Analysis
- max time kernel: 142s
- max time network: 126s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 20-10-2021 04:32
- Static task: static1
General
- Target: 28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a.exe
- Size: 1.2MB
- MD5: 7edffa62f8534925e9568fc8129b377e
- SHA1: 83c127c87333db4785f0e7c17aea92c3e880aae8
- SHA256: 28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a
- SHA512: 4519940f74c31ca828c31963ab896ef622713a4326470df1d18807acf963ee37de0d54e0cbd9fec8a2c69310cf3ea9bbaab11463112426ae52fed68c360ea11e
Malware Config
Extracted
danabot
- 192.119.110.73:443
- 192.236.147.159:443
- 192.210.222.88:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: loader
Extracted
danabot
- 2052
- 4
- 192.119.110.73:443
- 192.236.147.159:443
- 192.210.222.88:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: main
Signatures
-
Danabot Loader Component 6 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\28C601~1.DLL | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\28C601~1.DLL | DanabotLoader2021
  behavioral1/memory/2076-134-0x0000000003F60000-0x00000000040C2000-memory.dmp | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\28C601~1.DLL | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\28C601~1.DLL | DanabotLoader2021
-
Blocklisted process makes network request 2 IoCs
Processes:
  flow | pid | process
  33 | 812 | rundll32.exe
  34 | 1852 | RUNDLL32.EXE
-
Loads dropped DLL 5 IoCs
Processes:
  pid | process
  812 | rundll32.exe
  1852 | RUNDLL32.EXE
  2076 | RUNDLL32.EXE
  2076 | RUNDLL32.EXE
  740 | RUNDLL32.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RUNDLL32.EXE
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 2076 set thread context of 1400 | 2076 | RUNDLL32.EXE | rundll32.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
  description | ioc | process
  File created | C:\PROGRA~3\zohplghndapsm.tmp | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 44 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies system certificate store
Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E5774F927E4D73E7CFCEDEE9D88E1518DAF54E1F\Blob = [certificate blob not preserved in this copy of the report] | RUNDLL32.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E5774F927E4D73E7CFCEDEE9D88E1518DAF54E1F | RUNDLL32.EXE
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes (duplicate rows collapsed, hit count in last column):
  pid | process | hits
  1852 | RUNDLL32.EXE | 8
  704 | powershell.exe | 3
  2076 | RUNDLL32.EXE | 2
  3140 | powershell.exe | 3
  3736 | powershell.exe | 3
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 704 | powershell.exe
  Token: SeDebugPrivilege | 1852 | RUNDLL32.EXE
  Token: SeDebugPrivilege | 3140 | powershell.exe
  Token: SeDebugPrivilege | 3736 | powershell.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid | process
  1400 | rundll32.exe
  1852 | RUNDLL32.EXE
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes (duplicate rows collapsed, hit count in last column):
  description | pid | process | target process | hits
  PID 2276 wrote to memory of 812 | 2276 | 28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a.exe | rundll32.exe | 3
  PID 812 wrote to memory of 1852 | 812 | rundll32.exe | RUNDLL32.EXE | 3
  PID 1852 wrote to memory of 704 | 1852 | RUNDLL32.EXE | powershell.exe | 3
  PID 1852 wrote to memory of 2076 | 1852 | RUNDLL32.EXE | RUNDLL32.EXE | 3
  PID 2076 wrote to memory of 1400 | 2076 | RUNDLL32.EXE | rundll32.exe | 3
  PID 1852 wrote to memory of 740 | 1852 | RUNDLL32.EXE | RUNDLL32.EXE | 3
  PID 1400 wrote to memory of 2988 | 1400 | rundll32.exe | ctfmon.exe | 2
  PID 1852 wrote to memory of 3140 | 1852 | RUNDLL32.EXE | powershell.exe | 3
  PID 1852 wrote to memory of 3736 | 1852 | RUNDLL32.EXE | powershell.exe | 3
  PID 3736 wrote to memory of 3016 | 3736 | powershell.exe | nslookup.exe | 3
  PID 1852 wrote to memory of 3216 | 1852 | RUNDLL32.EXE | schtasks.exe | 3
  PID 1852 wrote to memory of 2636 | 1852 | RUNDLL32.EXE | schtasks.exe | 3
-
outlook_office_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
-
outlook_win_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Processes (the bracketed number is the depth of the process in the tree; each entry lists the image path, the command line, and the signatures that fired on it)
-
[1] C:\Users\Admin\AppData\Local\Temp\28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\28c6011ce5deb72197f4e8a26910d7fd368f4c5d7e83dea4a6fe7502d846091a.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\rundll32.exe
      cmd: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL,s C:\Users\Admin\AppData\Local\Temp\28C601~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\RUNDLL32.EXE
        cmd: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL,hFUv
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Accesses Microsoft Outlook accounts
