Analysis Overview
SHA256
3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9
Threat Level: Shows suspicious behavior
The file 3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 22:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 22:11
Reported
2024-11-07 22:13
Platform
win7-20240903-en
Max time kernel
144s
Max time network
117s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2844 wrote to memory of 2696 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2844 wrote to memory of 2696 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2844 wrote to memory of 2696 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2844 wrote to memory of 2696 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2844 wrote to memory of 2696 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2844 wrote to memory of 2696 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2844 wrote to memory of 2696 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
"C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2EFC99C9C4A4812446F4C7F8DCDFFD6E C
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | download.visualstudio.microsoft.com | udp |
| US | 199.232.210.172:443 | download.visualstudio.microsoft.com | tcp |
Files
memory/2204-0-0x0000000000310000-0x0000000000311000-memory.dmp
C:\Users\Admin\AppData\Roaming\Tech Rider\BotMaster 9.6.0.2\install\BotMaster.msi
| MD5 | e91c8022c878fa58ae6eca30e6f49eda |
| SHA1 | f2daa2901f12893ef1d2623c1f066ad9252edc48 |
| SHA256 | 243236bb49beaa70cd4a8fba55941597213fc18ab444b8aa992c80f2d5ec05e6 |
| SHA512 | abe25ba5c90a14c622773e257b0b330696985d0182090716ac1e2843dda20e9b19229fc45612e1eead708d17bd9b79615139a31cca072769d3dbd50f7389d55a |
C:\Users\Admin\AppData\Local\Temp\MSICEE3.tmp
| MD5 | 5788efa607d26332d6d7f5e6a1f6bd6f |
| SHA1 | e7749843cc3e89bc81649087de4ad44c93d48bc6 |
| SHA256 | 9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d |
| SHA512 | ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104 |
C:\Users\Admin\AppData\Local\Temp\MSICF42.tmp
| MD5 | 01ab8034f722cbac50b8bcfc36e5b2e8 |
| SHA1 | b25868af5713e37c398b712f19692edd7db2d858 |
| SHA256 | e5c41b1af4d865b1b4b09a9fcb99a1f6eb2b2a75b148f4390298aff1ea348689 |
| SHA512 | 25e24e4d691b1fecc6991997ace400682bb812d48374f95a14e21a9045d7905f4630f4672e88b41afd7933b11fb81c10935e49aba337b15924cfc7e814ca2558 |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2204\dialog.jpg
| MD5 | 5f6253cff5a8b031bfb3b161079d0d86 |
| SHA1 | 7645b13610583fb67247c74cf5af08ff848079e7 |
| SHA256 | 36d9bab35d1e4b50045bf902f5d42b6f865488c75f6e60fc00a6cd6f69034ab0 |
| SHA512 | d1fdc364bedf931512000fbf05e854d5aceccb48abb9ec49e68476a5dc2907267490290d92acbb267ffb7bdba9b7a1c88f1eb77830cf953443f4624995dabdc3 |
C:\Users\Admin\AppData\Local\Temp\MSICFDF.tmp
| MD5 | 8c1a778e0754301c97a660dbf3e8303b |
| SHA1 | f489c45cde796de0d23ee862948f5e50379dee60 |
| SHA256 | 000b773a448b107cbf3268fea3a0eec388daa71c5f911979c5d21f0cd8d6da54 |
| SHA512 | 010e76ed659f73cc263ce9b2d2635d775b296c10e53ba133fba6aacde02ed409b19f4c4e2ba6df7730ddc8669c818e99773f25854a1916ccf8acf9e459482fea |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2204\banner.jpg
| MD5 | d5a55a78cd38f45256807c7851619b7d |
| SHA1 | 9d8269120d1d096e9ab0192348f3b8f81f5f73d9 |
| SHA256 | be83c8592906fd9651634b0823a2f45abe96aae082674568944c639b5b4a95dc |
| SHA512 | 959e7410e3006cfef9d14315e8741e34b6e81c4f9160c5d66f3abd77ce72f55f907ab3a0e500780b5c0e0e017e8639f135cc258976b4ab4b9d1aaed6242ce9f1 |
memory/2204-56-0x0000000000310000-0x0000000000311000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabE29.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarE4B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 22:11
Reported
2024-11-07 22:14
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
143s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e583350.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI341C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI342C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI36CE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3A1B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e583350.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI33CD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3537.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{601C1884-2829-48C4-970E-C3FD2A252226} | C:\Windows\system32\msiexec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000041ba55ff39bb976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000041ba55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090041ba55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d41ba55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
"C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 02681DBC0707EC86E0D141F3CE8218E6 C
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Tech Rider\BotMaster 9.6.0.2\install\BotMaster.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1730776862 "
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D0D56101BF89E87F15F8356480548481 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A7D6F75C074FD859B9452EE3BF633888
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3A67.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi3A26.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr3A27.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr3A28.txt" -propSep " :<->: " -testPrefix "_testValue."
