Analysis Overview
SHA256
7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92
Threat Level: Likely malicious
The file setup.msi was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Enumerates connected drives
Suspicious use of SetThreadContext
Drops file in System32 directory
Executes dropped EXE
Drops file in Windows directory
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-29 07:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-29 07:56
Reported
2024-05-21 13:03
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f760732.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI78F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f760735.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f760735.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f760737.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f760732.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI84B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8E8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI957.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID3E.tmp | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AD15DBC04DDF5263A70E43D327F874F1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss9F3.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi9F0.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr9F1.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr9F2.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Network
Files
C:\Windows\Installer\MSI78F.tmp
| MD5 | b158d8d605571ea47a238df5ab43dfaa |
| SHA1 | bb91ae1f2f7142b9099e3cc285f4f5b84de568e4 |
| SHA256 | ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504 |
| SHA512 | 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591 |
C:\Windows\Installer\MSI957.tmp
| MD5 | fb4665320c9da54598321c59cc5ed623 |
| SHA1 | 89e87b3cc569edd26b5805244cfacb2f9c892bc7 |
| SHA256 | 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59 |
| SHA512 | b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf |
C:\Users\Admin\AppData\Local\Temp\pss9F3.ps1
| MD5 | 30c30ef2cb47e35101d13402b5661179 |
| SHA1 | 25696b2aab86a9233f19017539e2dd83b2f75d4e |
| SHA256 | 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f |
| SHA512 | 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458 |
C:\Users\Admin\AppData\Local\Temp\scr9F1.ps1
| MD5 | 753240f3d0c58563dcba1244db69b0d7 |
| SHA1 | 4a0f248fccc2431ece50f717cbf80f6681504932 |
| SHA256 | e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a |
| SHA512 | 03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9 |
C:\Users\Admin\AppData\Local\Temp\msi9F0.txt
| MD5 | 0fb609a6d2027ec24eb33cf64bd95b20 |
| SHA1 | ec07f4535b17f362ba12924d62fd952a93e61547 |
| SHA256 | b9227e3366d64bcf11da5683b8fc1d5e10afa40b66434ddb7b279f835a9401c9 |
| SHA512 | cc522dfac8b6958b97cc495af936b7c716199d1b257f3aa4f9eaf08a78f003c5a4ea8b90ab506db46ea751988d51b0f99bea9fdbcc46037b4c0997ccb86557b3 |
C:\Config.Msi\f760736.rbs
| MD5 | f0f7ef7aa6e815942a2841caa8173519 |
| SHA1 | e0edd7c333a9577e33e51bc52f07bb6315acf261 |
| SHA256 | ea5cdb578178b4e2e5cf9b3e4cfe72ec126ad3c013e82810d03a9a9c2474a83f |
| SHA512 | 402b47b7cbf4c06dfb3186bc1cc00518fb2bb8205d7cdb397c4685b11923eb1e309f27b1cd85afb7c0e11d991178381d3bf6ac6f22a6dbbf9d7c06046c5c4e28 |
C:\Windows\Installer\f760732.msi
| MD5 | 86a68878633d570e195609fe33640561 |
| SHA1 | 5a5355a80750693493c4ff9d4184d3234ad62b73 |
| SHA256 | 7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92 |
| SHA512 | 502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgcrypt-20.dll
| MD5 | f74e6b15bbb4d3a8decb9fe17175d056 |
| SHA1 | 20a67c7d020bce3adcbd34cb0044771ae0bcb2ba |
| SHA256 | 50235ec9328d759d9adceb1224999bcf5d602594b2c6260c4f793b84c533e6d3 |
| SHA512 | 5c896a916537cbf6e4f6c995a240b3e651356e5a5fc549058cc60892c5905e64a3fd78cf0998149ca88f474f9ce78c94ea398bd245735a1b242f497adb44bbf4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-29 07:56
Reported
2024-05-21 13:01
Platform
