Malware Analysis Report

2024-10-19 04:37

Sample ID 210924-w6rp4ahfc7
Target e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143
SHA256 e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143
Tags
raccoon redline servhelper smokeloader xmrig 2k superstar 700$ f6d7183c9e82d2a9b81e6c0608450aa66cefb51f backdoor discovery infostealer miner persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143

Threat Level: Known bad

The file e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143 was found to be: Known bad.

Malicious Activity Summary

ServHelper

Raccoon

RedLine Payload

SmokeLoader

xmrig

RedLine

Grants admin privileges

Modifies RDP port number used by Windows

Downloads MZ/PE file

Sets DLL path for service in the registry

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Reads user/profile data of local email clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry key

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Runs net.exe

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-24 18:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-24 18:32

Reported

2021-09-24 18:34

Platform

win10v20210408

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe"

Signatures

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine Payload

ServHelper

trojan backdoor servhelper

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

Grants admin privileges

Downloads MZ/PE file

Modifies RDP port number used by Windows

Sets DLL path for service in the registry

persistence

Deletes itself

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rdpclip.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance N/A N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E29F.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E00E.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 912 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe
PID 912 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe
PID 912 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe
PID 912 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe
PID 912 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe
PID 912 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe
PID 2740 wrote to memory of 1368 N/A N/A C:\Users\Admin\AppData\Local\Temp\BDCD.exe
PID 2740 wrote to memory of 1368 N/A N/A C:\Users\Admin\AppData\Local\Temp\BDCD.exe
PID 2740 wrote to memory of 1368 N/A N/A C:\Users\Admin\AppData\Local\Temp\BDCD.exe
PID 2740 wrote to memory of 2172 N/A N/A C:\Users\Admin\AppData\Local\Temp\CB3B.exe
PID 2740 wrote to memory of 2172 N/A N/A C:\Users\Admin\AppData\Local\Temp\CB3B.exe
PID 2740 wrote to memory of 2172 N/A N/A C:\Users\Admin\AppData\Local\Temp\CB3B.exe
PID 1368 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\BDCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\BDCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\BDCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\BDCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1368 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\BDCD.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2740 wrote to memory of 2196 N/A N/A C:\Users\Admin\AppData\Local\Temp\D09B.exe
PID 2740 wrote to memory of 2196 N/A N/A C:\Users\Admin\AppData\Local\Temp\D09B.exe
PID 2740 wrote to memory of 2196 N/A N/A C:\Users\Admin\AppData\Local\Temp\D09B.exe
PID 2740 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\D9B4.exe
PID 2740 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\D9B4.exe
PID 2740 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\D9B4.exe
PID 2740 wrote to memory of 3116 N/A N/A C:\Users\Admin\AppData\Local\Temp\E00E.exe
PID 2740 wrote to memory of 3116 N/A N/A C:\Users\Admin\AppData\Local\Temp\E00E.exe
PID 2740 wrote to memory of 3116 N/A N/A C:\Users\Admin\AppData\Local\Temp\E00E.exe
PID 2740 wrote to memory of 3844 N/A N/A C:\Users\Admin\AppData\Local\Temp\E29F.exe
PID 2740 wrote to memory of 3844 N/A N/A C:\Users\Admin\AppData\Local\Temp\E29F.exe
PID 3844 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\E29F.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3844 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\E29F.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\CB3B.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\CB3B.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2172 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\CB3B.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 4408 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4116 wrote to memory of 4408 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4116 wrote to memory of 4408 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4408 wrote to memory of 4576 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4408 wrote to memory of 4576 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4408 wrote to memory of 4576 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2196 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\D09B.exe C:\Users\Admin\AppData\Local\Temp\92ciiS6sSA.exe
PID 2196 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\D09B.exe C:\Users\Admin\AppData\Local\Temp\92ciiS6sSA.exe
PID 2196 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\D09B.exe C:\Users\Admin\AppData\Local\Temp\92ciiS6sSA.exe
PID 2196 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\D09B.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\D09B.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\D09B.exe C:\Windows\SysWOW64\cmd.exe
PID 4696 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4696 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4696 wrote to memory of 4748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4672 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\92ciiS6sSA.exe C:\Windows\SysWOW64\schtasks.exe
PID 4672 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\92ciiS6sSA.exe C:\Windows\SysWOW64\schtasks.exe
PID 4672 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\92ciiS6sSA.exe C:\Windows\SysWOW64\schtasks.exe
PID 4116 wrote to memory of 4960 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 4960 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 4960 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 4464 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 4464 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 4464 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3844 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\E29F.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3844 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\E29F.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 2332 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 2332 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4116 wrote to memory of 2332 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3712 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\D9B4.exe C:\Users\Admin\AppData\Local\Temp\D9B4.exe
PID 3712 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\D9B4.exe C:\Users\Admin\AppData\Local\Temp\D9B4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe

