Analysis Overview
SHA256
0400cef226621ad00d51b8880025664e3a916c0c3c3207f3525b8423af52a5f6
Threat Level: Known bad
The file d02593c2d119e8b68052587cb446943a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Netwire
NetWire RAT payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Deletes itself
Command and Scripting Interpreter: PowerShell
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-06 18:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-06 18:04
Reported
2024-09-06 18:07
Platform
win7-20240708-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\firefox.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\firefox.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Videolan\\vlc.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2280 set thread context of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2664 set thread context of 600 | N/A | C:\Users\Admin\AppData\Local\Temp\firefox.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\firefox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\firefox.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'vlc.exe' -Value '"C:\Users\Admin\AppData\Roaming\Videolan\vlc.exe"' -PropertyType 'String' -Force
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp22DC.tmp.bat" "
C:\Users\Admin\AppData\Local\Temp\firefox.exe
"C:\Users\Admin\AppData\Local\Temp\firefox.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'firefox.exe' -Value '"C:\Users\Admin\AppData\Roaming\Mozilla\firefox.exe"' -PropertyType 'String' -Force
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC19A.tmp.bat" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 5
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tracyll.ddns.net | udp |
| US | 8.8.8.8:53 | nybenlord.duckdns.org | udp |
| NG | 105.112.39.114:1972 | nybenlord.duckdns.org | tcp |
Files
memory/2280-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp
memory/2280-1-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/2280-2-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/2280-3-0x0000000073F9E000-0x0000000073F9F000-memory.dmp
memory/2280-4-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/2280-5-0x0000000005040000-0x00000000050EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp22DC.tmp.bat
| MD5 | 491596e35202b4e2298ab341fc17a92d |
| SHA1 | f817832093e6527c36686e1687ba0e5e8537cd49 |
| SHA256 | ceda2545743c03b1faa3775719e2f549428d9def4ccb3845d6179046d3312bfd |
| SHA512 | 2be5da8c2570eb472461ae4a2c3db363610736e8f23cbdeb0600908784aa4063b2f49bd151259af3ac440ac0a6e417dd8beb195418dd14a1c294776d16559ad5 |
\Users\Admin\AppData\Local\Temp\firefox.exe
| MD5 | 4a9ca14c5b711f3b09d52d6ddaf54b4c |
| SHA1 | 92b3955e6b96418f0c404c23f87192ac01990e3d |
| SHA256 | 0ca7a365b20014122144d6c389855a0393b9295c94d751866381f29160b9deb4 |
| SHA512 | 8827ef565ca8f1cb638d0c5acb7195ad4c9ba72c05b827570278eac42f0a3a6122d35f70847feaf7dce474c4d1bf54e8f8ea08ea0f490ad05b592ee34e7dbace |
memory/2664-24-0x0000000000400000-0x000000000047C000-memory.dmp
memory/1620-31-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1620-26-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1620-28-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1620-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1620-39-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1620-40-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1620-36-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1620-34-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1620-32-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2280-41-0x0000000073F90000-0x000000007467E000-memory.dmp
memory/1620-43-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2664-44-0x00000000048B0000-0x00000000048E8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\firefox.exe
| MD5 | 215ed4463d4c5c5fa19446295d3be4d6 |
| SHA1 | b3b06fb42b144a543c2fddbf5af8f03f5e84dbb6 |
| SHA256 | 6ce9ddd7e33651d629918d9a28d04e7178e1d9121287901389b59e90ee2f8edb |
| SHA512 | ad96c451a1e4cf700efafba4efd61657d31622f2d87a477e84062aa623c0846ded390c77f9f24b321b467ff6737c351219b05f11b74f33d45774e037a47d3002 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 429e8c295876d5b45af0bbc03506c5ad |
| SHA1 | c4517fbc3181d63517fb57cc58f66190d1e62aae |
| SHA256 | 9cfecc10e733c129c4d0767b125fcba2fa2b8336bca36b82df215e65544480ad |
| SHA512 | e9d140a32424aa5412878a4e32eec930c8e3e4905d2260ba18c951dac652333922bae16b564878de0d49bc87682d2bdbdbb7bb17700b2a7b18f7f9f8a2cba173 |
C:\Users\Admin\AppData\Local\Temp\tmpC19A.tmp.bat
| MD5 | 2d6a231a9316cfafd9897de656c8e831 |
| SHA1 | 6dd196336ef9f174423af2e04c23526865c1f205 |
| SHA256 | 23b8ace90097b121a5ca79557b9880d4cbb8ce14277a4fdc27ae7330afb41a01 |
| SHA512 | 21ad94af27884ff361ca544c08aed6f92c3c0da0154179f4c890700ac14d2348fd9a829d06a87052df9e31c5342e2439f4352dedb085676eb580c53bdafc1996 |
memory/600-67-0x0000000000400000-0x000000000042B000-memory.dmp
memory/600-69-0x0000000000400000-0x000000000042B000-memory.dmp
memory/600-75-0x0000000000400000-0x000000000042B000-memory.dmp
memory/600-73-0x0000000000400000-0x000000000042B000-memory.dmp
memory/600-72-0x0000000000400000-0x000000000042B000-memory.dmp
memory/600-65-0x0000000000400000-0x000000000042B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-06 18:04
Reported
2024-09-06 18:07
Platform
win10v2004-20240802-en
Max time kernel
114s
Max time network
140s
Command Line
Signatures
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Netwire