win10v2004-20240508-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1656 set thread context of 1080 | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | C:\Windows\SysWOW64\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI4AC4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4BA1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5C01.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e574a6b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{40687992-D47D-43B1-8A2C-57D30E7D9D88} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e574a67.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4C8E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4D1B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e574a67.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4B33.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4C10.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 86D1FCD26481CA5821B57A0FCDD26059
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss4EBF.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi4EAC.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr4EAD.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr4EAE.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
"C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe"
C:\Windows\SysWOW64\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thecurl.monster | udp |
| US | 172.67.176.123:80 | thecurl.monster | tcp |
| US | 172.67.176.123:443 | thecurl.monster | tcp |
| US | 8.8.8.8:53 | 123.176.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | death1488.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSI4AC4.tmp
| MD5 | b158d8d605571ea47a238df5ab43dfaa |
| SHA1 | bb91ae1f2f7142b9099e3cc285f4f5b84de568e4 |
| SHA256 | ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504 |
| SHA512 | 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591 |
C:\Windows\Installer\MSI4D1B.tmp
| MD5 | fb4665320c9da54598321c59cc5ed623 |
| SHA1 | 89e87b3cc569edd26b5805244cfacb2f9c892bc7 |
| SHA256 | 9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59 |
| SHA512 | b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf |
memory/4228-28-0x0000000004B50000-0x0000000004B86000-memory.dmp
memory/4228-29-0x00000000052E0000-0x0000000005908000-memory.dmp
memory/4228-30-0x0000000005140000-0x0000000005162000-memory.dmp
memory/4228-31-0x0000000005A40000-0x0000000005AA6000-memory.dmp
memory/4228-32-0x0000000005AB0000-0x0000000005B16000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zrw5otqp.ypt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4228-42-0x0000000005B20000-0x0000000005E74000-memory.dmp
memory/4228-43-0x00000000060E0000-0x00000000060FE000-memory.dmp
memory/4228-44-0x0000000006130000-0x000000000617C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pss4EBF.ps1
| MD5 | 30c30ef2cb47e35101d13402b5661179 |
| SHA1 | 25696b2aab86a9233f19017539e2dd83b2f75d4e |
| SHA256 | 53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f |
| SHA512 | 882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458 |
memory/4228-46-0x0000000007860000-0x0000000007EDA000-memory.dmp
memory/4228-47-0x0000000006630000-0x000000000664A000-memory.dmp
memory/4228-48-0x00000000073E0000-0x0000000007476000-memory.dmp
memory/4228-49-0x00000000066D0000-0x00000000066F2000-memory.dmp
memory/4228-50-0x0000000008490000-0x0000000008A34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\scr4EAD.ps1
| MD5 | 753240f3d0c58563dcba1244db69b0d7 |
| SHA1 | 4a0f248fccc2431ece50f717cbf80f6681504932 |
| SHA256 | e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a |
| SHA512 | 03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9 |
memory/4228-52-0x00000000080B0000-0x0000000008272000-memory.dmp
memory/4228-53-0x0000000008F70000-0x000000000949C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\msi4EAC.txt
| MD5 | eb0046beb949b23b97dccd59c4b8f131 |
| SHA1 | c084a9c15a323cd51d24122681a494e52577487f |
| SHA256 | b6594a624b47bcac9a314993f15693e5da2a747adeccff4a996f4ab4491d5467 |
