17412b52550908525ce61c12b4ce77a6da88c9c39b3a8a300e |
| SHA512 | f3779caeeea12364c68c5dc66966c1fed6e522c1974c34c39548ad1fc7cdd94d2b3629e21fe1b39817acd2d9e80811b8d57c188e0658bdf3b15f7c5b0b15488c |
memory/3672-6-0x0000000000AB0000-0x0000000000B9E000-memory.dmp
memory/3672-5-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/3672-7-0x00000000054C0000-0x000000000555C000-memory.dmp
memory/3672-8-0x0000000002E20000-0x0000000002E30000-memory.dmp
memory/3672-9-0x0000000005410000-0x0000000005496000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\File.exe
| MD5 | 8ba864d0e74fca4f8867294a8c95329d |
| SHA1 | 97b805ed4ebf4b93b4edc8b53e8f492a3ca9f474 |
| SHA256 | c339f0001e722f0b824bebb4e7ba8fc2b095ab82a6b65951ebca19057423d0f0 |
| SHA512 | 830ed3b55c02037f997f92f9b8b471a11d0a22c2b167604f2ed3da0f1a4bd7e75c4b3225b089310903cad94d0da8edb5cb70a359ab4220673c7a62f24d4377d8 |
C:\Users\Admin\AppData\Local\Temp\File.exe
| MD5 | 887d3e16bc55489fef8b5fb945d9204b |
| SHA1 | 0258a4bdbd2ad7bbb8b8beb63bd1d89a605c0807 |
| SHA256 | 48e4c0e4c6053be13d89ddc50ea667cce57a624806531fe383b6dcff0cb694e5 |
| SHA512 | bd9a5daac68fad16c4df14372299f41e1e65e51decd4737455af268ad4d22e5a01246a67081300005d493757d69401bcd4f60365ce6c5da4e20f277c7c797274 |
C:\Users\Admin\AppData\Local\Temp\File.exe
| MD5 | 260676cbbd704d208586578791be77f8 |
| SHA1 | 5e064ff5a331c6ef24a2efba5caca9475c162d85 |
| SHA256 | 8689923e0970f7b000d4de79b3fadb4a6d6484aa763e01c3ce28cfa427ee37ae |
| SHA512 | 05ec2814343b572f805a167833262121d716f0a0f77f8893f77ae986a72af7f5a4d966145156ac5a401ea426444ea48124d01f2fb8baf17123599f181f971af8 |
memory/3876-21-0x0000000000DE0000-0x0000000000E3C000-memory.dmp
memory/3876-22-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/3876-24-0x0000000005680000-0x00000000056A4000-memory.dmp
memory/3876-23-0x00000000055F0000-0x0000000005600000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 48000424e9bae86296ac6c58374b3044 |
| SHA1 | 1c5c36e81d77f85040346a0b5e791d490a3bd5e3 |
| SHA256 | e7f5bba581eab85758ac0a9b8e48af13de2667471133075366f4ac69f6aee2d5 |
| SHA512 | fefe083503e293ee5cfc3d595048d0867bcae0397ebc88baca8aeaafb9f8501e3cfe288b13c3e21155bf7727f183be751d076c86c09fa214832ce02bc35a78ca |
memory/4572-27-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4572-32-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Roaming\tmp.exe
| MD5 | 6d4e31ecd8650daa07286209b747b7fd |
| SHA1 | b383a0ffdc61cba5dd6891e4b9442188cc4a8270 |
| SHA256 | 26ff3150e56d72f6445c038782ae19ef762e8da94eb91cce3498625aa4fb941f |
| SHA512 | 03e2a8688b9abb71cd32d7df9f6ca2ea0ce1067e382881db2781ba96b47b88007005caea530b29101e098e4b8e2ef7f6df7e8dbbc6c10024b81430aa4ba487c3 |
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | 466be9381a6f99238b9c250b97c5f244 |
| SHA1 | 1175ef50bc6e2cfadc3851e5e54531cb64eb2068 |
| SHA256 | b4a81352cce81687a36b9a21ded5df6bc0bc5fd96b226d37207243d16089cfe5 |
| SHA512 | 9e195db815e53f373ca9013b0e4e3423160f7b6beb88976f64fef201b0e5d85e30e7b5834a65ebf15e978afaeeaeb00e180a82e7d0736980f894b9934e2bb146 |
C:\Users\Admin\AppData\Local\Temp\svhost.exe
| MD5 | fc47627179ea5dd82defd184ccb6d8e4 |
| SHA1 | 3e14d19ba68cba9c774874c184e3286fa59e7b84 |
| SHA256 | c8a5ec776cd16b083813e80b644ca5aec395f1460e139ea7ae3f0b90120a05a4 |
| SHA512 | 77abfa24e36914d2891d68e1212a9717972015f4809f83f68c81a2d35fb596272860908bd36a518b436455ed9c67d0b85d8fe7f9704d8d8cde3134e1f0f5ef1b |
memory/1124-46-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1124-43-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1124-47-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk
| MD5 | 9cd51c7d5ea68046514ab0f4700286ef |
| SHA1 | cad69ffbf1f3c31de61eff57c65f8f62108a05bd |
| SHA256 | 9751bcaa41efa48d32d9552f456a80fddc70a51d6e4485ad1b2ffe917a6b1d1a |
| SHA512 | 195a823c92c3a7398f4ccc0cf2ef7b8627f683668ceeeb26435027ab18c79049433856c8cb988bfe07d920b2f9ec519a471a5163236d2ff028af513fe54e7521 |
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
| MD5 | 173876fb56fc439dea9559c0be9b3fff |
| SHA1 | 5b301040a34c69615e8afb7c9a4750768c444c7e |
| SHA256 | 787c471a9c3264564d942489ecc4065531377ed5d32938538c4aef1ce60a088b |
| SHA512 | a2d67c023cab13f85d94d13c85bf335cd518bbffaad7853300bcfbe57b1a33e82ec2c361792f6c3e60f5585c83fecee90caed2bddb3da4458ca645d405216261 |
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
| MD5 | 130a75a932a2fe57bfea6a65b88da8f6 |
| SHA1 | b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c |
| SHA256 | f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e |
| SHA512 | 6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed |
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
| MD5 | 3bcf7445b94716ea621be0d0e8afebbc |
| SHA1 | e9b66188da0eddfdca4faa7d1b30ed910f15b5b1 |
| SHA256 | adb72cb3270b445361a8a9b1b1404a7e723d1746ca0f9c82023dc6337a434813 |
| SHA512 | 0b83b24862a130380f515f79b647d6d9688386466268048b0940dde3020c35c819de6289fa9e7d596d3afbfc790997d4fdefdbeaef3011c85bf4f98b308a50bf |
C:\Users\Admin\AppData\Roaming\tmp.exe
| MD5 | bae2b04e1160950e570661f55d7cd6f8 |
| SHA1 | f4abc073a091292547dda85d0ba044cab231c8da |
| SHA256 | ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59 |
| SHA512 | 1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6 |
memory/4572-31-0x0000000000400000-0x0000000000433000-memory.dmp
memory/3220-58-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4316-59-0x0000000000400000-0x0000000000B9D000-memory.dmp
memory/3672-60-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/3672-61-0x0000000002E20000-0x0000000002E30000-memory.dmp
memory/3876-62-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/3672-64-0x00000000745F0000-0x0000000074DA0000-memory.dmp
memory/4316-65-0x0000000000400000-0x0000000000B9D000-memory.dmp
memory/3876-67-0x00000000745F0000-0x0000000074DA0000-memory.dmp