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\firefox.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\firefox.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Videolan\\vlc.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\firefox.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3252 set thread context of 3872 | N/A | C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 316 set thread context of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\firefox.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d02593c2d119e8b68052587cb446943a_JaffaCakes118.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'vlc.exe' -Value '"C:\Users\Admin\AppData\Roaming\Videolan\vlc.exe"' -PropertyType 'String' -Force
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp466A.tmp.bat" "
C:\Users\Admin\AppData\Local\Temp\firefox.exe
"C:\Users\Admin\AppData\Local\Temp\firefox.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'firefox.exe' -Value '"C:\Users\Admin\AppData\Roaming\Mozilla\firefox.exe"' -PropertyType 'String' -Force
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE819.tmp.bat" "
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 5
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tracyll.ddns.net | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nybenlord.duckdns.org | udp |
| NG | 105.112.39.114:1972 | nybenlord.duckdns.org | tcp |
Files
memory/3252-0-0x00000000749DE000-0x00000000749DF000-memory.dmp
memory/3252-1-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/3252-2-0x0000000004A70000-0x0000000005014000-memory.dmp
memory/3252-3-0x0000000005020000-0x00000000050B2000-memory.dmp
memory/3252-4-0x00000000050F0000-0x00000000050FA000-memory.dmp
memory/3252-5-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/3252-6-0x0000000005350000-0x00000000053EC000-memory.dmp
memory/3252-7-0x00000000749DE000-0x00000000749DF000-memory.dmp
memory/3252-8-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/3252-9-0x00000000058D0000-0x000000000597A000-memory.dmp
memory/116-12-0x0000000002720000-0x0000000002756000-memory.dmp
memory/116-13-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/116-14-0x0000000005160000-0x0000000005788000-memory.dmp
memory/116-15-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/116-16-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/116-18-0x0000000004F50000-0x0000000004F72000-memory.dmp
memory/116-19-0x00000000050F0000-0x0000000005156000-memory.dmp
memory/116-20-0x00000000059C0000-0x0000000005A26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2sepxi4t.xxn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/116-30-0x0000000005A30000-0x0000000005D84000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\firefox.exe
| MD5 | 4a9ca14c5b711f3b09d52d6ddaf54b4c |
| SHA1 | 92b3955e6b96418f0c404c23f87192ac01990e3d |
| SHA256 | 0ca7a365b20014122144d6c389855a0393b9295c94d751866381f29160b9deb4 |
| SHA512 | 8827ef565ca8f1cb638d0c5acb7195ad4c9ba72c05b827570278eac42f0a3a6122d35f70847feaf7dce474c4d1bf54e8f8ea08ea0f490ad05b592ee34e7dbace |
memory/3872-44-0x0000000000400000-0x000000000042B000-memory.dmp
memory/316-45-0x0000000000400000-0x000000000047C000-memory.dmp
memory/3872-48-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3872-51-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3252-50-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/316-43-0x00000000749D0000-0x0000000075180000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp466A.tmp.bat
| MD5 | b4953e0832254e4988446a65b5a95302 |
| SHA1 | c8722bcf1d8c29cc05662421f3f3114784b277d4 |
| SHA256 | 4a8b3a14d5cdb04f43ee15d9ed12d0905c654614279de6b8375bb2f11cbbe4cc |
| SHA512 | 40f9b12e455e3b2ca0f2a7de985c9299f6312eaa625d5a26921c97b34693c480deda1de9f81be9e2c2e0cb1147b6ac627fa140bf884fba5c7ce0c068e208cfa2 |
memory/116-53-0x0000000006030000-0x000000000604E000-memory.dmp
memory/116-54-0x00000000065B0000-0x00000000065FC000-memory.dmp
memory/116-55-0x0000000007090000-0x0000000007126000-memory.dmp
memory/116-56-0x00000000064A0000-0x00000000064BA000-memory.dmp
memory/116-57-0x0000000006520000-0x0000000006542000-memory.dmp
memory/116-60-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/316-61-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/3872-62-0x0000000000400000-0x000000000042B000-memory.dmp
memory/316-63-0x00000000056C0000-0x00000000056F8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |
memory/4144-69-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4144-72-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4144-70-0x0000000000400000-0x000000000042B000-memory.dmp
memory/316-74-0x00000000749D0000-0x0000000075180000-memory.dmp
memory/1472-84-0x0000000005BB0000-0x0000000005F04000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 933a85a7589f71afae46856f1879e75d |
| SHA1 | 2323644b499c5c3615c4d950052148cef9921cf8 |
| SHA256 | e1a54727fbe3c3ed91bbfde566f5285fa685907e49c9690a7686842e9f849f2e |
| SHA512 | f1242d386b39d1d3bc77ba10cfe7889161987770dd2d5dcfc6f618bb8117c2dbeaea3b0d29d8dfd0e6f36084f6d7c9180d7d74bc8e04a5d28aa5185626d1ab93 |
C:\Users\Admin\AppData\Local\Temp\tmpE819.tmp.bat
| MD5 | 64b434cc25c6dacb58c1f0891110130c |
| SHA1 | 2d647639c96aa1b3ecedf3d9f22a866ed883854e |
| SHA256 | 12c902b58face996b74c9688a253b916c2c9ddce9b13ad4dbf81fa2951400f85 |
| SHA512 | 1656d1d998dc5c0bd8b43ce671c78d1c4283926b5580de31fa772a68c92639ad7e736e48a566a971e2b0cb7aedf5d3b46fe3d5e0b30d712dead2f03a15ab56a2 |
memory/1472-87-0x0000000006540000-0x000000000658C000-memory.dmp