Analysis
- max time kernel: 142s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 05:50
- Static task: static1

General
- Target: 13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe
- Size: 1.1MB
- MD5: 0b6d77009850a6c6b1b3e37fa256b6c1
- SHA1: 31e9bae613d94bcc8cdbd791b0fa054a22eea9fd
- SHA256: 13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52
- SHA512: 9be0621a748e1b7674455ce974072e2983b33bdb9918ded3fcbbaca99209de9e77f9a450bf1096e211858e9ff24075df8e68d012d46d696ff906ed48079e80ea
Malware Config
Extracted
- Family: danabot
- C2:
  192.119.110.73:443
  192.236.147.159:443
  192.210.222.88:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: loader
Extracted
- Family: danabot
- 2052
- 4
- C2:
  192.119.110.73:443
  192.236.147.159:443
  192.210.222.88:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: main
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description            pid   process       target process
PID 2092 created 2636  2092  WerFault.exe  RUNDLL32.EXE
-
Blocklisted process makes network request 6 IoCs
Processes:
flow  pid   process
24    4056  rundll32.exe
25    2812  RUNDLL32.EXE
28    2812  RUNDLL32.EXE
29    2812  RUNDLL32.EXE
30    2812  RUNDLL32.EXE
31    2812  RUNDLL32.EXE
-
Loads dropped DLL 6 IoCs
Processes:
pid   process
4056  rundll32.exe
2812  RUNDLL32.EXE
2812  RUNDLL32.EXE
2636  RUNDLL32.EXE
2636  RUNDLL32.EXE
1332  RUNDLL32.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  RUNDLL32.EXE
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  RUNDLL32.EXE
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RUNDLL32.EXE
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RUNDLL32.EXE
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RUNDLL32.EXE
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process       target process
PID 2636 set thread context of 2316  2636  RUNDLL32.EXE  rundll32.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
description   ioc                            process
File created  C:\PROGRA~3\zohplghndapsm.tmp  rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid   pid_target  process       target process
2092  2636        WerFault.exe  RUNDLL32.EXE
-
Checks processor information in registry 2 TTPs 37 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description           ioc  process
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision  RUNDLL32.EXE
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  RUNDLL32.EXE
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  RUNDLL32.EXE
Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor  RUNDLL32.EXE
Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor  RUNDLL32.EXE
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1  RUNDLL32.EXE
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  RUNDLL32.EXE
Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information  RUNDLL32.EXE
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet  RUNDLL32.EXE
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  RUNDLL32.EXE
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  RUNDLL32.EXE
Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision  RUNDLL32.EXE
Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor  RUNDLL32.EXE
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\TypedURLs  rundll32.exe
-
Modifies system certificate store 2 IoCs
Processes:
description       ioc  process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EEB0313CDE39C2B1FBA89E6EC3DDA8B2E26738AE  RUNDLL32.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\EEB0313CDE39C2B1FBA89E6EC3DDA8B2E26738AE\Blob = 030000000100000014000000eeb0313cde39c2b1fba89e6ec3dda8b2e26738ae20000000010000006e0200003082026a308201d3a00302010202081acf515c28bf95cf300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74696d6f7270204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3139313032323035353133355a170d3233313032313035353133355a305a3122302006035504030c1942616c74696d6f7270204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100a4766f7b8b997d11b958c45497f870ed18ade1bcbf97a5aa2e8701ea826359281e4d1cd5a7048cd207ee829edad0d24c8abdf7c68f9d8d1fea2a6157c0fc8a37325ff8896d63725e7d8aebe3eacf25e5bcd5c2b1a78d55e58603bcab59a7d9c9c60854ed7a1d3952f6535c8a12d32b9898434f576985dfa9208d5c6f97892b710203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74696d6f7270204379626572547275737420526f6f74300d06092a864886f70d01010b050003818100025f8bfa03e1256af476974205d0d31bd88e51d5ddd591aa3493d151edb444524a3fe8d35b9c95b3a2ea439137501a0aa27b4584a775e828b510901dbdeb17a0fac146a7b2c2f7df880f19bf9cc73d9ed9b0a68508ecf12dd971f495195b1510b102463ccaa30308b80cb3963bbcc8a67d754db0290bdeb95339f49e6a49a3ff  RUNDLL32.EXE
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
pid   process
2812  RUNDLL32.EXE
2812  RUNDLL32.EXE
2812  RUNDLL32.EXE
2812  RUNDLL32.EXE
2812  RUNDLL32.EXE
2812  RUNDLL32.EXE
2636  RUNDLL32.EXE
2636  RUNDLL32.EXE
