Analysis
Max time kernel: 142s
Max time network: 124s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 20-10-2021 01:50
Static task: static1
General
Target: 2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847.exe
Size: 1.2MB
MD5: ffd87f2abdb8eb540ce899b1a25cc6ed
SHA1: 81b3087989a3dadd745bcc53762d22334c05c20d
SHA256: 2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847
SHA512: b497f9bff9d6515dca2423416a624b2ef75600ce06e53e39be79a146221f6933d49f3ebbab8454f6428464b24f6177182569ef5b13de0465a066c1aad73254d4
Malware Config

Extracted: danabot
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
type: loader

Extracted: danabot
2052
4
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
type: main
Signatures

Danabot Loader Component (4 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\275448~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\275448~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\275448~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\275448~1.DLL | DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
description | pid | process | target process
PID 3276 created 3952 | 3276 | WerFault.exe | RUNDLL32.EXE

Blocklisted process makes network request (6 IoCs)
Processes:
flow | pid | process
30 | 3672 | rundll32.exe
31 | 60 | RUNDLL32.EXE
34 | 60 | RUNDLL32.EXE
35 | 60 | RUNDLL32.EXE
36 | 60 | RUNDLL32.EXE
37 | 60 | RUNDLL32.EXE

Loads dropped DLL (5 IoCs)
Processes:
pid | process
3672 | rundll32.exe
60 | RUNDLL32.EXE
3952 | RUNDLL32.EXE
1280 | RUNDLL32.EXE
1280 | RUNDLL32.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RUNDLL32.EXE

Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 3952 set thread context of 2196 | 3952 | RUNDLL32.EXE | rundll32.exe

Drops file in Program Files directory (1 IoC)
Processes:
description | ioc | process
File created | C:\PROGRA~3\zohplghndapsm.tmp | rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
3276 | 3952 | WerFault.exe | RUNDLL32.EXE
Checks processor information in registry (2 TTPs, 42 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | RUNDLL32.EXE
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | RUNDLL32.EXE
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE
Modifies Internet Explorer settings (1 IoC)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TypedURLs | rundll32.exe

Modifies system certificate store (2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\311A60E733B6A0987335BB1E726456CD7216533F | RUNDLL32.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\311A60E733B6A0987335BB1E726456CD7216533F\Blob | RUNDLL32.EXE
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes:
pid | process | entries
60 | RUNDLL32.EXE | 6
1220 | powershell.exe | 1
3952 | RUNDLL32.EXE | 2
1220 | powershell.exe | 1
3276 | WerFault.exe | 14
2000 | powershell.exe | 1
1220 | powershell.exe | 1
2000 | powershell.exe | 2
60 | RUNDLL32.EXE | 2
3564 | powershell.exe | 3

Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1220 | powershell.exe
Token: SeDebugPrivilege | 60 | RUNDLL32.EXE
Token: SeRestorePrivilege | 3276 | WerFault.exe
Token: SeBackupPrivilege | 3276 | WerFault.exe
Token: SeDebugPrivilege | 3276 | WerFault.exe
Token: SeDebugPrivilege | 2000 | powershell.exe
Token: SeDebugPrivilege | 3564 | powershell.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid | process
2196 | rundll32.exe
60 | RUNDLL32.EXE

Suspicious use of WriteProcessMemory (35 IoCs)
Processes:
description | pid | process | target process | entries
PID 1380 wrote to memory of 3672 | 1380 | 2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847.exe | rundll32.exe | 3
PID 3672 wrote to memory of 60 | 3672 | rundll32.exe | RUNDLL32.EXE | 3
PID 60 wrote to memory of 1220 | 60 | RUNDLL32.EXE | powershell.exe | 3
PID 60 wrote to memory of 3952 | 60 | RUNDLL32.EXE | RUNDLL32.EXE | 3
PID 3952 wrote to memory of 2196 | 3952 | RUNDLL32.EXE | rundll32.exe | 3
PID 60 wrote to memory of 1280 | 60 | RUNDLL32.EXE | RUNDLL32.EXE | 3
PID 2196 wrote to memory of 3252 | 2196 | rundll32.exe | ctfmon.exe | 2
PID 60 wrote to memory of 2000 | 60 | RUNDLL32.EXE | powershell.exe | 3
PID 60 wrote to memory of 3564 | 60 | RUNDLL32.EXE | powershell.exe | 3
PID 3564 wrote to memory of 3208 | 3564 | powershell.exe | nslookup.exe | 3
PID 60 wrote to memory of 2448 | 60 | RUNDLL32.EXE | schtasks.exe | 3
PID 60 wrote to memory of 2456 | 60 | RUNDLL32.EXE | schtasks.exe | 3
outlook_office_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE

