Analysis
- max time kernel: 143s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 03:22
- Static task: static1
General
- Target: 2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe
- Size: 1.1MB
- MD5: 0f0e743d80e4d50839f475809ca9dc6b
- SHA1: 7b8669e3ccef71b05aef4bb4d8c2f36931f4688e
- SHA256: 2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d
- SHA512: dd9103057f6bfce478443c7ffefc7724bb7c74b8145d0a61691c03f12c48a0f64904b73edd4f6a9ccd9cef845d548343ef82c59a60ae332c1937f12544779332
Malware Config
Extracted: danabot (type: loader)
- C2: 192.119.110.73:443
- C2: 192.236.147.159:443
- C2: 192.210.222.88:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: loader
Extracted: danabot (type: main)
- unlabelled config fields as extracted: 2052, 4
- C2: 192.119.110.73:443
- C2: 192.236.147.159:443
- C2: 192.210.222.88:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: main
Both extracted configurations carry the same three C2 endpoints (all on port 443) and the same embedded hash; only the module type differs.
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
  - PID 1548 created 1712: WerFault.exe (PID 1548) -> RUNDLL32.EXE (PID 1712)
  This is a side effect of WerFault's crash handling for PID 1712 (see "Program crash" below and the "WerFault.exe -u -p 1712" entry in the process tree), not injection by the sample itself.
- Blocklisted process makes network request (6 IoCs)
  Processes:
  - flow 32: rundll32.exe (PID 3952)
  - flow 33: RUNDLL32.EXE (PID 3624)
  - flow 36: RUNDLL32.EXE (PID 3624)
  - flow 37: RUNDLL32.EXE (PID 3624)
  - flow 38: RUNDLL32.EXE (PID 3624)
  - flow 39: RUNDLL32.EXE (PID 3624)
- Loads dropped DLL (5 IoCs)
  Processes:
  - rundll32.exe (PID 3952), two loads
  - RUNDLL32.EXE (PID 3624)
  - RUNDLL32.EXE (PID 1712)
  - RUNDLL32.EXE (PID 1264)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (RUNDLL32.EXE)
- Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
  Processes (all RUNDLL32.EXE):
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1712 set thread context of 3320: RUNDLL32.EXE (PID 1712) -> rundll32.exe (PID 3320)
  Together with the WriteProcessMemory entries from 1712 into 3320 below, this is consistent with 1712 (32-bit, C:\Windows\SysWOW64\RUNDLL32.EXE) injecting into its child 3320 (64-bit, C:\Windows\system32\rundll32.exe running shell32.dll,#61). PID 1712 then crashed and was handled by WerFault.exe.
- Drops file in Program Files directory (1 IoC)
  Processes:
  - File created: C:\PROGRA~3\zohplghndapsm.tmp (rundll32.exe)
  PROGRA~3 is an 8.3 short name; on a typical x64 installation it resolves to C:\ProgramData rather than to a Program Files directory, so the signature name is misleading and the file should be looked for under ProgramData.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; this sample is identified as DanaBot (see Malware Config), a loader/stealer, so read it as drive enumeration rather than as a ransomware indicator.
- Program crash (1 IoC)
  Processes:
  - WerFault.exe (PID 1548) handled the crash of RUNDLL32.EXE (PID 1712)
- Checks processor information in registry (2 TTPs, 38 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (RUNDLL32.EXE, PIDs 3624 and 1712; 38 registry operations, repeats collapsed):
  - Keys opened/enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  - Key values enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  - Values queried under CentralProcessor\0: FeatureSet, VendorIdentifier, ~MHz, Platform Specific Field 1, Identifier, ProcessorNameString, Previous Update Revision, Update Status, Component Information, Configuration Data, Update Revision
  - Values queried under CentralProcessor\1: Component Information, Update Status, VendorIdentifier, ProcessorNameString, Update Revision, ~MHz
- Modifies Internet Explorer settings (1 IoC)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TypedURLs (rundll32.exe)
- Modifies system certificate store (1 IoC)
  Processes:
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\61748FC4230BC37DBD37AE85697DC0FF75F8F1DE (RUNDLL32.EXE)
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\61748FC4230BC37DBD37AE85697DC0FF75F8F1DE\Blob = (certificate data omitted) (RUNDLL32.EXE)
  Writing a certificate under SystemCertificates\ROOT installs it as a machine-trusted root, which lets an interception proxy present forged certificates to browsers without warnings. The key name is the certificate's SHA1 thumbprint, so 61748FC4230BC37DBD37AE85697DC0FF75F8F1DE is directly huntable, e.g. Get-ChildItem Cert:\LocalMachine\Root\61748FC4230BC37DBD37AE85697DC0FF75F8F1DE in PowerShell.
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  Processes (hits per process):
  - RUNDLL32.EXE (PID 3624): 8
  - RUNDLL32.EXE (PID 1712): 2
  - powershell.exe (PID 1196): 3
  - WerFault.exe (PID 1548): 14
  - powershell.exe (PID 916): 3
  - powershell.exe (PID 1164): 3
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Processes:
  - Token: SeDebugPrivilege, powershell.exe (PID 1196)
  - Token: SeRestorePrivilege, WerFault.exe (PID 1548)
  - Token: SeBackupPrivilege, WerFault.exe (PID 1548)
  - Token: SeDebugPrivilege, RUNDLL32.EXE (PID 3624)
  - Token: SeDebugPrivilege, WerFault.exe (PID 1548)
  - Token: SeDebugPrivilege, powershell.exe (PID 916)
  - Token: SeDebugPrivilege, powershell.exe (PID 1164)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  - rundll32.exe (PID 3320)
  - RUNDLL32.EXE (PID 3624)
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes (source -> target; the sandbox reports one entry per write, counts in brackets):
  - 2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe (PID 1556) -> rundll32.exe (PID 3952) [3]
  - rundll32.exe (PID 3952) -> RUNDLL32.EXE (PID 3624) [3]
  - RUNDLL32.EXE (PID 3624) -> powershell.exe (PID 1196) [3]
  - RUNDLL32.EXE (PID 3624) -> RUNDLL32.EXE (PID 1712) [3]
  - RUNDLL32.EXE (PID 1712) -> rundll32.exe (PID 3320) [3]
  - RUNDLL32.EXE (PID 3624) -> RUNDLL32.EXE (PID 1264) [3]
  - rundll32.exe (PID 3320) -> ctfmon.exe (PID 1696) [2]
  - RUNDLL32.EXE (PID 3624) -> powershell.exe (PID 916) [3]
  - RUNDLL32.EXE (PID 3624) -> powershell.exe (PID 1164) [3]
  - powershell.exe (PID 1164) -> nslookup.exe (PID 3628) [3]
  - RUNDLL32.EXE (PID 3624) -> schtasks.exe (PID 1816) [3]
  - RUNDLL32.EXE (PID 3624) -> schtasks.exe (PID 1136) [3]
  A parent writing into a child it has just created is normal during process start-up, so these edges mostly reconstruct the launch tree. The pair worth attention is 1712 -> 3320, which coincides with the SetThreadContext entry above.
- outlook_office_path (1 IoC)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
- outlook_win_path (1 IoC)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
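The WriteProcessMemory signature above is the report's flattened record of which process wrote into which. The Python script below is an added example, not part of the sandbox or of the report: it parses that run-on text (the input string is a trimmed copy of the report's entries, with the first edge kept three times to show how repeats are counted), rebuilds the parent/child tree and counts writes per edge. The function names and the input layout are this example's own.

```python
"""Rebuild the process tree from a sandbox 'WriteProcessMemory' IoC dump.

Added example, not part of the report. Input is one run-on line (or many
lines) of entries shaped like:
  'PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>'
"""
import re
from collections import defaultdict

# Constructed input: a trimmed copy of the report's IoC text. The first edge
# is repeated three times, as in the report, so the counting is visible.
WPM_IOCS = (
    "PID 1556 wrote to memory of 3952 1556 2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe rundll32.exe "
    "PID 1556 wrote to memory of 3952 1556 2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe rundll32.exe "
    "PID 1556 wrote to memory of 3952 1556 2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe rundll32.exe "
    "PID 3952 wrote to memory of 3624 3952 rundll32.exe RUNDLL32.EXE "
    "PID 3624 wrote to memory of 1196 3624 RUNDLL32.EXE powershell.exe "
    "PID 3624 wrote to memory of 1712 3624 RUNDLL32.EXE RUNDLL32.EXE "
    "PID 1712 wrote to memory of 3320 1712 RUNDLL32.EXE rundll32.exe "
    "PID 3624 wrote to memory of 1264 3624 RUNDLL32.EXE RUNDLL32.EXE "
    "PID 3320 wrote to memory of 1696 3320 rundll32.exe ctfmon.exe "
    "PID 3624 wrote to memory of 916 3624 RUNDLL32.EXE powershell.exe "
    "PID 3624 wrote to memory of 1164 3624 RUNDLL32.EXE powershell.exe "
    "PID 1164 wrote to memory of 3628 1164 powershell.exe nslookup.exe "
    "PID 3624 wrote to memory of 1816 3624 RUNDLL32.EXE schtasks.exe "
    "PID 3624 wrote to memory of 1136 3624 RUNDLL32.EXE schtasks.exe"
)

# The source PID appears twice per entry (description column, then pid column);
# the back-reference \1 uses that to find entry boundaries in run-on text.
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_wpm(text):
    """Return (src_pid, dst_pid, src_image, dst_image) per entry, repeats included."""
    return [m.groups() for m in EDGE_RE.finditer(text)]


def build_tree(edges):
    """names: pid -> image; children: pid -> child pids in first-seen order;
    writes: (src, dst) -> number of reported writes on that edge."""
    names, children, writes = {}, defaultdict(list), defaultdict(int)
    for src, dst, src_img, dst_img in edges:
        names.setdefault(src, src_img)
        names.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
        writes[(src, dst)] += 1
    return names, children, writes


def find_roots(names, children):
    """PIDs nobody wrote into: the top of each launch chain."""
    written_to = {dst for kids in children.values() for dst in kids}
    return [pid for pid in names if pid not in written_to]


def parent_of(children, pid):
    """The process that wrote into pid, or None for a root."""
    return next((src for src, kids in children.items() if pid in kids), None)


def render(names, children, writes, pid, depth=0, parent=None):
    """Indented tree; each child line shows how many writes its parent made into it."""
    tag = f"  [{writes[(parent, pid)]} writes by {parent}]" if parent else ""
    lines = [f"{'  ' * depth}{pid} {names[pid]}{tag}"]
    for child in children.get(pid, []):
        lines.extend(render(names, children, writes, child, depth + 1, pid))
    return lines


if __name__ == "__main__":
    names, children, writes = build_tree(parse_wpm(WPM_IOCS))
    for root in find_roots(names, children):
        print("\n".join(render(names, children, writes, root)))
```

Because the sandbox logs every WriteProcessMemory, including the ones CreateProcess performs into a fresh child, the rebuilt tree is the launch tree rather than a list of injections; an edge only becomes interesting when it is paired with other evidence, as 1712 -> 3320 is here with SetThreadContext.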
Processes
Tree as reported by the sandbox. The leading number is the sandbox's depth level; PIDs are taken from the IoC tables in the Signatures section. Image paths under SysWOW64 with "system32" on the command line are WoW64 file-system redirection: the sample and its rundll32/powershell chain are 32-bit processes, while PID 3320 (C:\Windows\system32\rundll32.exe) is native 64-bit.

1 C:\Users\Admin\AppData\Local\Temp\2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe (PID 1556)
  cmd: "C:\Users\Admin\AppData\Local\Temp\2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe"
  - Suspicious use of WriteProcessMemory
  2 C:\Windows\SysWOW64\rundll32.exe (PID 3952)
    cmd: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2962B0~1.DLL,s C:\Users\Admin\AppData\Local\Temp\2962B0~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    3 C:\Windows\SysWOW64\RUNDLL32.EXE (PID 3624)
      cmd: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\2962B0~1.DLL,XRVITw==
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      4 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1196)
        cmd: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2962B0~1.DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        (adds a Microsoft Defender exclusion for the dropped DLL; this cmdlet needs administrative rights, so it only succeeds when the sample runs elevated)
      4 C:\Windows\SysWOW64\RUNDLL32.EXE (PID 1712)
        cmd: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\2962B0~1.DLL,NSoKSA==
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        5 C:\Windows\system32\rundll32.exe (PID 3320)
          cmd: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          6 C:\Windows\system32\ctfmon.exe (PID 1696)
            cmd: ctfmon.exe
        5 C:\Windows\SysWOW64\WerFault.exe (PID 1548)
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 804
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      4 C:\Windows\SysWOW64\RUNDLL32.EXE (PID 1264)
        cmd: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
        - Loads dropped DLL
      4 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 916)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp113D.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      4 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1164)
        cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp579F.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        5 C:\Windows\SysWOW64\nslookup.exe (PID 3628)
          cmd: "C:\Windows\system32\nslookup.exe" -type=any localhost
      4 C:\Windows\SysWOW64\schtasks.exe (PID 1816)
        cmd: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      4 C:\Windows\SysWOW64\schtasks.exe (PID 1136)
        cmd: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

The chain in short: the dropper runs the dropped DLL through rundll32 (export "s"), which re-launches itself with a base64-looking export name (XRVITw==); that instance adds a Defender exclusion for the DLL, installs a root certificate, reads Outlook profile keys, starts a second RUNDLL32 instance (NSoKSA==) that injects into a 64-bit rundll32 and then crashes, loads a second DLL (58cfb4a6.dll), runs two PowerShell scripts from Temp with the execution policy bypassed, and restarts the Wininet CacheTask scheduled task.
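The process tree above contains four chains an endpoint detection rule can key on: powershell adding a Defender exclusion, rundll32 running a DLL from the user's Temp directory (with an export name that looks like padded base64), powershell running a .tmp.ps1 script with the execution policy bypassed, and schtasks driven by rundll32. The Python below is an added example, not the sandbox's signature logic: it encodes those four checks and runs them over process-creation records constructed from the report's own command lines and PIDs (field names loosely follow Sysmon Event ID 1; the rule names and thresholds are this example's own).

```python
"""Detection logic for the rundll32/powershell chain in this report, run over
constructed process-creation records. Added example, not the sandbox's own
signatures. Fields mimic Sysmon Event ID 1; command lines and PIDs are copied
from the report's process tree."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WOW_RUNDLL = r"C:\Windows\SysWOW64\RUNDLL32.EXE"
WOW_PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the report's process tree (image, parent image, command line).
EVENTS = [
    ProcEvent(3952, 1556, SAMPLE, r"C:\Windows\SysWOW64\rundll32.exe",
              rf"C:\Windows\system32\rundll32.exe {TEMP}\2962B0~1.DLL,s {TEMP}\2962B0~1.EXE"),
    ProcEvent(3624, 3952, r"C:\Windows\SysWOW64\rundll32.exe", WOW_RUNDLL,
              rf"C:\Windows\system32\RUNDLL32.EXE {TEMP}\2962B0~1.DLL,XRVITw=="),
    ProcEvent(1196, 3624, WOW_RUNDLL, WOW_PS,
              rf'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath {TEMP}\2962B0~1.DLL'),
    ProcEvent(1712, 3624, WOW_RUNDLL, WOW_RUNDLL,
              rf"C:\Windows\system32\RUNDLL32.EXE {TEMP}\2962B0~1.DLL,NSoKSA=="),
    ProcEvent(3320, 1712, WOW_RUNDLL, r"C:\Windows\system32\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659"),
    ProcEvent(1264, 3624, WOW_RUNDLL, WOW_RUNDLL,
              rf"C:\Windows\system32\RUNDLL32.EXE {TEMP}\58cfb4a6.dll,Start"),
    ProcEvent(916, 3624, WOW_RUNDLL, WOW_PS,
              rf'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "{TEMP}\tmp113D.tmp.ps1"'),
    ProcEvent(1164, 3624, WOW_RUNDLL, WOW_PS,
              rf'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "{TEMP}\tmp579F.tmp.ps1"'),
    ProcEvent(3628, 1164, WOW_PS, r"C:\Windows\SysWOW64\nslookup.exe",
              r'"C:\Windows\system32\nslookup.exe" -type=any localhost'),
    ProcEvent(1816, 3624, WOW_RUNDLL, r"C:\Windows\SysWOW64\schtasks.exe",
              r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"),
    ProcEvent(1136, 3624, WOW_RUNDLL, r"C:\Windows\SysWOW64\schtasks.exe",
              r"schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask"),
]

TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
PADDED_B64 = re.compile(r"^[A-Za-z0-9+/]+={1,2}$")        # XRVITw==, NSoKSA==
TMP_PS1 = re.compile(r"-file\s+\"?[^\"\s]*\.tmp\.ps1", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev):
    """Add-MpPreference -ExclusionPath: the payload exempts itself from Defender."""
    c = ev.cmdline.lower()
    if basename(ev.image) == "powershell.exe" and "add-mppreference" in c and "-exclusionpath" in c:
        return "defender_exclusion_added"


def rule_rundll32_temp_dll(ev):
    """rundll32 <dll>,<export> with the DLL under the user's Temp directory;
    escalate when the export name looks like padded base64 rather than a word."""
    if basename(ev.image) != "rundll32.exe":
        return None
    parts = ev.cmdline.split(None, 2)           # image, "<dll>,<export>", rest
    if len(parts) < 2 or "," not in parts[1]:
        return None
    dll, export = parts[1].rsplit(",", 1)
    if not TEMP_DIR.search(dll):
        return None
    return "rundll32_temp_dll_opaque_export" if PADDED_B64.match(export) else "rundll32_temp_dll"


def rule_ps_bypass_tmp_script(ev):
    """powershell -ExecutionPolicy Bypass -File <name>.tmp.ps1."""
    if basename(ev.image) == "powershell.exe" and "bypass" in ev.cmdline.lower() and TMP_PS1.search(ev.cmdline):
        return "powershell_bypass_temp_script"


def rule_schtasks_from_rundll32(ev):
    """schtasks launched by rundll32 (here /End and /Run on the Wininet CacheTask)."""
    if basename(ev.image) == "schtasks.exe" and basename(ev.parent_image) == "rundll32.exe":
        return "schtasks_spawned_by_rundll32"


RULES = (rule_defender_exclusion, rule_rundll32_temp_dll,
         rule_ps_bypass_tmp_script, rule_schtasks_from_rundll32)


def run_rules(events):
    """Return [(pid, rule_tag)] for every event that triggers a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            tag = rule(ev)
            if tag:
                hits.append((ev.pid, tag))
    return hits


if __name__ == "__main__":
    for pid, tag in run_rules(EVENTS):
        print(f"PID {pid}: {tag}")
```

PID 3320 (rundll32 running shell32.dll,#61) is deliberately not flagged: its command line is ordinary, and the injection into it is only visible from the SetThreadContext and cross-process write data, which process-creation events do not carry (Sysmon ProcessAccess, Event ID 10, is where that shows up). The rundll32-from-Temp rule will also fire on some legitimate installers, so in production it should be scored together with the parent-process and Defender-exclusion context rather than alerting on its own.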
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\PROGRA~3\zohplghndapsm.tmp (first capture)
  MD5: 885cacc747a33506a56a8b556650dd09
  SHA1: 8738f61aa35029d0a6e9258233a947935ad17cc8
  SHA256: 530c992e88ea9129f4fbc245579c552802c15586ddefdf190b6ee01bb85468cc
  SHA512: cc49dba28b9e2781b2a7ec4923fdab2e12faf338f90454810b998ecc358681ab8fd956b283a31e18cb15fd34a6c2c0eb9122729b2dfcf65d96a6f55547e4d1c0
- C:\PROGRA~3\zohplghndapsm.tmp (second capture; same path, different content, so the file was rewritten during the run)
  MD5: ed5cdaab480a72930cadc1323f84760e
  SHA1: 41eb86d9d38f9e2d3d2d61f09b5a9053b200d4a5
  SHA256: 9143322829079c09c94d47947a1b038d126e87afbbcd6a0223a152652a963382
  SHA512: 84957fafcdab477e77b1a8fd9bf3193c7bdd75256eefb45b842f6d1a92918a349ea4dc0f2e68d86a6fbf1c7564405814604b64105c1562e9d0fe40361e97e357
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: a71f142529408a71b4ab8ffd39061c59
  SHA1: 7fbd459754fe9d50c79f77657fd3ce6ad341de02
  SHA256: f0a3fc2f7377da91c4e6b3dfe31dae5eb8be8541f349a16741746a717964b7b5
  SHA512: 9727db18faf9f033ebffe610232b39310a7e420a6c0f4a9fec317be01842fe243f6ed26dde8a5f296645e4bf7fd54729e7bfcab8fb4b733518d3947d26cb3fa2
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: 7247129cd0644457905b7d6bf17fd078
  SHA1: dbf9139b5a1b72141f170d2eae911bbbe7e128c8
  SHA256: dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4
  SHA512: 9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (first capture)
  MD5: c308c3effbea4ccd7e8982f18c2969a4
  SHA1: db222a9d8cb9510fbfebff3b3d440499fb839782
  SHA256: 995b55e88d1df9d80481e4d3706df47c47a02d49ce11ca504750c2b773452ceb
  SHA512: 5c7bcf79ac6c20a7b6bb205957d182b5ce88d3c0bc561d81cebe739937541d22673a4bc50705a7401974ea1c92eb58adee0979088e3e84f7bc52e31a39fb611b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (second capture)
  MD5: 6638ce27e8cb2e9d4ed9e757752e2ab6
  SHA1: adac95d12491fa374f60b5d741deee475a418f0a
  SHA256: 381f7aa63a16801fe8af55613b1eb0713052ad5b6c3bee60ff9b5b647331f2be
  SHA512: 25c47e9a5eaf629c58284340dd302b1b4fa80d5bccff72d8ca593fb3d67a5e47c98fe06a6709e55d553200baa67a8825514504b4bdbeae76407b040daf34ced7
- C:\Users\Admin\AppData\Local\Temp\2962B0~1.DLL
  MD5: be8102b02b6b07e5a8dca07ea97484f5
  SHA1: c339c3688b7c0a30e4d540ad0016166874d59711
  SHA256: edd2fb6c3e8f2b769aebf879a1a94882bb0e40c857b516d37ea7c7ddd4aeff00
  SHA512: 9f90ec67a994219a61478defcebd4e3d8fe240f3bd269222ed3683bfaa1e1b7190e8b020fee4ef0454a56779b1d8e1dc98cdca1d8f5e6342e61dab87b0628938
- C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll
  MD5: 5951f0afa96cda14623b4cce74d58cca
  SHA1: ad4a21bd28a3065037b1ea40fab4d7c4d7549fde
  SHA256: 8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce
  SHA512: b098f302ad3446edafa5d9914f4697cbf7731b7c2ae31bc513de532115d7c672bec17e810d153eb0dbaae5b5782c1ac55351377231f7aa6502a3d9c223d55071
- C:\Users\Admin\AppData\Local\Temp\tmp113D.tmp.ps1
  MD5: e7adb37bb8ef23ec102e36b66dbb7440
  SHA1: 51bd2b96504ee9965e410fbe4ea68a7a6025e96b
  SHA256: adda66f469535e336ac22f4ffcfaa4d3126ea3605580537fc4c065b705f6c960
  SHA512: 2df48ab707dfbdb1bea66480ce329bbd2c1e750e53510eb5f35e9a0529c21f04e1ff1a46b53d5318f625abf81371ce7ed12fd24ef912bbcc2f5de95cfd2bdd5a
- C:\Users\Admin\AppData\Local\Temp\tmp113E.tmp
  MD5: c416c12d1b2b1da8c8655e393b544362
  SHA1: fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256: 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512: cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
- C:\Users\Admin\AppData\Local\Temp\tmp579F.tmp.ps1
  MD5: aacfc09af9d5d5ed93682c66653a8350
  SHA1: 7abfd1101aa439f7dda0460569220dcbc80b1ca6
  SHA256: b58dba1343bfcb964723c0f40952ff4f030f53abf66ff713abb8a00d18024359
  SHA512: 8dd5e7d8a525dcd7e8e2c700e54c17336a54783021f9bc947bf1f9dcbd05a2d97af4256de8f2f611f8fa7d073d3d5313a2638bd0ce32377e13ef00848f8ce901
- C:\Users\Admin\AppData\Local\Temp\tmp57A0.tmp
  MD5: 1860260b2697808b80802352fe324782
  SHA1: f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
  SHA256: 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
  SHA512: d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
- \Users\Admin\AppData\Local\Temp\2962B0~1.DLL (drive-less duplicate of the C:\Users\Admin\AppData\Local\Temp\2962B0~1.DLL entry above, identical hashes)
- \Users\Admin\AppData\Local\Temp\58cfb4a6.dll (drive-less duplicate of the C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll entry above, identical hashes)

The powershell.exe.log, ModuleAnalysisCache and StartupProfileData-NonInteractive entries are PowerShell's own side effects of being run and vary from host to host; the hashes worth hunting are those of the two DLLs, the two .ps1 scripts, their .tmp companions and zohplghndapsm.tmp.
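The Downloads list gives MD5, SHA1, SHA256 and SHA512 for every dropped file. The Python script below is an added example, not part of the report or of the sandbox: it carries the report's MD5 and SHA256 values for the files worth hunting and walks a directory you name, hashing each file once for all three common algorithms so a match on any of them is reported. The directory argument and the self_check() helper (which writes a constructed file into a temporary directory) are this example's own.

```python
"""Hunt a file tree for the dropped files listed in this report's Downloads
section, matching MD5, SHA1 or SHA256 with a single read per file.
Added example, not part of the sandbox report."""
import hashlib
import os
import sys
import tempfile

# IoC hashes copied from the report's Downloads list, mapped to what they identify.
REPORT_HASHES = {
    "be8102b02b6b07e5a8dca07ea97484f5": "2962B0~1.DLL (DLL run via rundll32)",
    "edd2fb6c3e8f2b769aebf879a1a94882bb0e40c857b516d37ea7c7ddd4aeff00": "2962B0~1.DLL (DLL run via rundll32)",
    "5951f0afa96cda14623b4cce74d58cca": "58cfb4a6.dll",
    "8b64b8bfd9e36cc40c273deccd4301a6c2ab44df03b976530c1bc517d7220bce": "58cfb4a6.dll",
    "885cacc747a33506a56a8b556650dd09": "zohplghndapsm.tmp (first content)",
    "ed5cdaab480a72930cadc1323f84760e": "zohplghndapsm.tmp (second content)",
    "e7adb37bb8ef23ec102e36b66dbb7440": "tmp113D.tmp.ps1",
    "aacfc09af9d5d5ed93682c66653a8350": "tmp579F.tmp.ps1",
}


def hash_file(path, chunk_size=1 << 20):
    """Feed one pass over the file into MD5, SHA1 and SHA256 together; lowercase hex."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in digests.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in digests.items()}


def hunt(root, iocs=REPORT_HASHES):
    """Walk root; return [(path, algorithm, label)] for every file whose hash is a
    known IoC. A file listed under several algorithms yields one tuple per match."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:          # locked, unreadable or vanished file: skip, keep walking
                continue
            for algo, value in digests.items():
                if value in iocs:
                    matches.append((path, algo, iocs[value]))
    return matches


def self_check():
    """Offline check with a constructed file (not a real dropped file): it must
    match only after its own SHA256 is added to a copy of the IoC table, and
    never against the report's real table."""
    root = tempfile.mkdtemp(prefix="ioc-hunt-")
    path = os.path.join(root, "constructed.bin")
    with open(path, "wb") as fh:
        fh.write(b"constructed sample content, not a real dropped file\n")
    iocs = dict(REPORT_HASHES)
    iocs[hash_file(path)["sha256"]] = "constructed test file"
    return {"path": path, "matches": hunt(root, iocs), "baseline": hunt(root)}


if __name__ == "__main__":
    # Assumed usage: python hunt.py <directory>; defaults to the current directory.
    for path, algo, label in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {algo} matches {label}")
```

Hash-based hunting only catches byte-identical copies; zohplghndapsm.tmp already has two different hashes within this single run, so pair this with the path, the root-certificate thumbprint and the C2 addresses from the rest of the report rather than relying on hashes alone.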
Memory dumps (memory/PID-sequence: address range, size; "mapping" entries are the injected/mapped image dumps)
- PID 916 (powershell.exe, tmp113D.tmp.ps1)
  memory/916-167: mapping
  memory/916-169: 0x00000000002D0000-0x00000000002D1000, 4KB
  memory/916-170: 0x00000000002D0000-0x00000000002D1000, 4KB
  memory/916-174: 0x0000000000DA0000-0x0000000000DA1000, 4KB
  memory/916-175: 0x0000000000DA2000-0x0000000000DA3000, 4KB
  memory/916-191: 0x0000000007BB0000-0x0000000007BB1000, 4KB
  memory/916-202: 0x00000000002D0000-0x00000000002D1000, 4KB
  memory/916-250: 0x0000000000DA3000-0x0000000000DA4000, 4KB
- PID 1136 (schtasks.exe /Run)
  memory/1136-454: mapping
- PID 1164 (powershell.exe, tmp579F.tmp.ps1)
  memory/1164-328: mapping
  memory/1164-354: 0x00000000068F0000-0x00000000068F1000, 4KB
  memory/1164-356: 0x00000000068F2000-0x00000000068F3000, 4KB
  memory/1164-451: 0x00000000068F3000-0x00000000068F4000, 4KB
- PID 1196 (powershell.exe, Add-MpPreference)
  memory/1196-130: mapping
  memory/1196-132: 0x00000000001C0000-0x00000000001C1000, 4KB
  memory/1196-133: 0x00000000001C0000-0x00000000001C1000, 4KB
  memory/1196-137: 0x0000000000D50000-0x0000000000D51000, 4KB
  memory/1196-138: 0x0000000006D60000-0x0000000006D61000, 4KB
  memory/1196-143: 0x0000000000D90000-0x0000000000D91000, 4KB
  memory/1196-145: 0x0000000000D92000-0x0000000000D93000, 4KB
  memory/1196-158: 0x0000000006AD0000-0x0000000006AD1000, 4KB
  memory/1196-160: 0x0000000006B70000-0x0000000006B71000, 4KB
  memory/1196-163: 0x0000000007390000-0x0000000007391000, 4KB
  memory/1196-164: 0x00000000074B0000-0x00000000074B1000, 4KB
  memory/1196-165: 0x0000000006CF0000-0x0000000006CF1000, 4KB
  memory/1196-166: 0x0000000007900000-0x0000000007901000, 4KB
  memory/1196-168: 0x0000000007BE0000-0x0000000007BE1000, 4KB
  memory/1196-179: 0x00000000001C0000-0x00000000001C1000, 4KB
  memory/1196-190: 0x0000000008BA0000-0x0000000008BD3000, 204KB
  memory/1196-198: 0x0000000008810000-0x0000000008811000, 4KB
  memory/1196-199: 0x000000007ED60000-0x000000007ED61000, 4KB
  memory/1196-206: 0x0000000008CD0000-0x0000000008CD1000, 4KB
  memory/1196-218: 0x0000000000D93000-0x0000000000D94000, 4KB
- PID 1264 (RUNDLL32.EXE, 58cfb4a6.dll,Start)
  memory/1264-155: mapping
- PID 1556 (2962b043447caa6a0ecfcb1befe91b22a96da25b518f603449c55b419ec71e7d.exe)
  memory/1556-115: 0x0000000004F00000-0x0000000004FF1000, 964KB
  memory/1556-116: 0x0000000005000000-0x0000000005108000, 1.0MB
  memory/1556-117: 0x0000000000400000-0x0000000002FE8000, 43.9MB
- PID 1696 (ctfmon.exe)
  memory/1696-159: mapping
- PID 1712 (RUNDLL32.EXE, 2962B0~1.DLL,NSoKSA==)
  memory/1712-131: mapping
  memory/1712-136: 0x0000000004C51000-0x0000000005C35000, 15.9MB
  memory/1712-139: 0x0000000000570000-0x0000000000571000, 4KB
  memory/1712-140: 0x0000000003010000-0x0000000003011000, 4KB
  memory/1712-141: 0x0000000005C40000-0x0000000005D80000, 1.2MB
  memory/1712-142: 0x0000000005C40000-0x0000000005D80000, 1.2MB
  memory/1712-146: 0x0000000005C40000-0x0000000005D80000, 1.2MB
  memory/1712-147: 0x0000000005C40000-0x0000000005D80000, 1.2MB
  memory/1712-148: 0x0000000005E50000-0x0000000005E51000, 4KB
  memory/1712-149: 0x0000000005C40000-0x0000000005D80000, 1.2MB
  memory/1712-150: 0x0000000005C40000-0x0000000005D80000, 1.2MB
- PID 1816 (schtasks.exe /End)
  memory/1816-453: mapping
- PID 3320 (rundll32.exe, shell32.dll,#61; 64-bit)
  memory/3320-151: 0x00007FF6A5C25FD0, mapping
  memory/3320-153: 0x0000029286420000-0x0000029286422000, 8KB
  memory/3320-154: 0x0000029286420000-0x0000029286422000, 8KB
  memory/3320-161: 0x00000000001A0000-0x0000000000340000, 1.6MB
  memory/3320-162: 0x0000029286470000-0x0000029286622000, 1.7MB
- PID 3624 (RUNDLL32.EXE, 2962B0~1.DLL,XRVITw==)
  memory/3624-125: mapping
  memory/3624-128: 0x0000000004AC1000-0x0000000005AA5000, 15.9MB
  memory/3624-129: 0x0000000000570000-0x0000000000571000, 4KB
- PID 3628 (nslookup.exe)
  memory/3628-438: mapping
- PID 3952 (rundll32.exe, 2962B0~1.DLL,s)
  memory/3952-118: mapping
  memory/3952-122: 0x00000000029E0000-0x0000000002B45000, 1.4MB
  memory/3952-123: 0x00000000048F1000-0x00000000058D5000, 15.9MB
  memory/3952-124: 0x0000000002B90000-0x0000000002B91000, 4KB

The same 15.9MB region appears in each RUNDLL32 instance that loaded 2962B0~1.DLL (PIDs 3952, 3624 and 1712), which makes it the first dump to carve when looking for the unpacked DanaBot module. The 1.6MB and 1.7MB regions in PID 3320 are the memory written into the 64-bit rundll32 by PID 1712 (see the SetThreadContext and WriteProcessMemory signatures).