Analysis Overview
SHA256
6626cdbc6e4f16638523acfb157386e1294df9829d6b124e385a487c2dcfad90
Threat Level: Likely malicious
The file winact.bat was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Drops file in Windows directory
Launches sc.exe
Checks processor information in registry
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Runs net.exe
Runs ping.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-13 08:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-13 08:53
Reported
2024-03-13 08:56
Platform
win10v2004-20240226-en
Max time kernel
172s
Max time network
174s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe | N/A |
| N/A | N/A | C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\system32\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\system32\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\system32\expand.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\system32\expand.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\Clipup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\Clipup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\Clipup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\system32\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\reg.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\reg.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\system32\reg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\system32\reg.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\winact.bat"
C:\Windows\system32\takeown.exe
takeown /F C:\Windows\System32\sppsvc.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant administrators:F /T
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\spp /grant administrators:F /T
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
C:\Windows\system32\net.exe
net stop sppsvc
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sppsvc
C:\Windows\system32\net.exe
net start sppsvc
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start sppsvc
C:\Windows\system32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs /rilc
C:\Windows\system32\timeout.exe
timeout /T 3 /NOBREAK
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ver
C:\Windows\system32\reg.exe
reg query HKU\S-1-5-19
C:\Windows\system32\mode.com
mode con: cols=102 lines=31
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingService" "Version"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingService" "Version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "Caption"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "Caption"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL" "Name"
C:\Windows\system32\findstr.exe
findstr /i "Windows"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Microsoft Windows 10 Pro"
C:\Windows\system32\findstr.exe
findstr /I Evaluation
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "OperatingSystemSKU"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "OperatingSystemSKU"
C:\Windows\system32\reg.exe
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0"
C:\Windows\system32\find.exe
find /i "x86"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "osarchitecture"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "Win32_OperatingSystem" "osarchitecture"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo 64-bit "
C:\Windows\system32\find.exe
find /i "ARM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo AMD64 "
C:\Windows\system32\find.exe
find /i "ARM"
C:\Windows\system32\PING.EXE
ping -n 1 www.microsoft.com
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc query ClipSVC
C:\Windows\system32\sc.exe
sc query ClipSVC
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc qc ClipSVC
C:\Windows\system32\sc.exe
sc qc ClipSVC
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc query wlidsvc
C:\Windows\system32\sc.exe
sc query wlidsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc qc wlidsvc
C:\Windows\system32\sc.exe
sc qc wlidsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc query sppsvc
C:\Windows\system32\sc.exe
sc query sppsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc qc sppsvc
C:\Windows\system32\sc.exe
sc qc sppsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc query wuauserv
C:\Windows\system32\sc.exe
sc query wuauserv
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc qc wuauserv
C:\Windows\system32\sc.exe
sc qc wuauserv
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell write-host '"Checking wuauserv [Service Status -Running] [Startup Type -Demand]"' -fore '"white"' -back '"darkgray"'
C:\Windows\system32\sc.exe
sc config wuauserv start= Auto
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ProductKeyChannel"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ProductKeyChannel"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Volume:GVLK"
C:\Windows\system32\findstr.exe
findstr /i MAK
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Volume:GVLK"
C:\Windows\system32\findstr.exe
findstr /i OEM
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Volume:GVLK"
C:\Windows\system32\findstr.exe
findstr /i Retail
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmip.vbs" "VK7JG-NPHTM-C97JM-9MPGT-3V66T"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ProductKeyChannel"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ProductKeyChannel"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmim.vbs" "SoftwareLicensingService.Version='10.0.19041.1266'" "RefreshLicenseStatus"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "$f=[io.file]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\winact.bat') -split ':bat2file\:.*';iex ($f[1]);X 3;X 4;"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0h0rdaq0\0h0rdaq0.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3104.tmp" "c:\Users\Admin\AppData\Local\Temp\0h0rdaq0\CSC3C80E4A6DFD9420FB0BD1A55E5376E4.TMP"
C:\Windows\system32\expand.exe
"C:\Windows\system32\expand.exe" -R 3._ -F:* .
