Analysis Overview
SHA256
0feeb8481e07c0d5c1973f7a1644b788d56c9616c82ae0ce73505893664804a1
Threat Level: Known bad
The file Setup.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Executes dropped EXE
Drops desktop.ini file(s)
Adds Run key to start application
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-06 18:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-06 18:00
Reported
2023-08-06 18:43
Platform
win7-20230712-en
Max time kernel
136s
Max time network
148s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amazonhost.thedreamsop.com | udp |
| US | 107.180.2.24:80 | amazonhost.thedreamsop.com | tcp |
| US | 107.180.2.24:80 | amazonhost.thedreamsop.com | tcp |
| US | 8.8.8.8:53 | 24-06-2022-8080.blogspot.com | udp |
| NL | 142.251.36.33:443 | 24-06-2022-8080.blogspot.com | tcp |
| US | 8.8.8.8:53 | vcpanel.hackcrack.io | udp |
| US | 209.25.141.181:55178 | vcpanel.hackcrack.io | tcp |
| US | 209.25.141.181:55178 | vcpanel.hackcrack.io | tcp |
| US | 209.25.141.181:55178 | vcpanel.hackcrack.io | tcp |
| US | 209.25.141.181:55178 | vcpanel.hackcrack.io | tcp |
| US | 209.25.141.181:55178 | vcpanel.hackcrack.io | tcp |
Files
memory/2224-54-0x0000000000B90000-0x0000000000C08000-memory.dmp
memory/2224-55-0x0000000000260000-0x000000000028C000-memory.dmp
memory/2224-56-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp
memory/2224-57-0x0000000000590000-0x0000000000610000-memory.dmp
memory/2224-58-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
| MD5 | 301e8d9a2445dd999ce816c17d8dbbb3 |
| SHA1 | b91163babeb738bd4d0f577ac764cee17fffe564 |
| SHA256 | 2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb |
| SHA512 | 4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
| MD5 | 301e8d9a2445dd999ce816c17d8dbbb3 |
| SHA1 | b91163babeb738bd4d0f577ac764cee17fffe564 |
| SHA256 | 2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb |
| SHA512 | 4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
| MD5 | 301e8d9a2445dd999ce816c17d8dbbb3 |
| SHA1 | b91163babeb738bd4d0f577ac764cee17fffe564 |
| SHA256 | 2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb |
| SHA512 | 4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3 |
memory/2352-70-0x0000000000D20000-0x0000000000D7A000-memory.dmp
memory/2352-73-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp
memory/2352-74-0x0000000000B00000-0x0000000000B80000-memory.dmp
memory/2352-72-0x0000000000480000-0x0000000000488000-memory.dmp
memory/2352-75-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp
memory/2224-71-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp
memory/2352-82-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp
memory/2352-83-0x0000000000B00000-0x0000000000B80000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
| MD5 | 247976d7e405bfd0f716a3d5f2cd499b |
| SHA1 | dbcf03a94b3cced51ebe42af6f860e8d898f2459 |
| SHA256 | c37430f6f2249e0faff20595f0677955cd2c1f727f94bff53f21ecc894e340f6 |
| SHA512 | 664b189c6b99b8927bb6fdb52c2c3f0031e88edc1dac80c8f6da5682ac30f17f295bed739df56e4bb754dca773c9eeb4e4b56fc3c36ccda0ab182ad54dd7edad |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
| MD5 | 247976d7e405bfd0f716a3d5f2cd499b |
| SHA1 | dbcf03a94b3cced51ebe42af6f860e8d898f2459 |
| SHA256 | c37430f6f2249e0faff20595f0677955cd2c1f727f94bff53f21ecc894e340f6 |
| SHA512 | 664b189c6b99b8927bb6fdb52c2c3f0031e88edc1dac80c8f6da5682ac30f17f295bed739df56e4bb754dca773c9eeb4e4b56fc3c36ccda0ab182ad54dd7edad |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
| MD5 | 247976d7e405bfd0f716a3d5f2cd499b |
| SHA1 | dbcf03a94b3cced51ebe42af6f860e8d898f2459 |
| SHA256 | c37430f6f2249e0faff20595f0677955cd2c1f727f94bff53f21ecc894e340f6 |
| SHA512 | 664b189c6b99b8927bb6fdb52c2c3f0031e88edc1dac80c8f6da5682ac30f17f295bed739df56e4bb754dca773c9eeb4e4b56fc3c36ccda0ab182ad54dd7edad |
memory/2352-90-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp
memory/2876-91-0x00000000012B0000-0x00000000012D6000-memory.dmp
memory/2876-92-0x000007FEF27D0000-0x000007FEF31BC000-memory.dmp
memory/2876-93-0x000000001B140000-0x000000001B1C0000-memory.dmp