388   powershell.exe
388   powershell.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
2092  WerFault.exe
3724  powershell.exe
388   powershell.exe
3724  powershell.exe
3724  powershell.exe
2812  RUNDLL32.EXE
2812  RUNDLL32.EXE
1092  powershell.exe
1092  powershell.exe
1092  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description                pid   process
Token: SeDebugPrivilege    388   powershell.exe
Token: SeDebugPrivilege    2812  RUNDLL32.EXE
Token: SeRestorePrivilege  2092  WerFault.exe
Token: SeBackupPrivilege   2092  WerFault.exe
Token: SeDebugPrivilege    2092  WerFault.exe
Token: SeDebugPrivilege    3724  powershell.exe
Token: SeDebugPrivilege    1092  powershell.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
2316  rundll32.exe
2812  RUNDLL32.EXE
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
description                      pid   process                                                                  target process
PID 1524 wrote to memory of 4056  1524  13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe  rundll32.exe
PID 1524 wrote to memory of 4056  1524  13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe  rundll32.exe
PID 1524 wrote to memory of 4056  1524  13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe  rundll32.exe
PID 4056 wrote to memory of 2812  4056  rundll32.exe    RUNDLL32.EXE
PID 4056 wrote to memory of 2812  4056  rundll32.exe    RUNDLL32.EXE
PID 4056 wrote to memory of 2812  4056  rundll32.exe    RUNDLL32.EXE
PID 2812 wrote to memory of 388   2812  RUNDLL32.EXE    powershell.exe
PID 2812 wrote to memory of 388   2812  RUNDLL32.EXE    powershell.exe
PID 2812 wrote to memory of 388   2812  RUNDLL32.EXE    powershell.exe
PID 2812 wrote to memory of 2636  2812  RUNDLL32.EXE    RUNDLL32.EXE
PID 2812 wrote to memory of 2636  2812  RUNDLL32.EXE    RUNDLL32.EXE
PID 2812 wrote to memory of 2636  2812  RUNDLL32.EXE    RUNDLL32.EXE
PID 2636 wrote to memory of 2316  2636  RUNDLL32.EXE    rundll32.exe
PID 2636 wrote to memory of 2316  2636  RUNDLL32.EXE    rundll32.exe
PID 2636 wrote to memory of 2316  2636  RUNDLL32.EXE    rundll32.exe
PID 2812 wrote to memory of 1332  2812  RUNDLL32.EXE    RUNDLL32.EXE
PID 2812 wrote to memory of 1332  2812  RUNDLL32.EXE    RUNDLL32.EXE
PID 2812 wrote to memory of 1332  2812  RUNDLL32.EXE    RUNDLL32.EXE
PID 2316 wrote to memory of 3408  2316  rundll32.exe    ctfmon.exe
PID 2316 wrote to memory of 3408  2316  rundll32.exe    ctfmon.exe
PID 2812 wrote to memory of 3724  2812  RUNDLL32.EXE    powershell.exe
PID 2812 wrote to memory of 3724  2812  RUNDLL32.EXE    powershell.exe
PID 2812 wrote to memory of 3724  2812  RUNDLL32.EXE    powershell.exe
PID 2812 wrote to memory of 1092  2812  RUNDLL32.EXE    powershell.exe
PID 2812 wrote to memory of 1092  2812  RUNDLL32.EXE    powershell.exe
PID 2812 wrote to memory of 1092  2812  RUNDLL32.EXE    powershell.exe
PID 1092 wrote to memory of 916   1092  powershell.exe  nslookup.exe
PID 1092 wrote to memory of 916   1092  powershell.exe  nslookup.exe
PID 1092 wrote to memory of 916   1092  powershell.exe  nslookup.exe
PID 2812 wrote to memory of 2240  2812  RUNDLL32.EXE    schtasks.exe
PID 2812 wrote to memory of 2240  2812  RUNDLL32.EXE    schtasks.exe
PID 2812 wrote to memory of 2240  2812  RUNDLL32.EXE    schtasks.exe
PID 2812 wrote to memory of 3920  2812  RUNDLL32.EXE    schtasks.exe
PID 2812 wrote to memory of 3920  2812  RUNDLL32.EXE    schtasks.exe
PID 2812 wrote to memory of 3920  2812  RUNDLL32.EXE    schtasks.exe
-
outlook_office_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RUNDLL32.EXE
-
outlook_win_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RUNDLL32.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13af9fa492ecf044422edad8b94dde94131e723d8b9a6e1aba79044d3eaecf52.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL,s C:\Users\Admin\AppData\Local\Temp\13AF9F~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL,hVUwRmpx
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\RUNDLL32.EXE
        Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\13AF9F~1.DLL,eCRTWlprVXM=
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\rundll32.exe
          Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17659
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\ctfmon.exe
            Command line: ctfmon.exe
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 784
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\RUNDLL32.EXE
        Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\58cfb4a6.dll,Start
        - Loads dropped DLL
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp113D.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5DB9.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\nslookup.exe
          Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
      C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Downloads