C:\Windows\system32\expand.exe
"C:\Windows\system32\expand.exe" -R 4._ -F:* .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell "(Get-FileHash -a SHA1 'C:\Windows\Temp\_Ticket_Work\gatherosstate.exe').Hash"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "(Get-FileHash -a SHA1 'C:\Windows\Temp\_Ticket_Work\gatherosstate.exe').Hash"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell "(Get-FileHash -a SHA1 'C:\Windows\Temp\_Ticket_Work\slc.dll').Hash"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "(Get-FileHash -a SHA1 'C:\Windows\Temp\_Ticket_Work\slc.dll').Hash"
C:\Windows\system32\rundll32.exe
rundll32 "C:\Windows\Temp\_Ticket_Work\slc.dll",PatchGatherosstate
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Windows\Temp\_Ticket_Work\slc.dll",PatchGatherosstate
C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe
"C:\Windows\Temp\_Ticket_Work/gatherosstatemodified.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Restart-Service ClipSVC
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o
C:\Windows\system32\Clipup.exe
"C:\Windows\system32\Clipup.exe" -o -ppl C:\Windows\TEMP\tem5313.tmp
C:\Windows\system32\timeout.exe
timeout /t 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ID"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' and PartialProductKey is NOT null" "ID"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmim.vbs" "SoftwareLicensingProduct.ID=" "Activate"
C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe //nologo "C:\Users\Admin\AppData\Local\Temp\wmi.vbs" "SoftwareLicensingProduct" "LicenseStatus='1' and GracePeriodRemaining='0' and PartialProductKey is not NULL" "Name"
C:\Windows\system32\findstr.exe
findstr /i "Windows"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell write-host '"Microsoft Windows 10 Pro is permanently activated."' -fore '"white"' -back '"DarkGreen"'
C:\Windows\system32\sc.exe
sc config wuauserv start= Demand
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell write-host '"Cleaning Temp Files [Unsuccessful]"' -fore '"white"' -back '"DarkRed"'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 142.250.200.42:443 | | tcp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/3436-0-0x000002473E050000-0x000002473E072000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kz5uaidz.lq1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3436-10-0x00007FFA34B80000-0x00007FFA35641000-memory.dmp
memory/3436-12-0x0000024723C10000-0x0000024723C20000-memory.dmp
memory/3436-11-0x0000024723C10000-0x0000024723C20000-memory.dmp
memory/3436-13-0x0000024723C10000-0x0000024723C20000-memory.dmp
memory/3436-16-0x00007FFA34B80000-0x00007FFA35641000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8fe7bd6cd1d64bcdabbf2e2ae72c5a28 |
| SHA1 | 5e1080c3b8cc4c5bffc73ffe6d45fa073335d0de |
| SHA256 | 5054cd4d79ca09e90169cdaee05c1e3dfc5d6fa1ad1275e11fd094521fed3fb8 |
| SHA512 | 658004888ba70fa4a8c4b573d439496532c08b81afdc0b2419187c2ec9f3e42408d9a7c2bd2c73efd06fd5ada7ea57e1bb5d188e57ead32a7c0c900a82099f68 |
memory/4824-18-0x00007FFA34B80000-0x00007FFA35641000-memory.dmp
