Malware Analysis Report

2024-11-13 13:55

Sample ID 231203-c62erahc3x
Target a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5
SHA256 a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5
Tags
ducktail persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5

Threat Level: Known bad

The file a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5 was found to be: Known bad.

Malicious Activity Summary

ducktail persistence spyware stealer

Ducktail family

Detect Ducktail Third Stage Payload

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-03 02:42

Signatures

Detect Ducktail Third Stage Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ducktail family

ducktail

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-03 02:42

Reported

2023-12-03 02:45

Platform

win7-20231130-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3024 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1320 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3024 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3024 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3024 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 3024 wrote to memory of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe

"C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ipinfo.io | udp
US | 8.8.8.8:53 | api.telegram.org | udp

Files

memory/3024-0-0x00000000067C0000-0x0000000007149000-memory.dmp

memory/3024-3-0x00000000067C0000-0x0000000007149000-memory.dmp

memory/3024-5-0x0000000000BB0000-0x00000000013FF000-memory.dmp

memory/3024-4-0x0000000006210000-0x00000000062B7000-memory.dmp

memory/3024-9-0x0000000000630000-0x000000000064D000-memory.dmp

memory/3024-12-0x0000000000630000-0x000000000064D000-memory.dmp

memory/3024-8-0x0000000006210000-0x00000000062B7000-memory.dmp

memory/3024-13-0x0000000000B50000-0x0000000000B78000-memory.dmp

memory/3024-16-0x0000000000B50000-0x0000000000B78000-memory.dmp

memory/3024-17-0x0000000008F70000-0x00000000090FE000-memory.dmp

memory/3024-21-0x00000000028B0000-0x00000000028E0000-memory.dmp

memory/3024-20-0x0000000008F70000-0x00000000090FE000-memory.dmp

memory/3024-25-0x0000000009460000-0x00000000097B6000-memory.dmp

memory/3024-24-0x00000000028B0000-0x00000000028E0000-memory.dmp

memory/3024-28-0x0000000009460000-0x00000000097B6000-memory.dmp

memory/3024-29-0x0000000006640000-0x00000000066E5000-memory.dmp

memory/3024-33-0x0000000002900000-0x0000000002915000-memory.dmp

memory/3024-37-0x0000000005E30000-0x0000000005E84000-memory.dmp

memory/3024-41-0x00000000066F0000-0x0000000006786000-memory.dmp

memory/3024-45-0x0000000009100000-0x000000000917A000-memory.dmp

memory/3024-49-0x0000000005C70000-0x0000000005CAC000-memory.dmp

memory/3024-52-0x0000000005C70000-0x0000000005CAC000-memory.dmp

memory/3024-48-0x0000000009100000-0x000000000917A000-memory.dmp

memory/3024-44-0x00000000066F0000-0x0000000006786000-memory.dmp

memory/3024-40-0x0000000005E30000-0x0000000005E84000-memory.dmp

memory/3024-36-0x0000000002900000-0x0000000002915000-memory.dmp

memory/3024-32-0x0000000006640000-0x00000000066E5000-memory.dmp

memory/3024-60-0x0000000006590000-0x0000000006596000-memory.dmp

memory/3024-57-0x0000000006590000-0x0000000006596000-memory.dmp

memory/3024-56-0x0000000002A90000-0x0000000002AA2000-memory.dmp

memory/3024-53-0x0000000002A90000-0x0000000002AA2000-memory.dmp

memory/3024-64-0x0000000002A80000-0x0000000002A8C000-memory.dmp

memory/3024-61-0x0000000002A80000-0x0000000002A8C000-memory.dmp

memory/1320-120-0x0000000073050000-0x00000000735FB000-memory.dmp

memory/1320-122-0x0000000001EA0000-0x0000000001EE0000-memory.dmp

memory/1320-123-0x0000000001EA0000-0x0000000001EE0000-memory.dmp

memory/1320-121-0x0000000073050000-0x00000000735FB000-memory.dmp

memory/1320-124-0x0000000073050000-0x00000000735FB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 01a27b20a6355334844b25f2cda189c6
SHA1 74b90298a46435d03da6581f803d49a3bda49c5b
SHA256 7f3a0e248cd4941eafff223787c30b88984dd40d9a438af1a94eca6d0534a896
SHA512 9feacddb0c97d628d1aaeb01281cba40eb95b35bc65f88330ed02d78aabf2b62b6fbca5051a2404129c7aaec3336b49c5cba431f762ba5b66963560035ab5752