outlook_win_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2754480dc85bc4b2beb1eb6637945d1c8643cf43df940fa614e94635b1227847.exe"
- Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\275448~1.DLL,s C:\Users\Admin\AppData\Local\Temp\275448~1.EXE
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\RUNDLL32.EXE
    Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\275448~1.DLL,o09U
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\275448~1.DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\275448~1.DLL,QxooZ2s2
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

          C:\Windows\system32\ctfmon.exe
          Command line: ctfmon.exe

        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 808
        - Suspicious use of NtCreateProcessExOtherParentProcess
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
      - Loads dropped DLL

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp883.tmp.ps1"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp52BD.tmp.ps1"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\nslookup.exe
        Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost

      C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

      C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Downloads
C:\PROGRA~3\zohplghndapsm.tmp
  MD5: 2def7e89943100cf26d70ef373b1260e
  SHA1: d90f028ae9ac9f8edc26445639752acbcacc70e7
  SHA256: 178020d76bd88c4681056aeb6a693e8db6afe0f6283466c687c0ca0d04ed1549
  SHA512: a65902089d46d2dcaca02caa028cc288e287de7a315ab631c532cf8c584850c2c896d3e8820ff338ab86e177b79d828c4fe1c8606e690477714a1afd65750624

C:\PROGRA~3\zohplghndapsm.tmp
  MD5: 215771e6a0398a9818667d79c06163e3
  SHA1: 96adf9e778b2141255d34685c1139ceb68389cc4
  SHA256: a0a7ef1b8d898c4552786bf90c6e1e96a2a1e609c9184183f28d9d4dde063233
  SHA512: b0aa22f13b4d5d9d6fc76440bc02935bb5d0fa109c27f5f5a5e168871957115ff232f57207a090f7e6a0c0799f4367fdc40d411d94854af5d3d21894616605fe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: f7a808b5711f58fb4f85476c1bb24ac3
  SHA1: fbdf9670d622e8fc3446ad4f53fbbd83016f03d1
  SHA256: de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec
  SHA512: 866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: 7247129cd0644457905b7d6bf17fd078
  SHA1: dbf9139b5a1b72141f170d2eae911bbbe7e128c8
  SHA256: dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4
  SHA512: 9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: b2267c70a0e1c04ab802cf792b8e18f1
  SHA1: fedd43729e4fd401b077345359d6554b6863f342
  SHA256: 0df37c42fecacc545061ef27e128a8855df31d0de5f7caf0896214a871c95657
  SHA512: c29ffc0b5fcb8395c460ff34751beb18af8950fc5be48129293d873ae8149c13e77c3a42becddad39e35ca033e8c0ebcd1cd7a05c4371081e06059b5cc5bcb66

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 35d7863598143f9fa52ef3a06cf454aa
  SHA1: 55fbb0bd1605977edeaac36433d0962cce316092
  SHA256: ca040c47d97f655021326ece210d169b65d4f142843ff86150eb219c4bfcdab4
  SHA512: 0fa3060f2ee119d7f9647056ab35d62f5da1bd0c47c3bbdd6d95daeaf8990bfa4b0e8ba68806f2d9a0d992e432a8cc99a961b0e68d33355231abeb4bcd41ff64

C:\Users\Admin\AppData\Local\Temp\275448~1.DLL
  MD5: 04125fbe0b2fa02ebb26b56083ab3a92
  SHA1: c0bca6b2197c8e38f021776cc629adc38388a807
  SHA256: 100827abff7d734b60bce0c810671cac321c5d56e688e524f95d110ef12c4922
  SHA512: 60c2fd6d8d7ad2ea17b1296eb02af417cd1aa00950b099cefecaaed974a4d87ebf47e149c89cf3e190208f576104491315d0c82d7baadf80f73877b5e42ebb7b