memory/4824-24-0x000001AE5E670000-0x000001AE5E680000-memory.dmp
memory/4824-29-0x000001AE5E670000-0x000001AE5E680000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 93cb857535495189bb6a362f685bdee0 |
| SHA1 | 30489532d9c79c96faefe978e4a4f07d4cf02a7d |
| SHA256 | 56206d9139019fb2adf82b82197b5b9e417d9b00016beb01be6b99dcb1bfa0ea |
| SHA512 | ab6980d63ca944711b7bbccdb83a82233980578cb54f3d9ea699ebed36126c78c02106275c60ba88f7cd720f93021533e9d024216c50facfe2ab2fa979251811 |
memory/4824-32-0x00007FFA34B80000-0x00007FFA35641000-memory.dmp
memory/2892-33-0x00007FFA34B80000-0x00007FFA35641000-memory.dmp
memory/2892-43-0x000001AA0D2F0000-0x000001AA0D300000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c5c1d544037a6215c80133de5e46db0e |
| SHA1 | dbb945947d69450c0f05d69f66f9c527641ab32f |
| SHA256 | 2a5a22e8e4c1e8dc0438c915f8d589e7ecc3d836d6890203747bdf902538e512 |
| SHA512 | dab62558ba0ea46555794a3f419aac1cfe82ebec9c3cfd36c47a06e69e5e4dbc2f1da3eb3ca139eafa22255200f1ad1b65cb0001ccd0ff933458fb6e564cb0fb |
memory/2892-46-0x00007FFA34B80000-0x00007FFA35641000-memory.dmp
memory/4892-47-0x00007FFA34A50000-0x00007FFA35511000-memory.dmp
memory/4892-48-0x00000206015C0000-0x00000206015D0000-memory.dmp
memory/4892-54-0x00000206015C0000-0x00000206015D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e2eaeeb3cd489fd6be3b2a6479c91981 |
| SHA1 | a5103719cd26c8d689d36a6bed16275b2460ba0b |
| SHA256 | e57a1daf9ca3c2fd5d1941ac6126113bfdbeba50ab316513974d84db419f9829 |
| SHA512 | f0cb230812434933aee6918fa261c6e19504a46bb1792ce56117579f8a1db0f72faba42e66064d34e18241cb41321c32e20af5258233575616b688b59e1279e6 |
memory/4892-61-0x00007FFA34A50000-0x00007FFA35511000-memory.dmp
memory/1376-63-0x0000029C73950000-0x0000029C73960000-memory.dmp
memory/1376-62-0x00007FFA34B00000-0x00007FFA355C1000-memory.dmp
memory/1376-66-0x0000029C73950000-0x0000029C73960000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f61633e2e747fc15903069b35f4f5fa1 |
| SHA1 | 6f0eeb79bd1421cbb30284389b735cfe2cc1252f |
| SHA256 | b1fa182f636ef2b2aa0fc5642607d13c5690414ecfff40ae8d80077bfd887b56 |
| SHA512 | 3cfe02bdd85a599d6a31792d2da787132dbdfd25f6d5e3ce4e9399dc79b17bb912699865b3e1287902a02351b3c2cb9feb0755ad3d410a4053672434153fba74 |
memory/1376-75-0x0000029C73950000-0x0000029C73960000-memory.dmp
memory/1376-76-0x00007FFA34B00000-0x00007FFA355C1000-memory.dmp
memory/1376-77-0x0000029C73950000-0x0000029C73960000-memory.dmp
memory/1376-78-0x0000029C73950000-0x0000029C73960000-memory.dmp
memory/1376-79-0x0000029C73950000-0x0000029C73960000-memory.dmp
memory/1376-81-0x00007FFA34B00000-0x00007FFA355C1000-memory.dmp
memory/3452-82-0x00007FFA34B00000-0x00007FFA355C1000-memory.dmp
memory/3452-92-0x0000013153430000-0x0000013153440000-memory.dmp
memory/3452-93-0x0000013153430000-0x0000013153440000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 781ee7133f8c815cf6936a58a6ec7a00 |
| SHA1 | bcb7a46f0900c564afc9e81d2a865b2fb163559a |
| SHA256 | fb410c61a4c32ecff9fe1829baa42e216c482cc3b36c049b15454d6a766422ae |