"C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe"

C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe

"C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143.exe"

C:\Users\Admin\AppData\Local\Temp\BDCD.exe

C:\Users\Admin\AppData\Local\Temp\BDCD.exe

C:\Users\Admin\AppData\Local\Temp\CB3B.exe

C:\Users\Admin\AppData\Local\Temp\CB3B.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\D09B.exe

C:\Users\Admin\AppData\Local\Temp\D09B.exe

C:\Users\Admin\AppData\Local\Temp\D9B4.exe

C:\Users\Admin\AppData\Local\Temp\D9B4.exe

C:\Users\Admin\AppData\Local\Temp\E00E.exe

C:\Users\Admin\AppData\Local\Temp\E00E.exe

C:\Users\Admin\AppData\Local\Temp\E29F.exe

C:\Users\Admin\AppData\Local\Temp\E29F.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aqm1hxf2\aqm1hxf2.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1DCF.tmp" "c:\Users\Admin\AppData\Local\Temp\aqm1hxf2\CSCCC51D4BECFA84DC79486D9ACD8F7FBA.TMP"

C:\Users\Admin\AppData\Local\Temp\92ciiS6sSA.exe

"C:\Users\Admin\AppData\Local\Temp\92ciiS6sSA.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\D09B.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /T 10 /NOBREAK

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Users\Admin\AppData\Local\Temp\D9B4.exe

"C:\Users\Admin\AppData\Local\Temp\D9B4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\SysWOW64\cmd.exe

cmd /c net start rdpdr

C:\Windows\SysWOW64\net.exe

net start rdpdr

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\SysWOW64\cmd.exe

cmd /c net start TermService

C:\Windows\SysWOW64\net.exe

net start TermService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

Network

Country Destination Domain Proto
US 8.8.8.8:53 naghenrietti1.top udp
RU 176.119.147.245:80 naghenrietti1.top tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
US 8.8.8.8:53 jqueri-web.at udp
BG 194.61.25.77:443 jqueri-web.at tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
US 8.8.8.8:53 t.me udp
RU 176.119.147.245:80 naghenrietti1.top tcp
NL 149.154.167.99:443 t.me tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
HU 185.163.204.37:80 185.163.204.37 tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
RU 176.119.147.245:80 naghenrietti1.top tcp
FI 65.21.231.57:60751 N/A tcp
RU 185.244.180.224:39957 N/A tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 internetbeacon.msedge.net udp
BG 194.61.25.77:443 jqueri-web.at tcp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 google.com udp
NL 109.234.38.212:6677 109.234.38.212 tcp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp

Files

memory/1148-114-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1148-115-0x0000000000402FA5-mapping.dmp

memory/912-116-0x0000000000030000-0x0000000000039000-memory.dmp

memory/2740-117-0x0000000001070000-0x0000000001086000-memory.dmp

memory/1368-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BDCD.exe

MD5 66418c1bbdff03a57d27110d51372efc
SHA1 a60da2e4052136b89a2d1f8c8a80f5694700f9da
SHA256 f5b28d8533842deac03a82b2f72bcf1d4b72a4aad1445b53558a3b01f7ef4c90
SHA512 dcf1e46c62e4db49b069866fd0ce50cd612e13a979f4bfe5ac78ccf6ac6b91850f3fa79c644409248d08d98ff4536422d2842ce04f3061edd0c2effde8e61875