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.197.219.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Tech Rider\BotMaster 9.6.0.2\install\BotMaster.msi
| MD5 | e91c8022c878fa58ae6eca30e6f49eda |
| SHA1 | f2daa2901f12893ef1d2623c1f066ad9252edc48 |
| SHA256 | 243236bb49beaa70cd4a8fba55941597213fc18ab444b8aa992c80f2d5ec05e6 |
| SHA512 | abe25ba5c90a14c622773e257b0b330696985d0182090716ac1e2843dda20e9b19229fc45612e1eead708d17bd9b79615139a31cca072769d3dbd50f7389d55a |
C:\Users\Admin\AppData\Local\Temp\MSIB0D2.tmp
| MD5 | 5788efa607d26332d6d7f5e6a1f6bd6f |
| SHA1 | e7749843cc3e89bc81649087de4ad44c93d48bc6 |
| SHA256 | 9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d |
| SHA512 | ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104 |
C:\Users\Admin\AppData\Local\Temp\MSIB26A.tmp
| MD5 | 01ab8034f722cbac50b8bcfc36e5b2e8 |
| SHA1 | b25868af5713e37c398b712f19692edd7db2d858 |
| SHA256 | e5c41b1af4d865b1b4b09a9fcb99a1f6eb2b2a75b148f4390298aff1ea348689 |
| SHA512 | 25e24e4d691b1fecc6991997ace400682bb812d48374f95a14e21a9045d7905f4630f4672e88b41afd7933b11fb81c10935e49aba337b15924cfc7e814ca2558 |
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1080\dialog.jpg
| MD5 | 5f6253cff5a8b031bfb3b161079d0d86 |
| SHA1 | 7645b13610583fb67247c74cf5af08ff848079e7 |
| SHA256 | 36d9bab35d1e4b50045bf902f5d42b6f865488c75f6e60fc00a6cd6f69034ab0 |
| SHA512 | d1fdc364bedf931512000fbf05e854d5aceccb48abb9ec49e68476a5dc2907267490290d92acbb267ffb7bdba9b7a1c88f1eb77830cf953443f4624995dabdc3 |
C:\Users\Admin\AppData\Local\Temp\MSIB394.tmp
| MD5 | 8c1a778e0754301c97a660dbf3e8303b |
| SHA1 | f489c45cde796de0d23ee862948f5e50379dee60 |
| SHA256 | 000b773a448b107cbf3268fea3a0eec388daa71c5f911979c5d21f0cd8d6da54 |
| SHA512 | 010e76ed659f73cc263ce9b2d2635d775b296c10e53ba133fba6aacde02ed409b19f4c4e2ba6df7730ddc8669c818e99773f25854a1916ccf8acf9e459482fea |
C:\Users\Admin\AppData\Roaming\Tech Rider\BotMaster 9.6.0.2\install\BotMaster1.cab
| MD5 | 2354875ac8ab4d961a17a6405252e046 |
| SHA1 | 9dedcd3f475b19b12c5db109665aaa03c47816bf |
| SHA256 | b005f78df28e2acd32bdafce18631ca050384c0469b6621f5f9d16d21d4180da |
| SHA512 | 574c0d02986e99401f4871b327309a0f31140b1f885f8a5278e5990ea1a2909ecb68060e7049856817e2d48b22c373973494d973af28dd06de0066db36b7efd4 |
C:\Windows\Installer\MSI3A1B.tmp
| MD5 | 637c0f8f44f26ef0c736b8bbd0222334 |
| SHA1 | 81aea6f99d67ca19ae1e2a61e9e967ada53cd4c0 |
| SHA256 | 57dea716197079fad873b65ac02a6e002a43fe01202987541ab5295c0f69d28a |
| SHA512 | 24a2a827221b920e7133da56a79a8576e8205c884fda87b67f2821c00ccc99d194f90905dab49bb55b5595ff44d39f7cd38ef975de140bfc6299bad61da6c4d7 |
memory/5020-117-0x000001AFED680000-0x000001AFED6A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f2mn2kly.t0x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\pss3A67.ps1
| MD5 | fc1bb6c87fd1f08b534e52546561c53c |
| SHA1 | db402c5c1025cf8d3e79df7b868fd186243aa9d1 |
| SHA256 | a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b |
| SHA512 | 5495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86 |
C:\Users\Admin\AppData\Local\Temp\scr3A27.ps1
| MD5 | be3fd03e7358ce9870a780f4cbda6706 |
| SHA1 | 04d928b64dd995eda2b4dfafabe5066fac218cef |
| SHA256 | 5494436492efa6408565f0602abc17e496e35c80f133036dcc699580cf109914 |
| SHA512 | b1d9fa9f6f1af0cc0cf0a837cec3c2b1b553f9d02c45dfd86f34ab92b53e21100753edc96267cbeb1b69b4cc83094ffe66cc48587ec6ff56eadaf534c12669a9 |
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0be09f63-2769-4844-8542-0c3df0c7ca41}_OnDiskSnapshotProp
| MD5 | fbfb989d2d227c14eb23174a825ca4e7 |
| SHA1 | 248dd5f1c13f0263f1a62549605c2429b590ff49 |
| SHA256 | cb35d2d7e59a3fb5369712d4e0b693e3b2bd51f5ce8ba52bf71b6b3ce252eb2d |
| SHA512 | 8abdb05e2d84e2d5ebd3c52036346cf63e1caeef4ccaa8c096767dcb8cd93d49ad8b611109ae4ef8db882b5edf5f3173bcfc49f269de0e857eed0fc930d5c75b |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 114ba1374dad68eda69f64a2f23a4753 |
| SHA1 | 74ce9f781aaa3b4c6569454648be012edd055020 |
| SHA256 | 52be254101020eadd1d68cf3a27f61744cace3885dabae60732f01be5d244b25 |
| SHA512 | 7133f57091ea0e35fdbc57cd4e364b311c5767df7640d226f4b5894140abcfee4336dd8a51bbb987ec9ee6031669bccfef97dcb4d4ee36d2f1f4c8439e5f7d51 |