| SHA512 | 116d22cfec167e4d8367e765fb6a9f191096001556deedc08f06afb29a0b0052bcc5658a637ddf5d3dcf1cdd24a8a0a810accf97611c79d4c4c116cd6e1aca2c |
memory/3452-95-0x0000013153430000-0x0000013153440000-memory.dmp
memory/3452-97-0x00007FFA34B00000-0x00007FFA355C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wmi.vbs
| MD5 | 771337df46923fa7608ae2f39295bd5d |
| SHA1 | 0ed8a167620d1b0c34fc4dc8f08e3f533c519a5a |
| SHA256 | 62d3f93457147d95c4caeacb9c9ec567ded6056b82e775184b6066d0d3ad767f |
| SHA512 | 972a411b1f27266be063995165c3867d4fdb1ef8fdc7355197c71a48cbdc9c8b9ff6e5a88782587f5be0c01e0a6422d36dc283174586d980313f9e18e211f0a1 |
memory/2064-103-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp
memory/2064-109-0x0000021CFD540000-0x0000021CFD550000-memory.dmp
memory/2064-110-0x0000021CFD540000-0x0000021CFD550000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d62de053bc592694c6218379a9b3d2af |
| SHA1 | 3bcbcfa507268b2a91391e7b9904dfddfa440bfa |
| SHA256 | f8eeab49b57a3ea567bc6bfb882c27bc37abf92640de04e15dfee828fca92a79 |
| SHA512 | c7b15e8525bbeb5036452c70d1474cc23576ea94845d7b64061042ebea0fdc91a1a892d1c3726f06c13e561310f79fc6811509fe7eace00e09bd5a3f857b7e4a |
memory/2064-117-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wmip.vbs
| MD5 | 4287da015add322dfcaf9c978bcf06c8 |
| SHA1 | 0d9036dbabcbbffc3bfa10c46c107304e84b1b20 |
| SHA256 | 7d2c4a6096a0cef596d649a6ab463def13e50c8ba0c19f2da4fa559574566a58 |
| SHA512 | 464abbb1f7d3379f98360d22dc0674672bf28c75fe1a4978bcbc51e66a51a27cc0c131a932eb495a1679d6e7b2127ad1c772f870dc4c174ed3be545dbcd29b88 |
C:\Users\Admin\AppData\Local\Temp\wmim.vbs
| MD5 | 255c26473b0140bff98d7be7488040c5 |
| SHA1 | 3ec7265b2239e898d43969c5a36d673815a25585 |
| SHA256 | ef903da9c5fb4742c7764000532994d94aade900c2e825f161d9bae371842c3e |
| SHA512 | fff5041bb4d06460455c5fcfae3e147384b981c9630e23a1387473cddd5091d386b80f77aa0b34f374aaa809dfd515262950a59faa045503612a18fa8a7b161b |
memory/3572-126-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp
memory/3572-132-0x000001F359880000-0x000001F359890000-memory.dmp
memory/3572-133-0x000001F359880000-0x000001F359890000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fe68a34c09b376ff0c822f2809627238 |
| SHA1 | fb7b7772e77980c40397054ea7ddc88dc80a9cfe |
| SHA256 | 9c6c69f1519015cfd4360e6bc2993b91ff9a7c35889c3ae5910dd62dbc915c79 |
| SHA512 | 5bab3d1ed72137ba700c119b572cf92f8ed129d38aed396fb52f279a88a92b6fa3cee85f9f5d314f6881bdc5afdcb4ede74e907f60f799a9c5852b9b929c0654 |
memory/3572-130-0x000001F359880000-0x000001F359890000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\0h0rdaq0\0h0rdaq0.cmdline
| MD5 | 076108d5b6a793aceaf3590c9b68924d |
| SHA1 | 6539783faf77abed4a1884beb034f2f972a8faa8 |
| SHA256 | baa1091312dafa9bf1c37bffb3c5c5ef265dad5d4dde224caff5cb407baeb39b |
| SHA512 | ebbf4e5d72833b3ce9f153636acc787a78c54fad108a28e931d1a1cb42f8220c6d0576c20129c87d97926f5fe2ba38a6f583ac88b8712fa9235ad3681bc6000f |
\??\c:\Users\Admin\AppData\Local\Temp\0h0rdaq0\0h0rdaq0.0.cs
| MD5 | 758ba880ad959901cbefedbc761b695c |
| SHA1 | 0adb761216512a736ccacd8271d1170f5a961ab8 |
| SHA256 | bd8acacc9694725260536c846fe639b2c10ecf3b4f4c2f21c7738de4135af5fd |