memory/1368-121-0x00000000009F0000-0x0000000000A64000-memory.dmp

memory/1368-122-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1368-123-0x0000000074B40000-0x0000000074D02000-memory.dmp

memory/1368-124-0x0000000000B70000-0x0000000000BB3000-memory.dmp

memory/1368-125-0x0000000000820000-0x000000000096A000-memory.dmp

memory/2172-126-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\CB3B.exe

MD5 90016ecad97ba699b5c10829b6f5e192
SHA1 2850da5bc078de19f2bbb074bacb831a79dcbd8a
SHA256 bf75c5d542560ffdc9ba7014234b2eca31e0430fab759c105df26cd12633c2cb
SHA512 cc8ee80b561661b33300450ad30e4c6d7d796ee139c949dcd44af6d58f7d584de2679585580ea6a366176c02ac1ada3d138423cf8fa44c7f067e0ac356ba360e

memory/1812-129-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1812-134-0x000000000041C5CA-mapping.dmp

memory/2196-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D09B.exe

MD5 1e2495491c1503e9f2a1bd5cd73b7951
SHA1 1c0b44ce0a229d68b612389bd96a3c809b005828
SHA256 ab52a71b3ffb4a0af77fb8d4bc687f9c296e20f78bac27e05e69ddd0e54446c7
SHA512 1665003b7e1336c3ad554fb26b7d46b51b2a1f8c8ebef33d80d88e51e28719f9a36d972e37c8f3332b49867bf5bb839db044a1617215acfa90b3ac77cfb3f5d9

memory/1812-138-0x0000000000400000-0x0000000000401000-memory.dmp

memory/1812-140-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

memory/1812-141-0x0000000005700000-0x0000000005701000-memory.dmp

memory/1812-142-0x0000000005830000-0x0000000005831000-memory.dmp

memory/2172-143-0x0000000003740000-0x0000000003B42000-memory.dmp

memory/2196-144-0x0000000002D00000-0x0000000002E4A000-memory.dmp

memory/3712-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D9B4.exe

MD5 6ee2375aace01c21a41dc6fd0977eba3
SHA1 50b633f7c67e77df751d5653de9f457a8212dc5c
SHA256 c706df1a29b23ffe6175eaab8b6634121bf65935fe4ae5705156f946ff00ea06
SHA512 7b7e2d0db25d167f6da119241253dc6a66fc113fdeda120e554f19b871826554b64255f6f7e8a0fb21bbd5a49e6919a884c693b372c9e59f3310c188e83eeabc

memory/1812-148-0x0000000005760000-0x0000000005761000-memory.dmp

memory/3712-149-0x0000000000830000-0x0000000000831000-memory.dmp

memory/3712-151-0x00000000056F0000-0x00000000056F1000-memory.dmp

memory/2172-152-0x00000000081A0000-0x000000000859F000-memory.dmp

memory/1812-154-0x00000000056C0000-0x0000000005CC6000-memory.dmp

memory/2172-155-0x0000000000400000-0x0000000002F86000-memory.dmp

memory/2172-156-0x0000000007D80000-0x0000000007D81000-memory.dmp

memory/2196-157-0x0000000000400000-0x0000000002BD0000-memory.dmp

memory/3712-160-0x0000000005290000-0x0000000005291000-memory.dmp

memory/2172-161-0x0000000007D82000-0x0000000007D83000-memory.dmp

memory/2172-158-0x0000000007D83000-0x0000000007D84000-memory.dmp

memory/1812-163-0x00000000057A0000-0x00000000057A1000-memory.dmp

memory/3712-164-0x0000000005200000-0x0000000005201000-memory.dmp

memory/3116-166-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\E00E.exe

MD5 4266f72b05afa83f395e890b76eadf69
SHA1 489386ba56760821f6e35712028410da476fe258
SHA256 6b1e04d8ef0395166da7d784c80ec3b8e85593ec862e54c07976ef14b28c70e4
SHA512 a375f17bc9283e7edb8f492d616ec3f192d9943251a4323138c99b565dbb03a5734b4116b7b47830680dea16713155cb96e51ea32ce96f479c48e9bd0bb9556a