memory/2876-94-0x0000000000140000-0x000000000014E000-memory.dmp
memory/2876-95-0x0000000000160000-0x000000000016C000-memory.dmp
memory/2876-98-0x000007FEF27D0000-0x000007FEF31BC000-memory.dmp
memory/2876-99-0x000000001B140000-0x000000001B1C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-06 18:00
Reported
2023-08-06 18:43
Platform
win10v2004-20230703-en
Max time kernel
144s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\irdq4iho.inf
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.136.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amazonhost.thedreamsop.com | udp |
| US | 107.180.2.24:80 | amazonhost.thedreamsop.com | tcp |
| US | 107.180.2.24:80 | amazonhost.thedreamsop.com | tcp |
| US | 8.8.8.8:53 | 24.2.180.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24-06-2022-8080.blogspot.com | udp |
| NL | 142.251.36.33:443 | 24-06-2022-8080.blogspot.com | tcp |
| US | 8.8.8.8:53 | 33.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vcpanel.hackcrack.io | udp |
| US | 209.25.141.181:55178 | vcpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 209.25.141.181:55178 | vcpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | 254.210.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp |
| US | 209.25.141.181:55178 | vcpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp |
| US | 209.25.141.181:55178 | vcpanel.hackcrack.io | tcp |
| US | 209.25.141.181:55178 | vcpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
Files
memory/3476-133-0x0000000000460000-0x00000000004D8000-memory.dmp
memory/3476-134-0x00007FFFD3700000-0x00007FFFD40A1000-memory.dmp
memory/3476-135-0x00007FFFD3700000-0x00007FFFD40A1000-memory.dmp
memory/3476-136-0x0000000000D80000-0x0000000000D90000-memory.dmp
memory/3476-137-0x0000000000E10000-0x0000000000E3C000-memory.dmp
memory/3476-140-0x000000001B9F0000-0x000000001BA96000-memory.dmp
memory/3476-141-0x000000001C210000-0x000000001C6DE000-memory.dmp
memory/3476-142-0x000000001BFB0000-0x000000001C04C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
| MD5 | 301e8d9a2445dd999ce816c17d8dbbb3 |
| SHA1 | b91163babeb738bd4d0f577ac764cee17fffe564 |
| SHA256 | 2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb |
| SHA512 | 4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
| MD5 | 301e8d9a2445dd999ce816c17d8dbbb3 |
| SHA1 | b91163babeb738bd4d0f577ac764cee17fffe564 |
| SHA256 | 2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb |
| SHA512 | 4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
| MD5 | 301e8d9a2445dd999ce816c17d8dbbb3 |
| SHA1 | b91163babeb738bd4d0f577ac764cee17fffe564 |
| SHA256 | 2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb |
| SHA512 | 4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3 |
memory/4224-161-0x0000000000A80000-0x0000000000ADA000-memory.dmp
memory/4224-162-0x00007FFFD3700000-0x00007FFFD40A1000-memory.dmp
memory/4224-164-0x0000000001370000-0x0000000001378000-memory.dmp
memory/3476-163-0x00007FFFD3700000-0x00007FFFD40A1000-memory.dmp
memory/4224-165-0x00007FFFD3700000-0x00007FFFD40A1000-memory.dmp
memory/4224-172-0x00007FFFD3700000-0x00007FFFD40A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
| MD5 | 247976d7e405bfd0f716a3d5f2cd499b |
| SHA1 | dbcf03a94b3cced51ebe42af6f860e8d898f2459 |
| SHA256 | c37430f6f2249e0faff20595f0677955cd2c1f727f94bff53f21ecc894e340f6 |
| SHA512 | 664b189c6b99b8927bb6fdb52c2c3f0031e88edc1dac80c8f6da5682ac30f17f295bed739df56e4bb754dca773c9eeb4e4b56fc3c36ccda0ab182ad54dd7edad |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
| MD5 | 247976d7e405bfd0f716a3d5f2cd499b |
| SHA1 | dbcf03a94b3cced51ebe42af6f860e8d898f2459 |
| SHA256 | c37430f6f2249e0faff20595f0677955cd2c1f727f94bff53f21ecc894e340f6 |
| SHA512 | 664b189c6b99b8927bb6fdb52c2c3f0031e88edc1dac80c8f6da5682ac30f17f295bed739df56e4bb754dca773c9eeb4e4b56fc3c36ccda0ab182ad54dd7edad |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
| MD5 | 247976d7e405bfd0f716a3d5f2cd499b |
| SHA1 | dbcf03a94b3cced51ebe42af6f860e8d898f2459 |
| SHA256 | c37430f6f2249e0faff20595f0677955cd2c1f727f94bff53f21ecc894e340f6 |