| SHA512 | fdefe9abed4d0340c26e2dd41589738429c8dea8a5f0c28c8244f82df7085cb70115bc8c37bfda4389de0811b74cd0cfc779ecde7e30a86aaac79c710d05f2e7 |
\??\c:\Users\Admin\AppData\Local\Temp\0h0rdaq0\CSC3C80E4A6DFD9420FB0BD1A55E5376E4.TMP
| MD5 | 4ecb84eb845deefc0ddd4c95b0c8fdbe |
| SHA1 | 80e2cc9e3da5ec14ee74ea5b2152e2710648978c |
| SHA256 | 8bd97388c41550f3bb407e1e1d2523afba5697084ca87139d2a777137144064d |
| SHA512 | 797973b22d1f23b8f44c5e697fd0b7511c1bf6c9cd4e55e30e8be4ae9b84350aea455858723429a3e4fc731fcbc8efbed5b2d8869bc9e33802dac21a01a40b08 |
C:\Users\Admin\AppData\Local\Temp\RES3104.tmp
| MD5 | 3b203d347257baee898c8b4eafb2d496 |
| SHA1 | c3ec331a9f2b85d112ca03175f39a4511efc83c4 |
| SHA256 | 91fe24a6090c5312327dc88a44d61a0f516144018e195b1d6f02677f3a40b630 |
| SHA512 | 99867b1055983a5950da40c8c5071b581671caff9403b58763c22f88da60fd4fd520fc208f8c773397a592166d5abaadf6757d0e946f618b487af48071330eab |
memory/3572-146-0x000001F3413B0000-0x000001F3413B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0h0rdaq0\0h0rdaq0.dll
| MD5 | fba03b29f70e3d19cf3482707ce2b9d4 |
| SHA1 | 2f9c4ef5c2a3972a2ca4f7c7ef43a8b33fed7d0b |
| SHA256 | f594dd0e4b8fa5db949daf0d1e8bc2549ae75c0f1fc7983c5bc5494a1fc4a90d |
| SHA512 | c76ac267a0f0edec015ef01e4dfaf5ab451c0b5ae55134ff70fc35111634e92f721d48b49cdf992565c68f46f53559bd0905c15f43df721e08457afc1150b7cc |
C:\Windows\Temp\_Ticket_Work\3._
| MD5 | bb9c06f9c67317b6e401eacd6b4d8e02 |
| SHA1 | 3cab4bcfda6c6c11e7695c7f71aeb12a259d97d7 |
| SHA256 | f1bcffaa498e3ccb633d8d473449a8bc2630034ac46b6f52f5cce3a493ac4b6c |
| SHA512 | 13865780bf65545b0f5e5e3b7b4b8d26b54b21bed5dfbcd3013ce45c07fc473f80a497e429cee053819d00e801fe717cffdc29d0d44bf70541f1ca9a84b6e3a6 |
C:\Windows\Temp\_Ticket_Work\4._
| MD5 | 5e6326fea7bfda62ab68585bf2fc09f1 |
| SHA1 | ecb7cb45eed1df63491b2494c23cc8897504d00f |
| SHA256 | 077144a55891a75daf97c0fa26dcee1939ba02fd6a71707d4010b22bfdf447b3 |
| SHA512 | eb0c15bec3a9753d399a938b2c0c7feaac3ab567ecf95e6ec82540d2bbaf69a12bfbd271c67e388a1a50708ff3ce30d0e22d8ac357159d8d07d6979abd9e162b |
C:\Windows\LOGS\DPX\setupact.log
| MD5 | 4327f20030449da42e6e753c4978e9a1 |
| SHA1 | 4c01d5633dfee2a6a09199c5cf3d0a103d01e0ea |
| SHA256 | 930cbf96fbbbe3141642c1377fe6b44685defe4e5bc3bbc85ddd123004d0e2e5 |
| SHA512 | e3694df3e37bf7e87988f1245caa4942f0a4f12294fd81704a0c86607e66a9c9c41f8293c9e16c91ce47715589108989bd27efe5edb5089f260ccb0d905dff51 |
memory/3572-162-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp
memory/3884-163-0x00007FFA34C30000-0x00007FFA356F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1b2c0bab2ba90319d1d1b04be2fd781f |
| SHA1 | 9c700fa0ee86732f119a038facb26052a70ee73a |
| SHA256 | 1c46c61990e1d8e3e84683f0e6748c87978d48ff26ff7279e47564f57bd43055 |
| SHA512 | 63e1290d40eae2af5ed93175bed9e019e03cd4796d559be50f66739914ad453e2f58f4c2a12be4fc0f8f4c52e9ce5eabcc62002222e34e17d2e0ae8e9fac90d1 |
memory/3884-175-0x00000128693B0000-0x00000128693C0000-memory.dmp
memory/3884-169-0x00000128693B0000-0x00000128693C0000-memory.dmp
C:\Windows\Temp\_Ticket_Work\gatherosstate.exe