| SHA512 | 8dfdbf11e27242ab14b0997637a9c3deb47d345183c306e0a9b6d62099f4b341dec49f8369bec7ef839e4003d8c7a86267646c9f7c28b8fe9456c3c69b2aeab0 |
C:\Config.Msi\e574a6a.rbs
| MD5 | 56ba654a24a4e3993067ebc33c64076e |
| SHA1 | 1385b360a999ba9ed9d0ea4ca49f3c57f483205a |
| SHA256 | 7b640836eccfe29bb9abf5708cbcfff212fb14b4e615cd2d0f7d3e43ec2a1f70 |
| SHA512 | fe6f8e650c9abcbaf0b86c15d9a1eeab65cdd0d8607e0aa3ae829f6ae3b26da7e36c88b283a4c45760fe45e02ab73c817726cc12b1023468cbb96bcdeaa49650 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
| MD5 | 35365d3713500bde4e2e1422c54f04fa |
| SHA1 | 0b24b1de060caa7be51404d82da5fef05958a1da |
| SHA256 | 5f7e7bb9b2e73abda7e46bfb8b266dbbb7fd3b87ebb253d842ffcfb56f1efe19 |
| SHA512 | 3e276b947220e56da8798245e9e7a16c9899a3842658ef409518968b137474cba7f13955287d1ff2fa7f929dc3ce75a8fd4c1f5fe58e6edb9e89986080aad375 |
C:\Windows\Installer\e574a67.msi
| MD5 | 86a68878633d570e195609fe33640561 |
| SHA1 | 5a5355a80750693493c4ff9d4184d3234ad62b73 |
| SHA256 | 7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92 |
| SHA512 | 502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\zlib1.dll
| MD5 | 8f4cdaed2399204619310cd76fd11056 |
| SHA1 | 0f06ef5acde4f1e99a12cfc8489c1163dba910d1 |
| SHA256 | df14c4dcb9793a1298c3ef531299479c8bea32a9e8124355e6d3ba6b15416213 |
| SHA512 | 3d1e0453f10bece7b65fee3806bce9e36e2c526daa72d66774ed47684a591a978a80894b1643709e76db0adcf6f2dca189aa6413786a9b70c742ceaeec5b80dc |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libsqlite3-0.dll
| MD5 | 0381964390751461a5d79d26ca7cedaa |
| SHA1 | 3b17b9dca5060f9b22920737165a6bd1de5e8941 |
| SHA256 | 7b307806698bfe2b8a81cf0d04cfd0df4a9916cba30707ce3934b9ee06bd75da |
| SHA512 | 381e6c2d49016ca2c4435526eb2ac4997f0c43c9bbe3ce56bc0ade3b5cc14677101c1297bbf2a10cec16242124a9246ca5e46003512719dc8360af007fb79b05 |
memory/1656-151-0x0000000000800000-0x0000000000801000-memory.dmp
memory/1656-152-0x0000000000830000-0x0000000000855000-memory.dmp
memory/1080-155-0x0000000000D00000-0x0000000000D28000-memory.dmp
memory/1656-161-0x0000000063080000-0x00000000630A9000-memory.dmp
memory/1656-160-0x0000000066580000-0x00000000666AA000-memory.dmp
memory/1656-159-0x000000006A800000-0x000000006A80F000-memory.dmp
memory/1656-158-0x000000006B480000-0x000000006B4C1000-memory.dmp
memory/1656-157-0x0000000065A80000-0x0000000065AAA000-memory.dmp
memory/1656-156-0x0000000000400000-0x000000000054C000-memory.dmp
memory/1080-154-0x0000000000D00000-0x0000000000D28000-memory.dmp
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libnpth-0.dll
| MD5 | b7b148054a2818699d93f96139b4d0d0 |
| SHA1 | 0a5187b37bd84c19a7d2d84f328fa0adbc75123c |
| SHA256 | 25fb8e6bb4ebd62bfa478691261ea2e9486020ef52084dad0fc5ea417338d915 |
| SHA512 | 4f9938a2fb9f6c81cf0dc5d98ecda955e101b5fd52cc43fd58f0072f5ed914c0ef966cd0666c3bcc32f70d52847a5caedea40de86db28c94c8ebd35b366552c1 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgcrypt-20.dll
| MD5 | f74e6b15bbb4d3a8decb9fe17175d056 |
| SHA1 | 20a67c7d020bce3adcbd34cb0044771ae0bcb2ba |
| SHA256 | 50235ec9328d759d9adceb1224999bcf5d602594b2c6260c4f793b84c533e6d3 |
| SHA512 | 5c896a916537cbf6e4f6c995a240b3e651356e5a5fc549058cc60892c5905e64a3fd78cf0998149ca88f474f9ce78c94ea398bd245735a1b242f497adb44bbf4 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgpg-error-0.dll
| MD5 | 72498f59c8c580707a0a3839c332f51b |
| SHA1 | fb09b912912610d243066cc8b71435f689e6a449 |
| SHA256 | 51b69b17a15a4c8df35e81b9eef8b3c8eb914e8208f0ebbe9713661583cddf4d |
| SHA512 | 116956f25484e01236e5aaac2693e78dbc98e47580ac535a49582e21d69602be23f53f45945b0e94b2b0cf2825832a3e1c1f647302bd7b8398794f5579a0e022 |
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libassuan-0.dll
| MD5 | a2dd12a8ecef27ca0e524e9bb4bdb8f5 |
| SHA1 | a4f5718c8bc1cc1fba49332d767ad296f7156dbc |
| SHA256 | e54d43ae67352ceb170ece1fc1a219de9baf70cb71c1bf85a6c52858e2ca0ada |
| SHA512 | b35101d5454db885e4f47333365f3d3ce6ed20b94fb75f6965c6e04116967fb5179abaff92a2c20d47b634e81f5ac53e5e1f3def570dd95ae66a3663c0b1ea2c |
memory/1080-163-0x0000000000D00000-0x0000000000D28000-memory.dmp