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\RUNDLL32.EXE
          cmd: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL,VCYtT2pZbUw=
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\rundll32.exe
            cmd: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\ctfmon.exe
              cmd: ctfmon.exe
      [4] C:\Windows\SysWOW64\RUNDLL32.EXE
          cmd: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
          - Loads dropped DLL
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFE71.tmp.ps1"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6CCD.tmp.ps1"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\nslookup.exe
            cmd: "C:\Windows\system32\nslookup.exe" -type=any localhost
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Downloads
- C:\PROGRA~3\zohplghndapsm.tmp
  MD5 cf6df07eadcfa62475176a47cd68ff86
  SHA1 37f367bcd2ff0f35b0849c0dda2abde7820492a2
  SHA256 cdba3afc087a7f05b24b6d0a6f9b570b1fead98719879c1b89770a72ddaa2d7e
  SHA512 a5b85553b88bcd139943cb3c386d644b283125938b218e3f9e6c4784692747fb69cdd3107078f6a0986f0ecff8517a4d04f42ed694b666cc7b24d2e11b7f9a80
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5 f7a808b5711f58fb4f85476c1bb24ac3
  SHA1 fbdf9670d622e8fc3446ad4f53fbbd83016f03d1
  SHA256 de4aadfe00c4cf41434a12450cdc69d37cb2d9cec951b074c3b5e7bfce9e94ec
  SHA512 866848d13e999e6a1a79d77c33adb642d78d0a11adee293fca411b4ed5f7bf85324f90b3031148a66ac10dccc577d3c2a7c1ab6ed4237360de9911c27516a5af
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5 7247129cd0644457905b7d6bf17fd078
  SHA1 dbf9139b5a1b72141f170d2eae911bbbe7e128c8
  SHA256 dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4
  SHA512 9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5 4ded3e1b42ce8ad34c360077b353bbb0
  SHA1 d0b31c95b56dfef8d0a4af8e26675833815a0319
  SHA256 cb9879b3236686becabc8a71a7c4903ae83b7611b47759f755a1667a923df7bb
  SHA512 388e4d7e0318da97e1386bb6553c65eaac32838bfb17a8c7c751c23f34cd848c2e2d4c359260df9dd3c7d58bef43cca1597ffb59423d9f6ec6c7b20d7cfdb90d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5 a88bc5b7b17cf8e3eba40d7ef4b3901d
  SHA1 307c3e27de483c59185b379d9bbf26cc34f06a0e
  SHA256 7ec397e29d0ad9b0533ef06a0e0a7a4f9a482bd74fbfa18c8d40be700383495e
  SHA512 dd37aa85c5c98b558e15777bf38998efa0ed2620c64ba60cefaf9a6241708cfdfbe65f3e3e93bd51021d155f6d28fd4eed1054ee9ab012aa9aff9d25c9407595
- C:\Users\Admin\AppData\Local\Temp\28C601~1.DLL
  MD5 cf5d4c10502510e92af825d06353cd9c
  SHA1 d2ba35b348e0efc317a7cbd1c7bfad134e8bfd12
  SHA256 e0737c51b7c9712f1090e5b19d2744bc3f66382bea5de086e9827c836c382ee7
  SHA512 2fac9dbf75a9de28f20b15c93f5ce972337ca2be5dd30fe2617bcd4233f8539256640516eb744a5380cdcd8bf609bd5d4749179833f86ba6073a3bac1642fdbd
- C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
  MD5 5951f0afa96cda14623b4cce74d58cca
  SHA1 ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
  SHA256 8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
  SHA512 b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071
- C:\Users\Admin\AppData\Local\Temp\tmp6CCD.tmp.ps1
  MD5 ae1cda89daed1d856f22751f8737d1f1
  SHA1 85749f8355f2a77d04e02fe7187622dd6dddcfc2
  SHA256 3542554394e2457e7a2951e7db643726ae3e8c1453b23026855230b4caf3a80f
  SHA512 272253857a2a42368f352308174b25c338922d6314312c6fd728a01bc6422a1ddbd9c38ab9690005a29e04534993aa6b62d1e8fd718205fdf4b061fc0229c992
- C:\Users\Admin\AppData\Local\Temp\tmp6CCE.tmp
  MD5 1860260b2697808b80802352fe324782
  SHA1 f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
  SHA256 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
  SHA512 d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
- C:\Users\Admin\AppData\Local\Temp\tmpFE71.tmp.ps1
  MD5 31bda7eda1214091d9d4189fddec6153
  SHA1 0d1c22641d3fef8c02d2b65c36d2423b9aeba56b
  SHA256 0c19df9ec228faf1036f3c915e9e7cef1d235171d8d99dc8696e74f844f139e1
  SHA512 0292b52eb9008800fdbe7a6a6dcc79cb8d76ae6ec34770221c53cde3ee7caa04e630f126eff80e04324769f919abbd4bb6cf470fa27a5c7cbfb7ddfc12a08328
- C:\Users\Admin\AppData\Local\Temp\tmpFE72.tmp
  MD5 c416c12d1b2b1da8c8655e393b544362
  SHA1 fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512 cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
- \Users\Admin\AppData\Local\Temp\28C601~1.DLL
  MD5 cf5d4c10502510e92af825d06353cd9c
  SHA1 d2ba35b348e0efc317a7cbd1c7bfad134e8bfd12
  SHA256 e0737c51b7c9712f1090e5b19d2744bc3f66382bea5de086e9827c836c382ee7
  SHA512 2fac9dbf75a9de28f20b15c93f5ce972337ca2be5dd30fe2617bcd4233f8539256640516eb744a5380cdcd8bf609bd5d4749179833f86ba6073a3bac1642fdbd
- \Users\Admin\AppData\Local\Temp\58cfb4a6.dll
  MD5 5951f0afa96cda14623b4cce74d58cca
  SHA1 ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
  SHA256 8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
  SHA512 b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071