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S0X9871ZA39WJC2DDGO4.temp

MD5 01a27b20a6355334844b25f2cda189c6
SHA1 74b90298a46435d03da6581f803d49a3bda49c5b
SHA256 7f3a0e248cd4941eafff223787c30b88984dd40d9a438af1a94eca6d0534a896
SHA512 9feacddb0c97d628d1aaeb01281cba40eb95b35bc65f88330ed02d78aabf2b62b6fbca5051a2404129c7aaec3336b49c5cba431f762ba5b66963560035ab5752

memory/2788-131-0x0000000072AA0000-0x000000007304B000-memory.dmp

memory/2788-132-0x0000000072AA0000-0x000000007304B000-memory.dmp

memory/2788-134-0x0000000002AE0000-0x0000000002B20000-memory.dmp

memory/3024-133-0x0000000000BB0000-0x00000000013FF000-memory.dmp

memory/2788-135-0x0000000002AE0000-0x0000000002B20000-memory.dmp

memory/2788-136-0x0000000072AA0000-0x000000007304B000-memory.dmp

\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 41c7c46cfdcccaed611db23a96bd2c99
SHA1 80f685cd297e68655301107eff8ae85b3574183d
SHA256 6ff06b54677d32a26d7230adc14fca1d2e007ae483a156eb801e9d5d82fd5402
SHA512 ca714d462b57443958a31b061a8154aff3e2a8003ce6e4e6995536b93954ac32ead0b7a7b6d0385dd95d8a49d75aa4347d2901b2acef466bb5687cef50661615

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 41c7c46cfdcccaed611db23a96bd2c99
SHA1 80f685cd297e68655301107eff8ae85b3574183d
SHA256 6ff06b54677d32a26d7230adc14fca1d2e007ae483a156eb801e9d5d82fd5402
SHA512 ca714d462b57443958a31b061a8154aff3e2a8003ce6e4e6995536b93954ac32ead0b7a7b6d0385dd95d8a49d75aa4347d2901b2acef466bb5687cef50661615

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 41c7c46cfdcccaed611db23a96bd2c99
SHA1 80f685cd297e68655301107eff8ae85b3574183d
SHA256 6ff06b54677d32a26d7230adc14fca1d2e007ae483a156eb801e9d5d82fd5402
SHA512 ca714d462b57443958a31b061a8154aff3e2a8003ce6e4e6995536b93954ac32ead0b7a7b6d0385dd95d8a49d75aa4347d2901b2acef466bb5687cef50661615

memory/1196-198-0x0000000000260000-0x0000000000AA3000-memory.dmp

memory/3024-200-0x0000000000BB0000-0x00000000013FF000-memory.dmp

memory/1196-201-0x0000000000260000-0x0000000000AA3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-03 02:42

Reported

2023-12-03 02:45

Platform

win10v2004-20231130-en

Max time kernel

67s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4152 wrote to memory of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4152 wrote to memory of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4152 wrote to memory of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4152 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4152 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4152 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4152 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4152 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4152 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4152 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 4152 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 4152 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe

"C:\Users\Admin\AppData\Local\Temp\a1a204279d3cdcf73ce14a62268795170aece0aa178c9f18c489d83530b14da5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | ipinfo.io | udp
US | 8.8.8.8:53 | api.telegram.org | udp

Files

memory/4152-0-0x0000000006F00000-0x0000000007889000-memory.dmp

memory/4152-3-0x0000000006F00000-0x0000000007889000-memory.dmp

memory/4152-4-0x00000000069E0000-0x0000000006A87000-memory.dmp

memory/4152-6-0x0000000000450000-0x0000000000C9F000-memory.dmp

memory/4152-9-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4152-8-0x00000000069E0000-0x0000000006A87000-memory.dmp

