Analysis Overview
SHA256
69d3cf6c83d6b21abbe13ea46f6fa0462c564712ddad17b9151ac36db85486fe
Threat Level: Known bad
The file svchost.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-19 09:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-19 09:16
Reported
2023-09-19 09:19
Platform
win7-20230831-en
Max time kernel
131s
Max time network
143s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2304 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | proxy-cheap.blogspot.com | udp |
| NL | 142.251.36.33:443 | proxy-cheap.blogspot.com | tcp |
| US | 8.8.8.8:53 | amazonhost.thedreamsop.com | udp |
| US | 107.180.2.24:80 | amazonhost.thedreamsop.com | tcp |
| US | 8.8.8.8:53 | ucpanel.hackcrack.io | udp |
| US | 209.25.141.181:3914 | ucpanel.hackcrack.io | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
| MD5 | 6d78acbcbb8d77547e8956bdd6b19e0e |
| SHA1 | ff5baeccc5b4fe4ebbbe6b156ff20ba1e794627c |
| SHA256 | bff2704e9379a61eae54b65d1f815dacf0ceae99f140a1eafcc94b020abbf9a3 |
| SHA512 | 0903e02f7d0b964d66bfecde0763a7d604b256c84d7fed04e675366953a6f81b5b8fd9ac47538baf6e5df90a2f3f178d7ff1cfab41c22cc896b42f3bbf607118 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-19 09:16
Reported
2023-09-19 09:19
Platform
win10v2004-20230915-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\iduc3abw.inf
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | proxy-cheap.blogspot.com | udp |
| NL | 142.251.36.33:443 | proxy-cheap.blogspot.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.3.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amazonhost.thedreamsop.com | udp |
| US | 107.180.2.24:80 | amazonhost.thedreamsop.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.2.180.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ucpanel.hackcrack.io | udp |
| US | 209.25.141.181:3914 | ucpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 209.25.141.181:3914 | ucpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 209.25.141.181:3914 | ucpanel.hackcrack.io | tcp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
| MD5 | 6d78acbcbb8d77547e8956bdd6b19e0e |
| SHA1 | ff5baeccc5b4fe4ebbbe6b156ff20ba1e794627c |
| SHA256 | bff2704e9379a61eae54b65d1f815dacf0ceae99f140a1eafcc94b020abbf9a3 |
| SHA512 | 0903e02f7d0b964d66bfecde0763a7d604b256c84d7fed04e675366953a6f81b5b8fd9ac47538baf6e5df90a2f3f178d7ff1cfab41c22cc896b42f3bbf607118 |
C:\Users\Admin\AppData\Local\Temp\iduc3abw.inf
| MD5 | 6f1420f2133f3e08fd8cdea0e1f5fe27 |
| SHA1 | 3aa41ec75adc0cf50e001ca91bbfa7f763adf70b |
| SHA256 | aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242 |
| SHA512 | d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
| MD5 | a2e907bf8f4c9c90c5b270cd78d86556 |
| SHA1 | 97751aedfaae7c181482f227c3ec558f8f63503d |
| SHA256 | 5ebb3f9a174483bbd163a5bae6a49adb9f21db1ca3a7126898dfd904d27ea7e1 |
| SHA512 | 4718342f0c1a182d6c435129bca18413798384f8ba0d9a79d6453e4e1b2a3316b7f844b4b786862a20dd2d33816b162924e11b5dfdfe2df28be474d1b91b9786 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbgw4zcx.etv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f0ddc7f3691c81ee14d17b419ba220d |
| SHA1 | f0ef5fde8bab9d17c0b47137e014c91be888ee53 |
| SHA256 | a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5 |
| SHA512 | 2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |