Analysis Overview
SHA256
c1032817c3b6733dccbfe475c4ab3313981410387f518ae06cbbfcf7a51674c6
Threat Level: Known bad
The file Result.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Umbral
njRAT/Bladabindi
Detect Umbral payload
Xworm
Njrat family
Detect Xworm Payload
Umbral family
Drops file in Drivers directory
Modifies Windows Firewall
Disables Task Manager via registry modification
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Runs ping.exe
Suspicious use of SetWindowsHookEx
Detects videocard installed
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-27 15:25
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Njrat family
Umbral family
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-27 15:25
Reported
2024-04-27 15:35
Platform
win10-20240404-en
Max time kernel
600s
Max time network
598s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
njRAT/Bladabindi
Disables Task Manager via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Umbral3.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Client.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Explorer.exe | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Result.exe
"C:\Users\Admin\AppData\Local\Temp\Result.exe"
C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe
"C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe"
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral3.exe'
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Client.exe'
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral3.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Client" /tr "C:\Users\Admin\AppData\Roaming\Client.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
C:\Users\Admin\AppData\Roaming\Client.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 216.58.201.99:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | phentermine-partial.gl.at.ply.gg | udp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | phentermine-partial.gl.at.ply.gg | udp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
| US | 147.185.221.19:36969 | phentermine-partial.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Malinovka Install.exe
| MD5 | f69924b642ac4b9ef1dfacdfd43759a9 |
| SHA1 | 95da50564c7cbc3749148419c68a08b0f2869ee1 |
| SHA256 | d9b248ce98a243a37d33096fc7b1cad784ee77f5920b0bd6618a6690ca426f18 |
| SHA512 | 2334511265c507d16b3a323c721a392659feb405a5d9fea588146c4ef320261166312c2fcf8f494c4aa342e0b5a9d5da20576ce2d6ae1e3215ee47dcc19f5e07 |
C:\Users\Admin\AppData\Local\Temp\Server.exe
| MD5 | ba71f783926cbda30d8ff8f295fdd312 |
| SHA1 | bd533cc6457836098ff34d07ab2ef6b04ef144b9 |
| SHA256 | c6caa8ccc6ac706820712f93ea3a2541da32ec04542b3b7a85d8d85b0f0e1831 |
| SHA512 | 19767768012b07f3a13dc3e3652c9c3b6376d3ec6199ad384f7011f6db3c6b2e11bff86979d0475a7b58e84e100126661954a667a8217655439aff73b374d5c9 |
memory/1412-10-0x0000000000400000-0x0000000000471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Umbral3.exe
| MD5 | 7a902c87a60986f18a6b097712299256 |
| SHA1 | 2c01906a39faa9d27a41e0d3cd84e92410b9c483 |
| SHA256 | e4e4f9045dc3683a2a69b9c7625f2ff46ed241ff64b47660a039dbc9d34cb0d5 |
| SHA512 | c8b75b3f0a77d1f84167af3c431e186802ccd5271fc4a361142e0209541de37f5d584d487bf5ea4b4d921e6e3846267fdea9f65cbd71001331bfea08de5425b6 |
C:\Users\Admin\AppData\Local\Temp\XClient.exe
| MD5 | 3fc932775533f1bcea180de679a902dd |
| SHA1 | 3f393d02af4653e34bf5526ec5b6f8d6e4df65e8 |
| SHA256 | 09a15daeebc228706f36a7659284ef673ea72e7a71700a2f73f4f1409486dd6a |
| SHA512 | f59d35a6fe5517a5b9a1ec9a07899eef9f48745710196f1824cc79823994d6fba7975da457ee06ec6215f56860680dc0c07412268c2b1c725c4c66611a75a764 |
memory/4580-21-0x000001D56F530000-0x000001D56F570000-memory.dmp
memory/2016-22-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4544-23-0x0000000000F70000-0x0000000000F8A000-memory.dmp
memory/3200-24-0x00000000031B0000-0x00000000031C0000-memory.dmp
memory/4212-30-0x0000013F6E5E0000-0x0000013F6E602000-memory.dmp
memory/4212-33-0x0000013F6E7A0000-0x0000013F6E816000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oul5lr4x.ghl.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f4cebace363955b5fb79b606d1252b9e |
| SHA1 | f57eb08ca60074896c6d65c98e2f8b99450f7aee |
| SHA256 | ba0bf3227005c611f8d0d8ad6c73089c086e94019641f0fc14a303c760b6928a |
| SHA512 | 5d63af7b9754546535b86504494ffc6eb0ad79653f148ce4a2e9199badbdf582fac30c31dfeecf79b9d67b21b779d5e4132da8884e1d365c1ca380c719f1a52f |
memory/4580-123-0x000001D571310000-0x000001D571360000-memory.dmp
memory/4580-124-0x000001D56F9D0000-0x000001D56F9EE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5a9b97538363bc5ab5f3d92352560061 |
| SHA1 | 70815f2fbacb2fd9a59fadb9110ec2d96b8ef533 |
| SHA256 | 4e00cb8ba8e2f1b9c9fb7c1af39f1bfcfaf32f9f2e476ff3897ee17bc477b23c |
| SHA512 | 7974155b3ea099fee0ac3e12ffe5a3427ef2fdd448b5cfe9c17a4af399db9a84e48abe73b9b7bc6d66e7e5774d1e6c15d3135540aa4085973408b41db6b45ff4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8c5fff2c090f31e158e97938c720ee9f |
| SHA1 | 324055be6148591f0928ce320b6c325b3f8bb0a8 |
| SHA256 | 700f8375b5760e1c4c2eedd335fe3dc1097281424b52a8f9e918d0a78dcb65b5 |
| SHA512 | 0502bc8345c14c0ced566a9afc8210172f49c48cb1c551fb27105311498e79e03b634fbcbbd4a5ce09490b1ca052e813b68d18e93e215ddae3fb983616a29ea3 |
memory/4580-188-0x000001D5712C0000-0x000001D5712CA000-memory.dmp
memory/4580-189-0x000001D5712F0000-0x000001D571302000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f3bde5dba3f8b6083eec8169823ce3a3 |
| SHA1 | 1a4581fd14a07f64075d90791a25959e8afae332 |
| SHA256 | 1266b3e994f64e316900166fd67d5d1bd58b35ed4ef52dda31b9a97cbf482678 |
| SHA512 | 210670295949ae8733e79e10494f723728cd7bf9560636f397d0f966282d3619b234f2886c2f9eea1f2021b3b7bd28347d813d45915d04bd8269a67df920cea1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 59649da1edf059761abb0865a6a4785f |
| SHA1 | 142dc13d01a0f4919704e7b42e2bc0b2d80068ff |
| SHA256 | 27678235ba9f6202a0788bb00e673ef29c129d1f7ed39c6b3711a9152cd0f8ff |
| SHA512 | b8ca5e8039ad28f11bd4aa674deea7b810bd4934b90ff703a1b89f713bfad1444b82924cda5a0ac0a008294ef72d1dc58c29f1eb809f61f24c59e4b26622ee3a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 86145a4983c4d894c0c9dd9e4ff0f009 |
| SHA1 | a8e43fd7b070bc11476242e1f2714f54dcbc8276 |
| SHA256 | ff54b5d1dc749af3a3d46b39d5feeba746aa89bf3810a093cf5aa8259866a620 |
| SHA512 | 124159cd441b05d456f38e38329a14503c6cd59d48fffa30c32f71a0fd11b1d820297ade894ec6667ba8460115a05305a7e1aae6004f18f9ca24713cbc98dd0f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d928f90923f5ff9d64502694f33643fd |
| SHA1 | e6b682eda4540554b331988e3d84d41c49084490 |
| SHA256 | e72f59277c81b40e98abf39268d6eed8dbbf1c8e092e224df750e8e136a2784a |
| SHA512 | 476f2ae43e6a70a0bf92754945b1d757c0d5b421e80d09e3ecdcb80baf3a2a6b9dec226c91f0e0f8cbb23e59197fa734459942116dd59b084353c36438082f50 |
memory/3200-395-0x00000000031B0000-0x00000000031C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log
| MD5 | 16c5fce5f7230eea11598ec11ed42862 |
| SHA1 | 75392d4824706090f5e8907eee1059349c927600 |
| SHA256 | 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151 |
| SHA512 | 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc |
memory/4544-409-0x0000000001650000-0x000000000165C000-memory.dmp