Analysis Overview
SHA256: 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
Threat Level: Known bad
The file 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c was found to be: Known bad.
Malicious Activity Summary
NanoCore
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-11 08:29
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-11 08:29
Reported: 2024-05-11 08:32
Platform: win7-20240215-en
Max time kernel: 148s
Max time network: 149s
Signatures
NanoCore
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Subsystem = "C:\\Program Files (x86)\\DDP Subsystem\\ddpss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2908 set thread context of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DDP Subsystem\ddpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DDP Subsystem\ddpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe
"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F47.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp70CD.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp712B.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
Files
memory/2908-0-0x000000007494E000-0x000000007494F000-memory.dmp
memory/2908-1-0x0000000001090000-0x0000000001182000-memory.dmp
memory/2908-2-0x0000000074940000-0x000000007502E000-memory.dmp
memory/2908-3-0x00000000004A0000-0x00000000004BE000-memory.dmp
memory/2908-4-0x0000000000560000-0x0000000000570000-memory.dmp
memory/2908-5-0x0000000000770000-0x0000000000786000-memory.dmp
memory/2908-6-0x0000000005350000-0x00000000053CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6F47.tmp
| MD5 | 4e72793a8838fcfff8053f7462411945 |
| SHA1 | 2d13b860980e328a12a8397d7896f1c6e9ecbfa4 |
| SHA256 | a07a4e04aea7e5643380977ae00dbef0e14ce2447a672fae53b89c74efb6dc90 |
| SHA512 | 2075334cada2199a2a1716c200474174056a700dbba673adbe7df5224e3c0b8e6a133b450b87f0a3d7f31337901a4676c422127abafb3f364a68c41c08b1dd73 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SBZ0Q93V449NDQLEALMR.temp
| MD5 | d6adf8aa5b9f6166de6d6cb46e0a430d |
| SHA1 | bee5f27ef69a070179dc47609c574e0a881aa96f |
| SHA256 | 4610eebe9783d5c07ffe0e429b5d59e8660d8bd747364900293a092fc96a65db |
| SHA512 | b6788f0b034eba471014b0298cda6d83927753f8f458de7743c48852ccf78e760ed82bad41dfe3de4cce7733d6d2b88d61467d3c76fb9f77d4d634d3fcc4fe52 |
memory/1892-28-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1892-29-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1892-31-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1892-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1892-25-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1892-23-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1892-21-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1892-19-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2908-32-0x0000000074940000-0x000000007502E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp70CD.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
C:\Users\Admin\AppData\Local\Temp\tmp712B.tmp
| MD5 | 8e2d5fba24ae8a54087d8e6cadc188c1 |
| SHA1 | 548555025543b4773b8f36301f5fa5003e1c85dc |
| SHA256 | f8a3739cca23897792b42a11a21adcce745201fa19f8d84ec66a6e0c5e519759 |
| SHA512 | 9246583d7b08152cd73dc40254013e1ae4b8c93603dbb1f4e6b82624e14b134c59de6c8039b588f14075602768a388121e985f886322ae5fb9ec2eee94d4ea3d |
memory/1892-40-0x00000000003B0000-0x00000000003BA000-memory.dmp
memory/1892-41-0x00000000003C0000-0x00000000003CC000-memory.dmp
memory/1892-42-0x00000000003D0000-0x00000000003EE000-memory.dmp
memory/1892-43-0x00000000004E0000-0x00000000004EA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-11 08:29
Reported: 2024-05-11 08:32
Platform: win10v2004-20240426-en
Max time kernel: 145s
Max time network: 149s
Signatures
NanoCore
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1156 set thread context of 4344 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\UDP Subsystem\udpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UDP Subsystem\udpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe
"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87FC.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8C23.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8D6C.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BE | 88.221.83.210:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.210:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
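The Network tables of behavioral1 and behavioral2 mix the C2 traffic (december2nd.ddns.net and december2n.duckdns.org, both on TCP 65024) with sandbox noise: resolver queries to 8.8.8.8, reverse PTR lookups, and Bing connections from the Windows 10 image. The Python below is an added example, not part of the sandbox report, that parses rows in this page's table format, drops the noise, and keeps only connections that go to a dynamic-DNS host or a non-standard port, with a connection count so the most-used C2 sorts first. The sample rows are a constructed excerpt of behavioral2's table, and the list of dynamic-DNS suffixes is an assumption extended beyond the two providers the report shows.

```python
import re
from collections import Counter

# One row of the report's Network table: | CC | ip:port | domain | proto |
ROW = re.compile(r'^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^\s|]+)\s*\|\s*(tcp|udp)\s*\|$')

# Assumed: the two providers seen here plus other free dynamic-DNS apexes.
DYNDNS = ("ddns.net", "duckdns.org", "no-ip.org", "hopto.org", "zapto.org", "sytes.net")
EXPECTED_PORTS = {80, 443}


def parse_rows(table):
    rows = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append((country, ip, int(port), domain, proto))
    return rows


def is_dyndns(domain):
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in DYNDNS)


def extract_c2(table):
    """Deduplicate connections and keep the ones worth blocking."""
    conns = Counter()
    for country, ip, port, domain, proto in parse_rows(table):
        if domain.endswith(".in-addr.arpa"):   # sandbox PTR lookups
            continue
        if port == 53 and proto == "udp":      # resolver traffic; the TCP row carries the name
            continue
        conns[(domain, ip, port, proto)] += 1
    iocs = []
    for (domain, ip, port, proto), n in conns.items():
        reasons = []
        if is_dyndns(domain):
            reasons.append("dynamic-dns host")
        if port not in EXPECTED_PORTS:
            reasons.append("non-standard port %d" % port)
        if reasons:
            iocs.append({"domain": domain, "ip": ip, "port": port, "proto": proto,
                         "connections": n, "reasons": reasons})
    iocs.sort(key=lambda i: (-i["connections"], i["domain"]))
    return iocs


def blocklist(iocs):
    """Flat block entries: the hostname and the observed ip:port/proto."""
    entries = set()
    for i in iocs:
        entries.add(i["domain"])
        entries.add("%s:%d/%s" % (i["ip"], i["port"], i["proto"]))
    return sorted(entries)


# Constructed excerpt of the behavioral2 Network table.
SAMPLE_TABLE = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.210:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
"""

if __name__ == "__main__":
    for ioc in extract_c2(SAMPLE_TABLE):
        print(ioc)
    print(blocklist(extract_c2(SAMPLE_TABLE)))
```

Block the specific hostnames and the observed ip:port pairs rather than the dynamic-DNS apex domains, which also serve legitimate users; the hostnames are the stable indicator, since a dynamic-DNS name can be repointed at a new address between detonations.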
Files
memory/1156-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp
memory/1156-1-0x0000000000600000-0x00000000006F2000-memory.dmp
memory/1156-2-0x0000000005630000-0x0000000005BD4000-memory.dmp
memory/1156-3-0x0000000005120000-0x00000000051B2000-memory.dmp
memory/1156-4-0x0000000074A00000-0x00000000751B0000-memory.dmp
memory/1156-5-0x0000000005100000-0x000000000510A000-memory.dmp
memory/1156-6-0x00000000054E0000-0x00000000054FE000-memory.dmp
memory/1156-7-0x0000000005520000-0x0000000005530000-memory.dmp
memory/1156-8-0x0000000005550000-0x0000000005566000-memory.dmp
memory/1156-9-0x00000000066F0000-0x000000000676C000-memory.dmp
memory/1156-10-0x0000000008E10000-0x0000000008EAC000-memory.dmp
memory/4604-15-0x0000000004CE0000-0x0000000004D16000-memory.dmp
memory/1156-16-0x0000000074A0E000-0x0000000074A0F000-memory.dmp
memory/4604-17-0x0000000005350000-0x0000000005978000-memory.dmp
memory/4604-18-0x0000000074A00000-0x00000000751B0000-memory.dmp
memory/4604-19-0x0000000074A00000-0x00000000751B0000-memory.dmp
memory/4604-20-0x0000000074A00000-0x00000000751B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp87FC.tmp
| MD5 | 2573f6eb52917639dd8dc6a6fd291a60 |
| SHA1 | 79d9b256bc2fecebf3c3c42a9608ddb2ae761cb8 |
| SHA256 | fcd9da72234d9e8ebab22342cc12ff6187a818ff93d923ca85e9fe1444eb05fc |
| SHA512 | 6026def83e211c8ff7fcc3b0900914a50fe5d78cf2e5ac9395eb193d82df7368f1d3dc5fc8515534aded7147852732b6badf687ead5ac5a7b26df82f7968e37f |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a254yzjm.lq1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3064-31-0x0000000074A00000-0x00000000751B0000-memory.dmp
memory/3064-35-0x0000000074A00000-0x00000000751B0000-memory.dmp
memory/4604-24-0x00000000059F0000-0x0000000005A56000-memory.dmp
memory/1156-46-0x0000000074A00000-0x00000000751B0000-memory.dmp
memory/4344-48-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3064-47-0x0000000074A00000-0x00000000751B0000-memory.dmp
memory/1156-50-0x0000000074A00000-0x00000000751B0000-memory.dmp
memory/4604-45-0x0000000005C10000-0x0000000005F64000-memory.dmp
memory/4604-23-0x0000000005980000-0x00000000059E6000-memory.dmp
memory/4604-22-0x00000000052A0000-0x00000000052C2000-memory.dmp
memory/4604-51-0x0000000006260000-0x000000000627E000-memory.dmp
memory/4604-52-0x00000000067D0000-0x000000000681C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8C23.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
C:\Users\Admin\AppData\Local\Temp\tmp8D6C.tmp
| MD5 | c4aecdef99eba873119e79616df3f4b0 |
| SHA1 | b1b3af52655fb633eed909dfed05b64fbbfac37c |
| SHA256 | 24fd0d87bea36a024449a95f808aaa174e4ed9003cb8a427b67c02411b8a2e0b |
| SHA512 | e3f44b07267fccf4f5abd4efe80f2b037ddadc4cb898bdfca9d21ac5d79fcac828950065c2060d3ce125ee971fc3096183afee5287ba9951fbbda7257d8ed8d4 |
memory/4344-61-0x0000000005650000-0x000000000565C000-memory.dmp
memory/4344-60-0x0000000005640000-0x000000000564A000-memory.dmp
memory/4344-63-0x0000000005940000-0x000000000594A000-memory.dmp
memory/4344-62-0x0000000005920000-0x000000000593E000-memory.dmp
memory/4604-65-0x00000000752B0000-0x00000000752FC000-memory.dmp
memory/4604-64-0x0000000007440000-0x0000000007472000-memory.dmp
memory/4604-75-0x0000000007420000-0x000000000743E000-memory.dmp
memory/4604-76-0x0000000007480000-0x0000000007523000-memory.dmp
memory/3064-77-0x00000000752B0000-0x00000000752FC000-memory.dmp
memory/3064-88-0x0000000007660000-0x000000000767A000-memory.dmp
memory/3064-87-0x0000000007CA0000-0x000000000831A000-memory.dmp
memory/4604-89-0x0000000007600000-0x000000000760A000-memory.dmp
memory/4604-90-0x0000000007810000-0x00000000078A6000-memory.dmp
memory/4604-91-0x0000000007790000-0x00000000077A1000-memory.dmp
memory/3064-92-0x0000000007890000-0x000000000789E000-memory.dmp
memory/4604-93-0x00000000077D0000-0x00000000077E4000-memory.dmp
memory/4604-94-0x00000000078D0000-0x00000000078EA000-memory.dmp
memory/3064-95-0x0000000007980000-0x0000000007988000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dc12780b8f8e6af0f0567ffed9526d48 |
| SHA1 | 2e7d967b8d247e6096e8e1948a0a6d6aa44cc3d5 |
| SHA256 | 0168c72bc42cca16bcb0fe9798863a0c00daabec9f7b8d6bcf39410c49322171 |
| SHA512 | dfd68ade1897d2dfd90be5fa2c95cb952977500c58b1eafe8d0f7ccc8e99d3b4deac16328be439de106f63a918c3ba3cce7b724c4536fa9bb37a2e8729c25eb3 |
memory/3064-102-0x0000000074A00000-0x00000000751B0000-memory.dmp
memory/4604-101-0x0000000074A00000-0x00000000751B0000-memory.dmp