C:\Users\Admin\AppData\Local\Temp\E29F.exe

MD5 dc76f9db59067352088afd4d1dcdf902
SHA1 9aa1e3ddc42638127ea6df2c846fa87064217264
SHA256 82886239600afdacc926461535d164093072e6d0ba0cdd370a61b94faf5c503f
SHA512 15d3d6f0c6fdc6e441cb19a96c23bb436126cdfc671a761d69814919ebc59a05fea569d3c81c76073eafca57a60b7fe9e601022aa0ade05598bf0af83657443e

\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 f964811b68f9f1487c2b41e1aef576ce
SHA1 b423959793f14b1416bc3b7051bed58a1034025f
SHA256 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\nss3.dll

MD5 02cc7b8ee30056d5912de54f1bdfc219
SHA1 a6923da95705fb81e368ae48f93d28522ef552fb
SHA256 1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5
SHA512 0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\mozglue.dll

MD5 eae9273f8cdcf9321c6c37c244773139
SHA1 8378e2a2f3635574c106eea8419b5eb00b8489b0
SHA256 a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc
SHA512 06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\softokn3.dll

MD5 4e8df049f3459fa94ab6ad387f3561ac
SHA1 06ed392bc29ad9d5fc05ee254c2625fd65925114
SHA256 25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871
SHA512 3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

\Users\Admin\AppData\LocalLow\uS0wV5wY9qH3\freebl3.dll

MD5 60acd24430204ad2dc7f148b8cfe9bdc
SHA1 989f377b9117d7cb21cbe92a4117f88f9c7693d9
SHA256 9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97
SHA512 626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

\??\c:\Users\Admin\AppData\Local\Temp\aqm1hxf2\aqm1hxf2.cmdline

MD5 fb4300f7d91bf0aa3c9d797e5aafe880
SHA1 f8f79e72b1b99d0adb05124202a359708f8e4327
SHA256 d448ccf9cc48e8d7e035c64da14031264695347b31c63c4a1a0013c2faf278fe
SHA512 3f3ecfef923cace4b39847c8507a77a247205949402bf70c9bb418e4b75646f67844a7c9837e04b0433bcd5e05280aca1868632457e7c592baa369ea979f63a3

\??\c:\Users\Admin\AppData\Local\Temp\aqm1hxf2\aqm1hxf2.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

\??\c:\Users\Admin\AppData\Local\Temp\aqm1hxf2\CSCCC51D4BECFA84DC79486D9ACD8F7FBA.TMP

MD5 026cd43b381cfb10b3e85dfcc47d6d00
SHA1 f1b1f897afc2a6f22904c3593baa1c0d6832d12f
SHA256 180be194b3caeec0ea43486bfe8662dd6b5b658df135a0f85f394bf7214665ec
SHA512 b7841b00f76100599ad362832a3148776bb24183c6780e25b908da852dda3d2dcce23341fd0a9aa2cdfb330f3d4cd3fd2e50863afae1e3a64693f2ea2e8bd9f2

C:\Users\Admin\AppData\Local\Temp\RES1DCF.tmp

MD5 743d84d643d469422d654ff6463bb71a
SHA1 b0061b7c661757bed98981b233728c8ba473fd31
SHA256 821ff9b37bf1f02b571837902c30d3e8a9ebd49ef228b0304428a6af7aa316af
SHA512 656be291b7c70eb79e91a089379ab1ba9bf52492570b98acbb506f84fe7abb06974e124cf8992d00842a455b8ffc217bfc2a43587f512088d30be4950e3c188e

C:\Users\Admin\AppData\Local\Temp\aqm1hxf2\aqm1hxf2.dll

MD5 d59bef04d83056fa92d370b98e173895
SHA1 4921890089dec572765735ca0214664dca9c8c1b
SHA256 97ed328d086112db581a6426da12fc14aedc23b696879960355369289b14571a
SHA512 281115358298bf4c5e302025540784f2afcf82f409145bcfa63c61382ff48d48190a34adee87c359dcc729dee2071449a3f2c1567d78a06ce807c2824bb3077a