C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
  MD5: 5951f0afa96cda14623b4cce74d58cca
  SHA1: ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
  SHA256: 8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
  SHA512: b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071

C:\Users\Admin\AppData\Local\Temp\tmp52BD.tmp.ps1
  MD5: f6d89dc67d8c83b56ddbf168d6167717
  SHA1: 6217d3e0b54b51837470fe22d4fe0a47c59ea3b4
  SHA256: 53ce40ccb2b53b026f983d4e2c6312ce16512181a148014afc49e102a3cb5a03
  SHA512: ef7f6c81aa014a1853649b0b824ebcfc8e04e1c8ebe2a340a4fd4a559bf4f6edd293e323042c76e6f42dddde453a89f3c72d6aa5c5572bf6afc75f646d49df8e

C:\Users\Admin\AppData\Local\Temp\tmp52BE.tmp
  MD5: 1860260b2697808b80802352fe324782
  SHA1: f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
  SHA256: 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
  SHA512: d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

C:\Users\Admin\AppData\Local\Temp\tmp883.tmp.ps1
  MD5: c389286bb83ab555f9f80b5362b2da21
  SHA1: 37434995fa1ef3fc066eb418ff50c470876e69cc
  SHA256: b17053aa38feda85fa7486688fd4fd2c7a5eb83d36b7377bdaf2146e9b350369
  SHA512: 03fb2ae9ffafcdd07de312e4d8ec8e2d0b312866025ddec55c13ad037ad1f3d10cd863bb69ddde88f60e298896a9cfbf0e9309614c4e5ff958c6d8589a7a4e8f

C:\Users\Admin\AppData\Local\Temp\tmp893.tmp
  MD5: c416c12d1b2b1da8c8655e393b544362
  SHA1: fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256: 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512: cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

\Users\Admin\AppData\Local\Temp\275448~1.DLL
  MD5: 04125fbe0b2fa02ebb26b56083ab3a92
  SHA1: c0bca6b2197c8e38f021776cc629adc38388a807
  SHA256: 100827abff7d734b60bce0c810671cac321c5d56e688e524f95d110ef12c4922
  SHA512: 60c2fd6d8d7ad2ea17b1296eb02af417cd1aa00950b099cefecaaed974a4d87ebf47e149c89cf3e190208f576104491315d0c82d7baadf80f73877b5e42ebb7b

