Analysis Overview
SHA256
19377f0b1dd253527ac16e0f4badb1888cf74c41dedaa458b8488f82cd7d3fd8
Threat Level: Known bad
The file CBTradeBotInstaller.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Process spawned unexpected child process
Modifies WinLogon for persistence
ZGRat
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Uses Task Scheduler COM API
Views/modifies file attributes
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-03 16:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-03 16:39
Reported
2024-05-03 16:40
Platform
win7-20240215-en
Max time kernel
29s
Max time network
16s
Signatures
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A (2 identical events) | api.ipify.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CBTradeBotInstaller.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CBTradeBotInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\CBTradeBotInstaller.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-03 16:39
Reported
2024-05-03 16:40
Platform
win10v2004-20240419-en
Max time kernel
32s
Max time network
35s
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A (2 identical events) | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\tracing\\TrustedInstaller.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\tracing\\TrustedInstaller.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\powershell.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\Windows\\tracing\\TrustedInstaller.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\powershell.exe\", \"C:\\Users\\Default\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Google\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (15 identical events) | N/A | C:\Windows\system32\schtasks.exe | N/A |
ZGRat
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\i24xqxoc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CBTradeBotInstaller.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\i24xqxoc.exe | N/A |
| N/A (11 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| N/A | N/A | C:\Recovery\WindowsRE\conhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A (11 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\main\7z.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Default\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Google\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Google\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Windows\\tracing\\TrustedInstaller.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files\\VideoLAN\\VLC\\powershell.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Windows\\tracing\\TrustedInstaller.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "\"C:\\Program Files\\VideoLAN\\VLC\\powershell.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Users\\Default\\backgroundTaskHost.exe\"" | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A (2 identical events) | api.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\Windows\System32\ja7kri.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\System32\CSCA7F4FBB88A834CBB97CAB8FDDE7E7C4.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\VideoLAN\VLC\e978f868350d50 | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| File created | C:\Program Files\Google\conhost.exe | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| File opened for modification | C:\Program Files\Google\conhost.exe | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| File created | C:\Program Files\Google\088424020bedd6 | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\powershell.exe | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\tracing\04c1e7795967e4 | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| File created | C:\Windows\CSC\SearchApp.exe | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
| File created | C:\Windows\tracing\TrustedInstaller.exe | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A (15 identical events) | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CBTradeBotInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\CBTradeBotInstaller.exe"
C:\Users\Admin\i24xqxoc.exe
"C:\Users\Admin\i24xqxoc.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p13131114561285716693594810402 -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_10.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_9.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "svcshost.exe"
C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe
"svcshost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\conhost.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kabns5k1\kabns5k1.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ACD.tmp" "c:\Windows\System32\CSCA7F4FBB88A834CBB97CAB8FDDE7E7C4.TMP"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\TrustedInstaller.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Windows\tracing\TrustedInstaller.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\TrustedInstaller.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\powershell.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\powershell.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Default\backgroundTaskHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Users\Default\backgroundTaskHost.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gnthvGXGTc.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Recovery\WindowsRE\conhost.exe
"C:\Recovery\WindowsRE\conhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| RU | 31.177.108.72:80 | 31.177.108.72 | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 72.108.177.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| RU | 188.120.241.126:80 | 188.120.241.126 | tcp |
| RU | 188.120.241.126:80 | 188.120.241.126 | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.241.120.188.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\main\main.bat
C:\Users\Admin\AppData\Local\Temp\main\file.bin
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
C:\Users\Admin\AppData\Local\Temp\main\svcshost.exe
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g2ms0pa1.bxh.ps1
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
\??\c:\Users\Admin\AppData\Local\Temp\kabns5k1\kabns5k1.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\kabns5k1\kabns5k1.cmdline
\??\c:\Windows\System32\CSCA7F4FBB88A834CBB97CAB8FDDE7E7C4.TMP
C:\Users\Admin\AppData\Local\Temp\RES7ACD.tmp
C:\Users\Admin\AppData\Local\Temp\gnthvGXGTc.bat
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (6 entries)
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log