C:\Users\Admin\AppData\Local\Temp\92ciiS6sSA.exe

MD5 361a173daef3d005eeff13944c530b54
SHA1 27bc8356bce101f9a5cc6b86dd2c2fe01dcb2f63
SHA256 9317a50da3b8bbfdfe637f73c3256bb4e7cb04309d3d5108bd796ea497a89c74
SHA512 8d5ce80bdb029038378ebf220bc459519ca8981919f92a17fee8529f272e57360b0f55f1b9b290a2b704c5dbe15eaa1815ad8b72234e45713f522209df6666bc

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 794bf0ae26a7efb0c516cf4a7692c501
SHA1 c8f81d0ddd4d360dcbe0814a04a86748f99c6ff2
SHA256 97753653d52aaa961e4d1364b5b43551c76da9bb19e12f741bd67c986259e825
SHA512 20c97972a1256375157f82a859ce4936613fe109d54c63bbec25734edc3a567ca976b342a21ef5f25571b3c1959afe618ad9f9f17a817cfd731d1504541b1a75

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 f3068198b62b4b70404ec46694d632be
SHA1 7b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256 bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512 ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 77b727e852ce4ff43e1a824345703b5b
SHA1 e7e0d1d0f49b3beb6ad0cd17920374d3c73e282f
SHA256 014fba23480352b90b6dbee85229e2a1b36c3e37172334397ecafd3c70c54071
SHA512 f5b8c3987e2c326b538166aa2434585f65577162d83b2e1015e810791e9aa85ec399bb53ceda4f3e5c978da8d19c11487d37bfb9cef361cd264bd1ea14e855d5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8b3e71799f5031ec98a2039b151b5a79
SHA1 d6c3583c223275ffeb35a257cf1294eb1c4e66ef
SHA256 f137f9aa242cbc42a70a6cc0c7110b63991304281be12c9fc07675153bec97c7
SHA512 73dc280429c329e9a39108b7ea4a15dd589c46624ee5745694726b8aaf21c660d4f7708f9e44905955b35e1b3d78042d6553473bbbdb2e726c42003c8d3842d0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\D9B4.exe.log

MD5 0c2899d7c6746f42d5bbe088c777f94c
SHA1 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA256 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512 ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 878e79ee2debf5b524cbc44c6ef4a616
SHA1 8642e82a0a308485561daaa464898557ed2e27d1
SHA256 8980a8b8f613019cc19b6d50b8467baf37c8d26d392398ebc2018df5ef3fbcda
SHA512 b775ab98bb2268824aadda247f9d05585c94c455cdc666b94e2e222862305f5c525459a74c78984e9b4d69ed2e37717e2e1fffeda9164e3dc7659593cb52c489