| MD5 | 15ce0753a16dd4f9b9f0f9926dd37c4e |
| SHA1 | fabb5a0fc1e6a372219711152291339af36ed0b5 |
| SHA256 | 028c8fbe58f14753b946475de9f09a9c7a05fd62e81a1339614c9e138fc2a21d |
| SHA512 | 4e5a6751f5f1f8499890e07a3b58c4040e43cf1329ab8f4a09201e1f247825e334e416717895f6e570842f3d2d6a137c77539c70545329c1ab3118bd83a38226 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | def7884bfec63bbb926d51438b7439c2 |
| SHA1 | 48f7438447cc4b0e6e44735dc17a2659380218fd |
| SHA256 | d4951ddfe54394c89d24be1f17576dceefdcc97b905f33fae7bf1caeba2d92f9 |
| SHA512 | 22c529d29befd1b070cb5cdb9c1194ba162035756f7b9d25d4c73537dd286c483fd4a4770b920d58a9536cfc64a5e9bff88f5f46bf1d2cc5bf5ab25005aacfb1 |
C:\Windows\Temp\_Ticket_Work\slc.dll
| MD5 | b21c40aaf16ba46b2732618d089db3a4 |
| SHA1 | ca3a51fdfc8749b8be85f7904b1c238a6dfba135 |
| SHA256 | 9395a37c42e83568dc5ecb25d9e9fca4c6c1c4f47e336fb6ccae62df5c696b4d |
| SHA512 | 3e6d4413edfdf2acaf357fba3269913bcfb031848723b64186ed5bbec056030fc385843094bbca5a8377b218c9cdb0bee803ef9be61ed0aef648454bfd1ffad3 |
C:\Windows\Temp\_Ticket_Work\gatherosstatemodified.exe
| MD5 | f01b9f4e4feb1c2aa510d3010e46e611 |
| SHA1 | 6b1ca1ed81ec178e65872b72e0dd2009f82bace7 |
| SHA256 | a489a44cb48866f3c78c913c5e42bc0bab4283ecaf36e3f2e1568e0a0477873a |
| SHA512 | 274183e01a51a9bb3b619163496108f89c454ecb1258fba359dafb9df89369021863098e7f92e73f8da433c97d65293b0f406e405bf4ee3fc199932587109cb2 |
C:\Windows\Temp\_Ticket_Work\GenuineTicket.xml
| MD5 | 911aa9298d4857a1ea93209bed86732d |
| SHA1 | 3367397797a35ec781bfc7a477cf32be2463d7d5 |
| SHA256 | d5331721fd20fd64dd73f124dca23f5e32244120cf5814ee20cf2316d631f1ef |
| SHA512 | 5f7ac1fcb08ebdc8cacc61c3bd7ebfb5dd0ada997e45d08c1e8424eca2ab1356781c0d62528ea0349894ad113dd13ed9163310e8cc4b42e86540fadd4deb9f4a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 78bcc4937be217a0ff2e2b45223918b5 |
| SHA1 | efcc6f96c244701457bada016820bb7801016c8d |
| SHA256 | 6532ffb7def1df398fdd3dddfb5e5f9416f18888148146d67a7980cb88d58f81 |
| SHA512 | 509f35cbf223a768e338b986a8a1613dbc292483476e6ca990987f579f7b420cd1d2350a11422a41ba6805750f9de48a24bd25dc3edfb2918fa64db0f4ffdd4c |
C:\Windows\TEMP\tem5313.tmp
| MD5 | b13af738aa8be55154b2752979d76827 |
| SHA1 | 64a5f927720af02a367c105c65c1f5da639b7a93 |
| SHA256 | 663ef05eb1c17b68e752a2d1e2dcd0eaa024e4c2ec88a7bc99a59e0aeabdf79b |
| SHA512 | cb774f2729ce6b5cda325417fbad93e952b447fa2e9285375c26eb0fbdb7f4f8b644b1007038caafd6d8ba4efb3cc8c5da307c14e12be3454103d52848a029a4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 02d34e98497db1b20a085ae33218c2bf |
| SHA1 | e30a40961562c97bd70ddd5924184791b05a0e06 |
| SHA256 | f85569a795a1c6409cf561333133667272b1b49085c30cc7b7a7d9f4cb5e23b1 |
| SHA512 | a31444e4dda7b3650ae19b55e694e39c87e60fb9f53d4b5027d8c06157cee821f7e523762ad283a1bf220bd34ebe554d2660f83fae9c64c0e5c9d2bc450174a7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1dffbab5ecc6d06e8b259ad505a0dc2a |
| SHA1 | 0938ec61e4af55d7ee9d12708fdc55c72ccb090c |
| SHA256 | a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e |
| SHA512 | 93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76 |