memory/4152-12-0x0000000006890000-0x00000000068B8000-memory.dmp

memory/4152-15-0x0000000006890000-0x00000000068B8000-memory.dmp

memory/4152-16-0x000000000AE90000-0x000000000B01E000-memory.dmp

memory/4152-19-0x000000000AE90000-0x000000000B01E000-memory.dmp

memory/4152-20-0x0000000006DD0000-0x0000000006E00000-memory.dmp

memory/4152-23-0x0000000006DD0000-0x0000000006E00000-memory.dmp

memory/4152-24-0x000000000B380000-0x000000000B6D6000-memory.dmp

memory/4152-27-0x000000000B380000-0x000000000B6D6000-memory.dmp

memory/4152-28-0x000000000ADA0000-0x000000000AE45000-memory.dmp

memory/4152-31-0x000000000ADA0000-0x000000000AE45000-memory.dmp

memory/4152-32-0x0000000006EE0000-0x0000000006EF5000-memory.dmp

memory/4152-35-0x0000000006EE0000-0x0000000006EF5000-memory.dmp

memory/4152-36-0x000000000B020000-0x000000000B074000-memory.dmp

memory/4152-39-0x000000000B020000-0x000000000B074000-memory.dmp

memory/4152-40-0x000000000AD00000-0x000000000AD96000-memory.dmp

memory/4152-43-0x000000000AD00000-0x000000000AD96000-memory.dmp

memory/4152-44-0x000000000B110000-0x000000000B18A000-memory.dmp

memory/4152-47-0x000000000B110000-0x000000000B18A000-memory.dmp

memory/4152-48-0x000000000AE50000-0x000000000AE8C000-memory.dmp

memory/4152-51-0x000000000AE50000-0x000000000AE8C000-memory.dmp

memory/4152-52-0x000000000B1C0000-0x000000000B1D2000-memory.dmp

memory/4152-55-0x000000000B1C0000-0x000000000B1D2000-memory.dmp

memory/4152-56-0x000000000B100000-0x000000000B106000-memory.dmp

memory/4152-59-0x000000000B100000-0x000000000B106000-memory.dmp

memory/4152-60-0x000000000B1B0000-0x000000000B1BC000-memory.dmp

memory/4152-63-0x000000000B1B0000-0x000000000B1BC000-memory.dmp

memory/4152-64-0x000000000B300000-0x000000000B33A000-memory.dmp

memory/3736-126-0x0000000002430000-0x0000000002466000-memory.dmp

memory/3736-128-0x0000000002470000-0x0000000002480000-memory.dmp

memory/3736-127-0x0000000073BE0000-0x0000000074390000-memory.dmp

memory/3736-129-0x0000000002470000-0x0000000002480000-memory.dmp

memory/3736-130-0x0000000004E00000-0x0000000005428000-memory.dmp

memory/3736-131-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

memory/3736-132-0x00000000056A0000-0x0000000005706000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iudyvbtj.fm5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3736-142-0x0000000005810000-0x0000000005876000-memory.dmp

memory/3736-143-0x0000000005890000-0x0000000005BE4000-memory.dmp

memory/3736-144-0x0000000005D40000-0x0000000005D5E000-memory.dmp

memory/3736-145-0x0000000005D80000-0x0000000005DCC000-memory.dmp

memory/3736-146-0x00000000062A0000-0x0000000006336000-memory.dmp

memory/3736-147-0x0000000006230000-0x000000000624A000-memory.dmp

memory/3736-148-0x0000000006D40000-0x0000000006D62000-memory.dmp

memory/3736-149-0x0000000007320000-0x00000000078C4000-memory.dmp

memory/3736-152-0x0000000073BE0000-0x0000000074390000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/4688-163-0x0000000073BE0000-0x0000000074390000-memory.dmp

memory/4688-165-0x0000000004750000-0x0000000004760000-memory.dmp

memory/4688-164-0x0000000004750000-0x0000000004760000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a2969cec968310d4e569c9417a4791a
SHA1 23529e28f00c0989687bacae91b595999ab1534e
SHA256 0ec55e6b6bd8e5cf9afda8cd2b1677df6dde5b0c12885bbb2f43f05b42d55518
SHA512 23542242b8157ad35bd3d454c161225699dceff1fe68f41996280eb581b196439ff4691910e375e3ca3f93a71216c283767105687a538ce9c3bd30a482b65093

memory/4688-177-0x0000000073BE0000-0x0000000074390000-memory.dmp

memory/4152-179-0x0000000000450000-0x0000000000C9F000-memory.dmp

memory/4504-180-0x0000000073BE0000-0x0000000074390000-memory.dmp

memory/4504-181-0x0000000002690000-0x00000000026A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3f091062175982c8771f33a6f4dc3cce
SHA1 7cf6e87a218c80d90bdd57d53e1ee77c9127b90b
SHA256 09be24ce413cf8a7402bc1f4840f053399b7a4d2646428257d94a6d1dd1d18db
SHA512 c1ad48d7732f88300d67e5fbdf1c4bec132747244eb8e678e7f6e37659ea5e81e399283389ccf055b1e15e6f0efbccccc589b44fead2d58678aaae6efd7ab604

memory/4504-193-0x0000000073BE0000-0x0000000074390000-memory.dmp

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 41c7c46cfdcccaed611db23a96bd2c99
SHA1 80f685cd297e68655301107eff8ae85b3574183d
SHA256 6ff06b54677d32a26d7230adc14fca1d2e007ae483a156eb801e9d5d82fd5402
SHA512 ca714d462b57443958a31b061a8154aff3e2a8003ce6e4e6995536b93954ac32ead0b7a7b6d0385dd95d8a49d75aa4347d2901b2acef466bb5687cef50661615

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 41c7c46cfdcccaed611db23a96bd2c99
SHA1 80f685cd297e68655301107eff8ae85b3574183d
SHA256 6ff06b54677d32a26d7230adc14fca1d2e007ae483a156eb801e9d5d82fd5402
SHA512 ca714d462b57443958a31b061a8154aff3e2a8003ce6e4e6995536b93954ac32ead0b7a7b6d0385dd95d8a49d75aa4347d2901b2acef466bb5687cef50661615

memory/3656-256-0x0000000000580000-0x0000000000DC3000-memory.dmp

memory/4152-258-0x0000000000450000-0x0000000000C9F000-memory.dmp

memory/3656-259-0x0000000000580000-0x0000000000DC3000-memory.dmp