Analysis Overview
SHA256: 67e3a815d433caef4c284c7a9289fd647bda469f4f005a398f9766bc3fae0ff6
Threat Level: Known bad
The file scandoc0327002.zip was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-03-29 23:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-29 23:38
Reported: 2024-03-30 00:13
Platform: win7-20240221-en
Max time kernel: 1557s
Max time network: 1560s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescot = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescott2 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1920 wrote to memory of 960 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1920 wrote to memory of 960 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1920 wrote to memory of 960 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1920 wrote to memory of 960 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1920 wrote to memory of 2528 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1920 wrote to memory of 2528 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1920 wrote to memory of 2528 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\scandoc0327002.js
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0V9LTNYOF7JJHOJB4I98.temp
| MD5 | 828658ac2db51839ee4dda61679a2e2f |
| SHA1 | 0c20bb64e6cbf6088d1621a547d15dd74da45be3 |
| SHA256 | 584d03a0ce2ec0c67801c25665f37f644225d3db2e120dc7fc0d0a6c81871103 |
| SHA512 | ab52b1d9423e7c3a9b6e5ca8ed2f58c4c23f6144e7a7a8c64aa13a9ebcea0af00a192a03f0a4587902113540d16d1a89000c9d3fc2307d4147624d641eeaf964 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-03-29 23:38
Reported: 2024-03-30 00:13
Platform: win10-20240221-en
Max time kernel: 467s
Max time network: 442s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescott2 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescot = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4380 wrote to memory of 4980 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4380 wrote to memory of 4980 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4380 wrote to memory of 4980 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4380 wrote to memory of 3288 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4380 wrote to memory of 3288 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\scandoc0327002.js
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wahc3252\wahc3252.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3D.tmp" "c:\Users\Admin\AppData\Local\Temp\wahc3252\CSCBE51DBA44E604148AFFD394BA92278CD.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0sm4ml2g\0sm4ml2g.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1968.tmp" "c:\Users\Admin\AppData\Local\Temp\0sm4ml2g\CSC1A41F622A19B4FDFBDE5D3253992B7A7.TMP"
C:\Windows\system32\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.141.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a2cctiso.mtg.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
\??\c:\Users\Admin\AppData\Local\Temp\wahc3252\wahc3252.cmdline
| MD5 | 7d3f602461fd8d45b0961650cac195b4 |
| SHA1 | 97d500e9b5a405954dc440ae7d957a7a07feb6d5 |
| SHA256 | fc33fd3902e1d2de287a7f855845f6b1d1a6b630fa5ef3df511d8c25df83b32b |
| SHA512 | 2c43bee0d3420bcb794f78897e5894264de237063f4c27d9fb8af04db5e6be4e0c22a305a7a1edae3e899dd5734d2b1bc58498c750273626f3ebb68e71cb54fe |
\??\c:\Users\Admin\AppData\Local\Temp\wahc3252\wahc3252.0.cs
| MD5 | 0c6b6122e65041da2deb106419c81970 |
| SHA1 | 8a12628dc5ad5d9f522bba863c7a42da8fdc6c47 |
| SHA256 | afb856249a4eab1884344e28058ce5a3495364270f4f88799cf872ec82cf348a |
| SHA512 | a65b157dc5202a07cac7656c69fcba17329aef97282fabcdd359a28f47214b1babebf7a1107045a12586513b8e59a9826b3fb4e35796b7b91630023926950651 |
\??\c:\Users\Admin\AppData\Local\Temp\wahc3252\CSCBE51DBA44E604148AFFD394BA92278CD.TMP
| MD5 | 4fd6459269e73fa7b516b37e95d928b3 |
| SHA1 | 3ec6e36efed09bc0be36e00e8584c38b749ef32c |
| SHA256 | bc1dd2d80e2a5d3fb6bbd6ba9569e23b494d25d62ca06fd574d0b4b3e5e61e08 |
| SHA512 | 4f8c7b522d56cf5630894451cc284b2de138eed4c15e4f054882df130216b26b6a075e7f1cda7fcafd08255cc9a880deef48554c4a166eea53c9e0c31d18b648 |
C:\Users\Admin\AppData\Local\Temp\RESE3D.tmp
| MD5 | 608796b77120d6aacd8da6780f6ad863 |
| SHA1 | d1291b28c8ac3b8d96f407da167ad9d97e972700 |
| SHA256 | e392f9a84d4d25ca2889fb385ad30fe401ff5b3fc88ed4ee343530a6568f54c6 |
| SHA512 | da452093436d5f89beff3db6df1800fd9cbb0f4c2b249a93241e1306a53af7eeb17cfe9d30a72e2f566801bca0e6c24c7f846a6e2375fc2033ef78c1d258955d |
C:\Users\Admin\AppData\Local\Temp\wahc3252\wahc3252.dll
| MD5 | 5e8644237d264175cf40dbc31c72968d |
| SHA1 | 374bf2ec21d198a2c29ee9de651f3e2adf20ccc7 |
| SHA256 | da7e7275008510d88ade9993423012721f886094fa2807fd3e1b361fe7e747dc |
| SHA512 | cd3fdbc6a7b749f65efa226ad90034188e6ffb5366053643e73344dd3e863a1fd2a2dea9fade3d9b570c294729a6e9f36a7dbd419c7dc2c23e2fe3851307f6c1 |
\??\c:\Users\Admin\AppData\Local\Temp\0sm4ml2g\0sm4ml2g.cmdline
| MD5 | 34ce466e8813f5815e51bef98d2ccbc5 |
| SHA1 | 9d04bc9c76576742ab7c1a51851d3db6f25fdb06 |
| SHA256 | b121634abf91d502c8f9c91ca29b05944984aad4dac6fbf39427e2fb1cbb132e |
| SHA512 | 0be8e58cd3ff8ed8a1dbb0dd95b09d4fa292fb80d9b9c057d3316c118d4075b9ad52ce18c9539fc80630b9d7baee083de9b8f8cbde248c78107fa9cd9f165a15 |
\??\c:\Users\Admin\AppData\Local\Temp\0sm4ml2g\CSC1A41F622A19B4FDFBDE5D3253992B7A7.TMP
| MD5 | e6c329c319efe2c9095d967fdc78787e |
| SHA1 | 7d125264b9bc6ff65c8429efd276be88b954c9c7 |
| SHA256 | d689939f650f2fc0d8e1e6870122e66c8a680ccf031a43d3043382870f787a8f |
| SHA512 | 9878fb4b05254d52033c23b4026c1119c7b261e665dd0beae6bed4e65a9269d91e561c63f33a12294640854a0e887c23b009913bc873e0abd42f1ff15b67619f |
C:\Users\Admin\AppData\Local\Temp\RES1968.tmp
| MD5 | 883cacf8d678622b4a36272ff9d6a629 |
| SHA1 | 719953a277913c3a31647dbb6ffc1462da42cb82 |
| SHA256 | 620e4dcf75d82979943d4cbfb662bad3905badbc510c77f5bce6d2a69ac8b4d1 |
| SHA512 | dce960d05f3a0d39c070550c82557c90882954122ba3c3121030a11fa7791fa131d907411c1cd3177024e050f2c6e834e6b26f087259681c05097ad4b01bde79 |
C:\Users\Admin\AppData\Local\Temp\0sm4ml2g\0sm4ml2g.dll
| MD5 | e1d577ea6b35b615236d7e813ff66ea2 |
| SHA1 | 07e3a0614ba63afa2caa3c7915115ef234690596 |
| SHA256 | 353f7c9fab6a4e862a621bd1715469f9d1a114b0466df1ddaf352079187d77c9 |
| SHA512 | b74e32198f18954905eb1f1540efa81b7d4329853b38198243298b4c683853dce39081381303e91ca457741aa1dde0f5dad1a416cdd31af541f1457930b7b437 |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-03-29 23:38
Reported: 2024-03-30 00:13
Platform: win10v2004-20240226-en
Max time kernel: 1160s
Max time network: 1165s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2192 created 2564 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\sihost.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prescott2 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prescot = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\system32\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\scandoc0327002.js
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xyz3xo2r\xyz3xo2r.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFAC4.tmp" "c:\Users\Admin\AppData\Local\Temp\xyz3xo2r\CSC155EABC788C14E8D84C1F82675C2966.TMP"
C:\Windows\system32\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4vxlj2ee\4vxlj2ee.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4F6C.tmp" "c:\Users\Admin\AppData\Local\Temp\4vxlj2ee\CSC948A045653934277AC1CC76DC76517.TMP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.34.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 152.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_otql5kvc.eh2.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
\??\c:\Users\Admin\AppData\Local\Temp\xyz3xo2r\xyz3xo2r.cmdline
| MD5 | efb62d351c5d67de9ed71e99f7bdc501 |
| SHA1 | fbe9e20901c3040084572043b4e4c227a6d62184 |
| SHA256 | e186ce0b13ca4f18b4d9fd824c6d78fd30f97744a7d912eecf536f77559f047c |
| SHA512 | 53fd18e0d1b05ceb4415221a0981b7eb437a5b8eb433a626359f119b8215c53cfd060cf1febdf3ee0664ec9a232e7645ab61f93da9ad0788bc6564594ffe8f24 |
\??\c:\Users\Admin\AppData\Local\Temp\xyz3xo2r\xyz3xo2r.0.cs
| MD5 | 0c6b6122e65041da2deb106419c81970 |
| SHA1 | 8a12628dc5ad5d9f522bba863c7a42da8fdc6c47 |
| SHA256 | afb856249a4eab1884344e28058ce5a3495364270f4f88799cf872ec82cf348a |
| SHA512 | a65b157dc5202a07cac7656c69fcba17329aef97282fabcdd359a28f47214b1babebf7a1107045a12586513b8e59a9826b3fb4e35796b7b91630023926950651 |
\??\c:\Users\Admin\AppData\Local\Temp\xyz3xo2r\CSC155EABC788C14E8D84C1F82675C2966.TMP
| MD5 | 6e7512a0ffdbb35dc4a8719de9d776d8 |
| SHA1 | 8987a1c784ac84825a1ba42f430edd71bb4207d3 |
| SHA256 | 11756aad0f6784dcd0d14575495952912191d0e1ee716fa9eecfa6cb20cb5751 |
| SHA512 | 9d42c38f1dcc2ec2e9775fbd8100a98e3ff6294c1753e7b9b194eb2615f5b018daa444b51cbd8a8564d4c682dda351eee5093cb7b17dc75f8bd30b40955a09b0 |
C:\Users\Admin\AppData\Local\Temp\RESFAC4.tmp
| MD5 | 043f32750df05893f9c33408613c0fdd |
| SHA1 | 8863856befe48845472ac0aa9dd1c9b72129d269 |
| SHA256 | 6515453ea722bf2cc94788da31b47867b378b443614ba73baf0cc6a88085ada9 |
| SHA512 | 39c137370b29439305aefe03e804943f2464ad0b481be4c5c3193027d31da9d7c2a38e72cd4116477a40a60a6ac2765fcc095055bc3e5d4f310a5bd0c059d948 |
C:\Users\Admin\AppData\Local\Temp\xyz3xo2r\xyz3xo2r.dll
| MD5 | 085359a1da4de3cc26f9631a3c2297d8 |
| SHA1 | 733883a65e8a07834e9392ee4c3d7d2be4a361c3 |
| SHA256 | 7207bc0d5dbbd51bb8276318d6e3d7a8c53bf41902b960d2e6bd4fb799b6e988 |
| SHA512 | f925f8cf6679a3bd35b15dd8960a2097437f14a58b69e78c2986004fa7ecfa201705072ee3d90c5f1a36d4778bcd73fe0f67269ed2a4147f93298c09b9604bc6 |
\??\c:\Users\Admin\AppData\Local\Temp\4vxlj2ee\4vxlj2ee.cmdline
| MD5 | 9a24b21fb7067bccefab06bbf70e7745 |
| SHA1 | e3bddbca8a99f353d7285d299f649295a8653d9b |
| SHA256 | 2597119f3623a5a3ce3edba7d46ed39f6b43156104d3a055a7fa93e5f60c60c9 |
| SHA512 | 61a71981029bd0f8ed5ea26cc61efa61919bba965a9082ec276a738682f0e9f239e9ab24fdaff88ff9f106757a0f762a9f2c05fcc1a3a5a15f7e78b2aaf59519 |
\??\c:\Users\Admin\AppData\Local\Temp\4vxlj2ee\CSC948A045653934277AC1CC76DC76517.TMP
| MD5 | 87cef804ff787048722ba36345a058ba |
| SHA1 | c34ce8086a7a313dce4afaadfab2700440eabaad |
| SHA256 | 40422e0d70fcd61c6eb33c01b759ced4b369bce46781b5b44dbb1845c2896fa7 |
| SHA512 | 96c23e8e96abc326089c7c4fa983878d380834f3d97cb9a8e76663d9e9a70e9f94f2b3159114043978e6e27eab10367b7089c61768d83ae0e6b5f3218966398c |
C:\Users\Admin\AppData\Local\Temp\RES4F6C.tmp
| MD5 | 83f7811d5d5e662ee620f7000bd9558b |
| SHA1 | 4e07e8ca1372c542e624258e8574cdc431ff1f5b |
| SHA256 | 6ba2aed718c8fd250291744b34a68c94f876df77c4ece38371ffe0100bcf5ddc |
| SHA512 | fa46cc7b113c010d528d5875bfb851272e0745a1758f3a5e4550af77c5e3c03fa88344ebb223d92762254e401eeb54e929ecf1ff28f3386bca7e89ac5aa250cc |
C:\Users\Admin\AppData\Local\Temp\4vxlj2ee\4vxlj2ee.dll
| MD5 | c2600b0ff8c75c37a8a19b778111b571 |
| SHA1 | 9cfbd5e2ca30e2ddf1ea5ca3364b265bb9afd962 |
| SHA256 | 5c24cbbaa6908e0cafae9f0248a23fbbb33475cb9033d3bae9ca02ac14ebcec2 |
| SHA512 | 4f9a2091064022fc45fde1fa456fffe202bc616cb660c49fca820516ed89d5e45b8ed4549bb0a2ee04e03897546ee283025beea7fd412169a9156f2d447b351d |
Analysis: behavioral4
Detonation Overview
Submitted: 2024-03-29 23:38
Reported: 2024-03-30 00:13
Platform: win11-20240221-en
Max time kernel: 1336s
Max time network: 1169s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2976 created 2484 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\sihost.exe |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescot = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\prescott2 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -windowstyle hidden -Command \"IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))\"" | C:\Windows\system32\wscript.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\dialer.exe | N/A |
| N/A | N/A | C:\Windows\system32\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\scandoc0327002.js
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "IEX([Environment]::GetEnvironmentVariable('prescot', 'User'))"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5ttumtpw\5ttumtpw.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA179.tmp" "c:\Users\Admin\AppData\Local\Temp\5ttumtpw\CSC42A52E25B82943AAAEC654395C3480B0.TMP"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jbxn3dkn\jbxn3dkn.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB00F.tmp" "c:\Users\Admin\AppData\Local\Temp\jbxn3dkn\CSCBF3AF1A2C8A04CE192F5872E87624DE0.TMP"
C:\Windows\system32\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uw0hthia.pju.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2976-9-0x00007FFB552A0000-0x00007FFB55D62000-memory.dmp
memory/2976-10-0x0000022FEA680000-0x0000022FEA690000-memory.dmp
memory/2976-11-0x0000022FEA650000-0x0000022FEA672000-memory.dmp
memory/2116-13-0x0000000074780000-0x0000000074F31000-memory.dmp
memory/2116-14-0x00000000026A0000-0x00000000026B0000-memory.dmp
memory/2116-12-0x00000000025D0000-0x0000000002606000-memory.dmp
memory/2116-15-0x00000000026A0000-0x00000000026B0000-memory.dmp
memory/2116-16-0x0000000005070000-0x000000000569A000-memory.dmp
memory/2116-17-0x0000000004EF0000-0x0000000004F12000-memory.dmp
memory/2116-18-0x0000000004FA0000-0x0000000005006000-memory.dmp
memory/2116-24-0x0000000005750000-0x00000000057B6000-memory.dmp
memory/2116-28-0x00000000058C0000-0x0000000005C17000-memory.dmp
memory/2116-29-0x0000000005DC0000-0x0000000005DDE000-memory.dmp
memory/2116-30-0x0000000005EA0000-0x0000000005EEC000-memory.dmp
memory/2116-31-0x0000000007510000-0x0000000007B8A000-memory.dmp
memory/2116-32-0x0000000006300000-0x000000000631A000-memory.dmp
memory/2116-33-0x0000000007090000-0x0000000007126000-memory.dmp
memory/2116-34-0x0000000006DA0000-0x0000000006DC2000-memory.dmp
memory/2116-35-0x0000000008140000-0x00000000086E6000-memory.dmp
memory/2976-37-0x00007FFB552A0000-0x00007FFB55D62000-memory.dmp
memory/2116-38-0x0000000074780000-0x0000000074F31000-memory.dmp
memory/2976-39-0x0000022FEA680000-0x0000022FEA690000-memory.dmp
memory/2976-40-0x0000022FEA680000-0x0000022FEA690000-memory.dmp
memory/2116-41-0x00000000026A0000-0x00000000026B0000-memory.dmp
memory/2976-42-0x0000022FEA680000-0x0000022FEA690000-memory.dmp
memory/2116-43-0x00000000026A0000-0x00000000026B0000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\5ttumtpw\5ttumtpw.cmdline
| MD5 | ab3203477b605ab98cf7a69a2ea72b76 |
| SHA1 | f488a639a585ab33eb866443031a7763e99c752c |
| SHA256 | 5c4e30faa4fc7bd0f13c14caf70d37716a899621d87d25c556196ad0377e34b1 |
| SHA512 | 346cf3d4ece735c99cb60bed6e8bc0cc2e34693f30dc2abe4f24d7273cc0131d0859d03502b2988b8f0ea1ecaf3decc423dfb5dc0a012165edde3f362c3b1968 |
\??\c:\Users\Admin\AppData\Local\Temp\5ttumtpw\5ttumtpw.0.cs
| MD5 | 0c6b6122e65041da2deb106419c81970 |
| SHA1 | 8a12628dc5ad5d9f522bba863c7a42da8fdc6c47 |
| SHA256 | afb856249a4eab1884344e28058ce5a3495364270f4f88799cf872ec82cf348a |
| SHA512 | a65b157dc5202a07cac7656c69fcba17329aef97282fabcdd359a28f47214b1babebf7a1107045a12586513b8e59a9826b3fb4e35796b7b91630023926950651 |
\??\c:\Users\Admin\AppData\Local\Temp\5ttumtpw\CSC42A52E25B82943AAAEC654395C3480B0.TMP
| MD5 | 8ba6016950fe1c55914a6c68c6cf6d6d |
| SHA1 | 025511811928d6bed45293e4cd267fd859e6bceb |
| SHA256 | 59eff0a399518930082da030e7f9e6f2a4bff7fe6a350cae124d3486db775de8 |
| SHA512 | ad5342d3358d197c301d65ce2fcd5a248d1dbdb93590bebae29ecf46225a887e76d6da9ffc03173e064656b41b6824b50ac3f28cd9c065ac095f5a9b9f6c6a10 |
C:\Users\Admin\AppData\Local\Temp\RESA179.tmp
| MD5 | d7e15f09b49dcfa6ed301cce1adcf805 |
| SHA1 | 9e1fb4310dcd2aa63bc8b9e87a4f2db60239c391 |
| SHA256 | 7d1e16e8efe2aa10086f71e122bccbeb01b1e6d5212119b6ef213e4a51c19224 |
| SHA512 | d696c4717df7eb3888c53b778c12e813e7996de8025d3b30fdf8ecd88796031476bcca6b8836d7b6d4baa101cbaa67adfe171c4ac2fffba9b4b019e74926e528 |
memory/2976-56-0x0000022FEA790000-0x0000022FEA798000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5ttumtpw\5ttumtpw.dll
| MD5 | e42c6c731e1a381cd0ffb14ab6e55d87 |
| SHA1 | 8369aa31417ebef7d94f72e3037c4359ea152dec |
| SHA256 | c5556d2f763ed4cf72c17cd40d0e0e408bd521f4eb5982ba7812d8a948423b4e |
| SHA512 | 55bd96f542106e9ed20e671c7184db6fa35343f379fc74a1d86c8021fd532e62783d44c6f92ce8b0a0d6630799c5c6c6c04094a5f72825cae59f6ea9f1425b0b |
memory/2976-58-0x0000022FEA680000-0x0000022FEA690000-memory.dmp
memory/2976-59-0x0000022FEADF0000-0x0000022FEAE93000-memory.dmp
memory/2976-60-0x0000022FEADF0000-0x0000022FEAE93000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\jbxn3dkn\jbxn3dkn.cmdline
| MD5 | 23a134c2819e4661a7125f1b4691c79f |
| SHA1 | a6917ed2b2974205e6b9aa149d9325849a3fa3f7 |
| SHA256 | a66287c8a9a33763da4fa2f50e077db68d94196b37013c756bf86d6d2efcb78d |
| SHA512 | 29bedfecde86b262beb0c473cfc7092f9d0b665c1c74a69b64d2cc79220342c6846bfacb4dd490cb0df2468e11918bbb83faaaf3a7abee91db53749ef13d96ca |
\??\c:\Users\Admin\AppData\Local\Temp\jbxn3dkn\CSCBF3AF1A2C8A04CE192F5872E87624DE0.TMP
| MD5 | 1afec7c4d6a732db99009db6823baa84 |
| SHA1 | 83465f655bb066cba2be1ef6b63017aac6432ec2 |
| SHA256 | c1f4726d35b472b160c5cc13e91ea5b966e0fcc80770cc03a50c3fae0da0c8af |
| SHA512 | 38188c7d3180c3eadd1d4c0952ab442b257667fc69d03c08e7ee7bd52e1c67a974f36eb421e3e015e414f1a69d2ab14c9ba2d767eb3b2022fd90e3682eeeec08 |
C:\Users\Admin\AppData\Local\Temp\RESB00F.tmp
| MD5 | 6d981c71aa2c53148b8529ac4657728b |
| SHA1 | 57d4b066efda0789284bd1da3ce0106d1307ae01 |
| SHA256 | f6370063e465978d9cf0044822ceb94354a760ee682145918f78d548af632b6d |
| SHA512 | ddf3fc754bb500048b5dd56f2c40ed1056afee9d7a2d7709f1857224c5a20fc152ff57a51579f762ba22fddb88e7b48fc700bb15a5f6b681ee4f3ee3f001d956 |
C:\Users\Admin\AppData\Local\Temp\jbxn3dkn\jbxn3dkn.dll
| MD5 | 018175c97a3f244828c20c7d66c1a6a3 |
| SHA1 | ba43f2c16cf96e7c3685e2198e39e3c3d3930d74 |
| SHA256 | 11d7be2ba81a464a8449210f36bb93e40f761772f6327177c234779ae2026f45 |
| SHA512 | 8c64df444dbd7e04e179c466eaf270c879948a0488c552cec7b63bbd1280fb7e562eafe87c2093cd01d0fa45bc30cb0739186f671ed621b0302b833290f01697 |
memory/2116-73-0x0000000000A40000-0x0000000000A48000-memory.dmp
memory/2116-75-0x00000000026A0000-0x00000000026B0000-memory.dmp
memory/2116-78-0x0000000074780000-0x0000000074F31000-memory.dmp
memory/2976-79-0x0000022FEB020000-0x0000022FEB08B000-memory.dmp
memory/2976-80-0x0000022FEA7E0000-0x0000022FEA7E9000-memory.dmp
memory/2976-82-0x0000022FEB0A0000-0x0000022FEB4A0000-memory.dmp
memory/2976-81-0x0000022FEB020000-0x0000022FEB08B000-memory.dmp
memory/2976-84-0x0000022FEB0A0000-0x0000022FEB4A0000-memory.dmp
memory/2976-85-0x00007FFB76060000-0x00007FFB76269000-memory.dmp
memory/2976-87-0x0000022FEB0A0000-0x0000022FEB4A0000-memory.dmp
memory/2976-88-0x00007FFB73A60000-0x00007FFB73DD4000-memory.dmp
memory/2976-86-0x00007FFB74FE0000-0x00007FFB7509D000-memory.dmp
memory/4584-89-0x0000028EAAB20000-0x0000028EAAB29000-memory.dmp
memory/4584-91-0x0000028EAC6F0000-0x0000028EACAF0000-memory.dmp
memory/4584-92-0x00007FFB76060000-0x00007FFB76269000-memory.dmp
memory/4584-94-0x0000028EAC6F0000-0x0000028EACAF0000-memory.dmp
memory/4584-96-0x00007FFB73A60000-0x00007FFB73DD4000-memory.dmp
memory/4584-95-0x00007FFB76060000-0x00007FFB76269000-memory.dmp
memory/4584-93-0x00007FFB74FE0000-0x00007FFB7509D000-memory.dmp
memory/4584-97-0x0000028EAC6F0000-0x0000028EACAF0000-memory.dmp
memory/4584-98-0x00007FFB76060000-0x00007FFB76269000-memory.dmp
memory/2976-99-0x0000022FEADF0000-0x0000022FEAE93000-memory.dmp
memory/2976-100-0x0000022FEB0A0000-0x0000022FEB4A0000-memory.dmp
memory/2976-101-0x00007FFB76060000-0x00007FFB76269000-memory.dmp
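Two things in the Files and memory listing are worth pulling apart before reading hashes. The Temp paths 5ttumtpw\ and jbxn3dkn\ with .cmdline, .0.cs, .dll and CSC*.TMP inside them are the leftovers of PowerShell's Add-Type, one session per PowerShell (x64 and x86); the .0.cs is the source to read first and the .dll is what actually ran. The memory dump names encode region bounds, and the same region sizes turn up in PID 2976 (the x64 PowerShell) and PID 4584 (not named in the process list; by its 64-bit addresses and identical module ranges it is a 64-bit process): the 0x7FFB... ranges sit at identical bases in both, so they are shared DLL mappings, while the 0x9000 and 0x400000 regions sit at different bases, which is what a payload copied into a second process looks like. The Python below is an added triage helper, not code from the report; it groups the Add-Type artifacts per session and pairs equal-size regions across PIDs from constructed copies of the report's own entries.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Add-Type compile leftovers: PowerShell writes <8 chars>\<same>.cmdline, .0.cs and
# .dll under %TEMP% and runs csc.exe on them; CSC<32 hex>.TMP is csc's own scratch file.
_ADD_TYPE_RE = re.compile(
    r"\\Temp\\(?P<session>[a-z0-9]{8})\\(?P<name>(?P=session)\.(?:cmdline|0\.cs|dll)|CSC[0-9A-F]{32}\.TMP)$",
    re.IGNORECASE)
_KINDS = ((".0.cs", "source"), (".dll", "assembly"), (".cmdline", "cmdline"), (".tmp", "csc_tmp"))


def group_add_type_artifacts(paths: List[str]) -> Dict[str, Dict[str, str]]:
    """Map each compile session (the random directory name) to its artifacts by kind."""
    sessions: Dict[str, Dict[str, str]] = defaultdict(dict)
    for p in paths:
        m = _ADD_TYPE_RE.search(p)
        if not m:
            continue
        name = m.group("name").lower()
        kind = next(k for suffix, k in _KINDS if name.endswith(suffix))
        sessions[m.group("session").lower()][kind] = p
    return dict(sessions)


# Dump names carry the region bounds: memory/<pid>-<n>-<start>-<end>-memory.dmp
_DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_regions(dump_names: List[str]) -> Set[Tuple[int, int, int]]:
    """Distinct (pid, start, end) regions; a region dumped repeatedly collapses to one."""
    regions: Set[Tuple[int, int, int]] = set()
    for n in dump_names:
        m = _DUMP_RE.search(n)
        if m:
            regions.add((int(m.group("pid")), int(m.group("start"), 16), int(m.group("end"), 16)))
    return regions


def cross_pid_matches(regions: Set[Tuple[int, int, int]]) -> List[dict]:
    """Regions of identical size seen in two or more processes, largest first.

    Same size at the same base in every process is one image mapping (a DLL they all
    load).  Same size at different bases is a private allocation duplicated across
    processes, the shape an injected payload has, and the pair to diff byte for byte.
    """
    by_size: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for pid, start, end in regions:
        by_size[end - start].append((pid, start))
    out = []
    for size, items in by_size.items():
        pids = {pid for pid, _ in items}
        if len(pids) < 2:
            continue
        kind = "shared_mapping" if len({s for _, s in items}) == 1 else "same_size_private"
        out.append({"size": size, "pids": sorted(pids), "kind": kind})
    return sorted(out, key=lambda m: -m["size"])


# Constructed copies of entries from this report's Files and memory listing.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uw0hthia.pju.ps1",
    r"\??\c:\Users\Admin\AppData\Local\Temp\5ttumtpw\5ttumtpw.cmdline",
    r"\??\c:\Users\Admin\AppData\Local\Temp\5ttumtpw\5ttumtpw.0.cs",
    r"\??\c:\Users\Admin\AppData\Local\Temp\5ttumtpw\CSC42A52E25B82943AAAEC654395C3480B0.TMP",
    r"C:\Users\Admin\AppData\Local\Temp\RESA179.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\5ttumtpw\5ttumtpw.dll",
    r"\??\c:\Users\Admin\AppData\Local\Temp\jbxn3dkn\jbxn3dkn.cmdline",
    r"\??\c:\Users\Admin\AppData\Local\Temp\jbxn3dkn\CSCBF3AF1A2C8A04CE192F5872E87624DE0.TMP",
    r"C:\Users\Admin\AppData\Local\Temp\RESB00F.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\jbxn3dkn\jbxn3dkn.dll",
]
SAMPLE_DUMPS = [
    "memory/2976-80-0x0000022FEA7E0000-0x0000022FEA7E9000-memory.dmp",
    "memory/2976-82-0x0000022FEB0A0000-0x0000022FEB4A0000-memory.dmp",
    "memory/2976-84-0x0000022FEB0A0000-0x0000022FEB4A0000-memory.dmp",
    "memory/2976-85-0x00007FFB76060000-0x00007FFB76269000-memory.dmp",
    "memory/2976-86-0x00007FFB74FE0000-0x00007FFB7509D000-memory.dmp",
    "memory/2976-88-0x00007FFB73A60000-0x00007FFB73DD4000-memory.dmp",
    "memory/4584-89-0x0000028EAAB20000-0x0000028EAAB29000-memory.dmp",
    "memory/4584-91-0x0000028EAC6F0000-0x0000028EACAF0000-memory.dmp",
    "memory/4584-92-0x00007FFB76060000-0x00007FFB76269000-memory.dmp",
    "memory/4584-93-0x00007FFB74FE0000-0x00007FFB7509D000-memory.dmp",
    "memory/4584-96-0x00007FFB73A60000-0x00007FFB73DD4000-memory.dmp",
    "memory/2116-16-0x0000000005070000-0x000000000569A000-memory.dmp",
]

if __name__ == "__main__":
    for session, parts in group_add_type_artifacts(SAMPLE_PATHS).items():
        print(session, {k: v.rsplit("\\", 1)[-1] for k, v in parts.items()})
    for m in cross_pid_matches(parse_regions(SAMPLE_DUMPS)):
        print(f"{m['kind']:18} size=0x{m['size']:x} pids={m['pids']}")
```

On this listing the jbxn3dkn session has no .0.cs entry, so for the x86 side the .dll is the only thing left to decompile; the RES*.tmp files are cvtres output and are tied to a session only through the csc/cvtres command lines, not through their names. The size match is a heuristic: equal size at different bases is a reason to diff two dumps, not proof of injection on its own.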