\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
  MD5: 5951f0afa96cda14623b4cce74d58cca
  SHA1: ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
  SHA256: 8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
  SHA512: b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071
dump | Filesize
memory/60-126-0x00000000050D1000-0x00000000060B5000-memory.dmp | 15.9MB
memory/60-127-0x0000000000570000-0x0000000000571000-memory.dmp | 4KB
memory/60-123-0x0000000000000000-mapping.dmp |
memory/1220-191-0x0000000009830000-0x0000000009863000-memory.dmp | 204KB
memory/1220-212-0x0000000004D83000-0x0000000004D84000-memory.dmp | 4KB
memory/1220-137-0x0000000004D80000-0x0000000004D81000-memory.dmp | 4KB
memory/1220-138-0x0000000004D82000-0x0000000004D83000-memory.dmp | 4KB
memory/1220-128-0x0000000000000000-mapping.dmp |
memory/1220-129-0x0000000003470000-0x0000000003471000-memory.dmp | 4KB
memory/1220-206-0x0000000009960000-0x0000000009961000-memory.dmp | 4KB
memory/1220-199-0x00000000089E0000-0x00000000089E1000-memory.dmp | 4KB
memory/1220-194-0x000000007E930000-0x000000007E931000-memory.dmp | 4KB
memory/1220-130-0x0000000003470000-0x0000000003471000-memory.dmp | 4KB
memory/1220-179-0x0000000003470000-0x0000000003471000-memory.dmp | 4KB
memory/1220-147-0x00000000077B0000-0x00000000077B1000-memory.dmp | 4KB
memory/1220-168-0x0000000008850000-0x0000000008851000-memory.dmp | 4KB
memory/1220-135-0x00000000077E0000-0x00000000077E1000-memory.dmp | 4KB
memory/1220-166-0x0000000008900000-0x0000000008901000-memory.dmp | 4KB
memory/1220-134-0x0000000004D90000-0x0000000004D91000-memory.dmp | 4KB
memory/1220-165-0x0000000008460000-0x0000000008461000-memory.dmp | 4KB
memory/1220-163-0x0000000008110000-0x0000000008111000-memory.dmp | 4KB
memory/1220-161-0x0000000007FF0000-0x0000000007FF1000-memory.dmp | 4KB
memory/1220-160-0x0000000007E80000-0x0000000007E81000-memory.dmp | 4KB
memory/1280-149-0x0000000000000000-mapping.dmp |
memory/1380-117-0x0000000000400000-0x0000000002E86000-memory.dmp | 42.5MB
memory/1380-116-0x0000000004E40000-0x0000000004F49000-memory.dmp | 1.0MB
memory/1380-115-0x0000000004CA8000-0x0000000004D9A000-memory.dmp | 968KB
memory/2000-167-0x0000000000000000-mapping.dmp |
memory/2000-200-0x00000000010C0000-0x00000000010C1000-memory.dmp | 4KB
memory/2000-254-0x0000000006B23000-0x0000000006B24000-memory.dmp | 4KB
memory/2000-190-0x0000000006DC0000-0x0000000006DC1000-memory.dmp | 4KB
memory/2000-178-0x0000000006B22000-0x0000000006B23000-memory.dmp | 4KB
memory/2000-177-0x0000000006B20000-0x0000000006B21000-memory.dmp | 4KB
memory/2000-170-0x00000000010C0000-0x00000000010C1000-memory.dmp | 4KB
memory/2000-169-0x00000000010C0000-0x00000000010C1000-memory.dmp | 4KB
memory/2196-159-0x000001EBC8D10000-0x000001EBC8D12000-memory.dmp | 8KB
memory/2196-157-0x0000000000C50000-0x0000000000DF0000-memory.dmp | 1.6MB
memory/2196-152-0x00007FF6EDBF5FD0-mapping.dmp |
memory/2196-164-0x000001EBC8F30000-0x000001EBC90E2000-memory.dmp | 1.7MB
memory/2196-158-0x000001EBC8D10000-0x000001EBC8D12000-memory.dmp | 8KB
memory/2448-453-0x0000000000000000-mapping.dmp |
memory/2456-454-0x0000000000000000-mapping.dmp |
memory/3208-438-0x0000000000000000-mapping.dmp |
memory/3252-162-0x0000000000000000-mapping.dmp |
memory/3564-452-0x0000000004AB3000-0x0000000004AB4000-memory.dmp | 4KB
memory/3564-353-0x0000000004AB2000-0x0000000004AB3000-memory.dmp | 4KB
memory/3564-351-0x0000000004AB0000-0x0000000004AB1000-memory.dmp | 4KB
memory/3564-327-0x0000000000000000-mapping.dmp |
memory/3672-122-0x0000000000570000-0x0000000000571000-memory.dmp | 4KB
memory/3672-121-0x0000000004E21000-0x0000000005E05000-memory.dmp | 15.9MB
memory/3672-118-0x0000000000000000-mapping.dmp |
memory/3952-141-0x0000000005C30000-0x0000000005D70000-memory.dmp | 1.2MB
memory/3952-140-0x0000000000D10000-0x0000000000D11000-memory.dmp | 4KB
memory/3952-150-0x0000000005C30000-0x0000000005D70000-memory.dmp | 1.2MB
memory/3952-136-0x0000000004B81000-0x0000000005B65000-memory.dmp | 15.9MB
memory/3952-139-0x0000000000570000-0x0000000000571000-memory.dmp | 4KB
memory/3952-148-0x0000000005C30000-0x0000000005D70000-memory.dmp | 1.2MB
memory/3952-142-0x0000000005C30000-0x0000000005D70000-memory.dmp | 1.2MB
memory/3952-144-0x0000000005C30000-0x0000000005D70000-memory.dmp | 1.2MB
memory/3952-145-0x0000000005C30000-0x0000000005D70000-memory.dmp | 1.2MB
memory/3952-146-0x0000000000F10000-0x0000000000F11000-memory.dmp | 4KB
memory/3952-131-0x0000000000000000-mapping.dmp |