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe

MD5 361a173daef3d005eeff13944c530b54
SHA1 27bc8356bce101f9a5cc6b86dd2c2fe01dcb2f63
SHA256 9317a50da3b8bbfdfe637f73c3256bb4e7cb04309d3d5108bd796ea497a89c74
SHA512 8d5ce80bdb029038378ebf220bc459519ca8981919f92a17fee8529f272e57360b0f55f1b9b290a2b704c5dbe15eaa1815ad8b72234e45713f522209df6666bc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 441b8d971f43d80f0c9ad1fce0c23aae
SHA1 fbf7902f05abc70c43d2565785461b3eb02a92ce
SHA256 1a672dfcd47c765cdfef87851adb83349c129a4f81077599ec92a1f1803c5759
SHA512 4bc4081eabe5df294b8e1a89f8d01c152c157e64d1a48a1f2126b529b971da6f23b0d366446ef0b3e94fdab648ffd249b3ee3db6cc5f22fbba7fdce283623bfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 95993cf508b1158b2bcc3eb7c5d41d2a
SHA1 56710b6beead562260f94b64915bc1c702a2a2d1
SHA256 b5a272e4e9cd0c5d98110ef787a78e5a99bb2164f6c47b48c0e67f933659082e
SHA512 783fb91859e0f6e686921eb421450df24e64b682fa5b6c50ab33fe210f10730a8851272c37347df58ba696e0aa7d2a83ec95340de5e438d681a8600970157220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c17a2975d4e15b3d097fcbf3e2027341
SHA1 a51b67036534472a4cd0d0d83bec5883473ab1d4
SHA256 342c7cd67b97ecb040b265c6930e9bcea7fa38cdc93804a3b63ee8ecb10b9bbc
SHA512 174f091834d99bc8b48e86e28a58cb8b03dc38c85f9390bd3f7294b55bf78b492c6c1ba1a80f600ef5b46450dab083c67cff692d3b31c1462666a91bd2774af4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 d158a1643c72939c92012443aad9eed3
SHA1 f9b364d45a7eead659e4098e1cfff474098b837d
SHA256 12782aa4a756a2e4b31a3dd88f9920a59b9a8a1b9ed020b7fabb62f586ccbc59
SHA512 4d292ad2ea53f485275635c654cdd746258d92671427373ae5f453100add7e7a9af23340448ac59c8ae786f50152315d7b1bebdfbef07b98fc0803fa9ceadc8c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e2a121bb35dc9f81edca3f3d2d873f80
SHA1 2ad090de73fde5e178e51861973dd91eb3f2a3f8
SHA256 62cb683a9ced8e0a5e3765d5f3ff5e2a3568fe4abb2abe125184a5198043bb92
SHA512 3795cc245254c5e14b08a24ffdd11dd8d0af920881aa45ba0e227765fda5a000ac95907657ff5ad49f6cc48a894e6de4b48fa50c199aa972e4e83970c4774bda

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 e8ba157453e84049c671cb2290002bb4
SHA1 aea1a76455c088b9427cb3321948e2c963d21f93
SHA256 be09f824f3b983b807314eec5e81f9a5f2a967d31c45b99c03f68f96b5650efc
SHA512 100da14ae13474c2b155c57af6a8e5ab62bce07fb3baa49d5867e12286d7da2e92b583c23483828c47dbdf4f9af562af84d2f3a4b952dcbf5d0ea4e92c596879

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c2a5f6c2d1264fb6542e1c99a3b52ac7
SHA1 029ca1ed55b81d597f0efb52a70d653a923c7f80
SHA256 22b11bec7cb809de3dee9623fb61a35d4e58c59ca7931460dacab09187645e6f
SHA512 43c05c3f3b0b5435a5fa9d690b93be6c873a7b049ef115927534ba1e36713efed697ad21f86833213a8f5b1614c23fe11d04c6f399af8b12637fcb5b5ae72dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 f49e210503b368695a3a3b3faa860fe6
SHA1 43303710a0192cd9647fe55cb2beece7ab5fa85b
SHA256 f19c67208383f5aefe6b513262c55ae176fe154489ac3f1763cd82845851b4dd
SHA512 e2ae5c006e331ac24c28dd587ebc21eefcfaa65238d0b08891b5eb593eb059e1796539dc5a44c3e48e14fd91d0de90df4a0f94eb5afd3b06dedc04c1bd29fa6d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f3ef304166796a75dce3b970322b8d7a
SHA1 2f11527fb6c9c81cac2e62198d38dc2f448783a5
SHA256 3af4f81c5f896be9972f6a7e0215b7e07a78cefede575a87966465b87f8d8716
SHA512 85367ca34566bc42041ba9e1ea3d37769afeb035d9c639993d55b1018477eeecc25785ffed946546a6a37bc6607edfb6df4d4150137e4dd3f9249e398765688c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d69cd31641e0a0c67d7625ae30f32d
SHA1 b1a978a019f59064dc95a3e7097fc513a3e8890b
SHA256 68ce7391dd1dbf6bf3896ad9deae2f57b17e9f7dec788c10f68003acb6380e88
SHA512 d290e7403ddbf19c8b17de468ebee4784254b0637cdbdc57b0a854e8d9e35bcf1168bd30485e46145459d3ad061ce4b35f6546f57b7df725a190973cd9a72293