| SHA512 | 664b189c6b99b8927bb6fdb52c2c3f0031e88edc1dac80c8f6da5682ac30f17f295bed739df56e4bb754dca773c9eeb4e4b56fc3c36ccda0ab182ad54dd7edad |
memory/3880-188-0x00000000007A0000-0x00000000007C6000-memory.dmp
memory/4224-189-0x00007FFFD3700000-0x00007FFFD40A1000-memory.dmp
memory/3880-190-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/3880-191-0x000000001B410000-0x000000001B420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\irdq4iho.inf
| MD5 | 6f1420f2133f3e08fd8cdea0e1f5fe27 |
| SHA1 | 3aa41ec75adc0cf50e001ca91bbfa7f763adf70b |
| SHA256 | aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242 |
| SHA512 | d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa |
memory/3880-195-0x000000001B410000-0x000000001B420000-memory.dmp
memory/3880-197-0x000000001B410000-0x000000001B420000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
| MD5 | 8ca62e1f3f7edca67a5273d76fb500c0 |
| SHA1 | f2a3e8ff64bca7a4fb8d59e9b5057e2b881d80f3 |
| SHA256 | 86c884bbd715562ca5f97743e2f9efa0041eef10c6856e21ee7b6c5c87c9f738 |
| SHA512 | 936d2968a8e8106f734cb6f2a39c15bafa9cae177a3e52a59ef5832b541f7381da722316d77a4cbe2e07124d14986a29d1babb847c87c861d8b355fa8979e4f6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
| MD5 | 8ca62e1f3f7edca67a5273d76fb500c0 |
| SHA1 | f2a3e8ff64bca7a4fb8d59e9b5057e2b881d80f3 |
| SHA256 | 86c884bbd715562ca5f97743e2f9efa0041eef10c6856e21ee7b6c5c87c9f738 |
| SHA512 | 936d2968a8e8106f734cb6f2a39c15bafa9cae177a3e52a59ef5832b541f7381da722316d77a4cbe2e07124d14986a29d1babb847c87c861d8b355fa8979e4f6 |
memory/4460-201-0x0000000000460000-0x0000000000468000-memory.dmp
memory/4460-202-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/4460-204-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/1120-211-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/1120-210-0x000001ED22FB0000-0x000001ED22FD2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qu0eb5wb.ymp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1120-216-0x000001ED211F0000-0x000001ED21200000-memory.dmp
memory/3308-218-0x00000251C1F40000-0x00000251C1F50000-memory.dmp
memory/1120-217-0x000001ED211F0000-0x000001ED21200000-memory.dmp
memory/3308-219-0x00000251C1F40000-0x00000251C1F50000-memory.dmp
memory/3308-221-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/1120-222-0x000001ED211F0000-0x000001ED21200000-memory.dmp
memory/4336-232-0x000001A91BC60000-0x000001A91BC70000-memory.dmp
memory/4336-233-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/4336-234-0x000001A91BC60000-0x000001A91BC70000-memory.dmp
memory/2352-235-0x0000022223820000-0x0000022223830000-memory.dmp
memory/1120-236-0x000001ED211F0000-0x000001ED21200000-memory.dmp
memory/3048-246-0x000001AEEBCF0000-0x000001AEEBD00000-memory.dmp
memory/3880-265-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/2352-266-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/3048-267-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/4336-269-0x000001A91BC60000-0x000001A91BC70000-memory.dmp
memory/2352-270-0x0000022223820000-0x0000022223830000-memory.dmp
memory/3048-268-0x000001AEEBCF0000-0x000001AEEBD00000-memory.dmp
memory/3880-271-0x000000001B410000-0x000000001B420000-memory.dmp
memory/3880-272-0x000000001B410000-0x000000001B420000-memory.dmp
memory/3308-273-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/4336-280-0x000001A91BEE0000-0x000001A91C02E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
memory/1120-284-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/3308-283-0x00000251C2080000-0x00000251C21CE000-memory.dmp
memory/4336-285-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/3308-286-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/2352-289-0x000002223D860000-0x000002223D9AE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
memory/2352-292-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
memory/3048-293-0x000001AEEBE00000-0x000001AEEBF4E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
memory/3048-294-0x00007FFFD1100000-0x00007FFFD1BC1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
memory/1120-276-0x000001ED3B260000-0x000001ED3B3AE000-memory.dmp