Analysis Overview
SHA256
44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
Threat Level: Known bad
The file 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c was found to be: Known bad.
Malicious Activity Summary
NanoCore
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-11 08:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-11 08:34
Reported
2024-05-11 08:37
Platform
win7-20240508-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
NanoCore
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files (x86)\\ARP Host\\arphost.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1704 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ARP Host\arphost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ARP Host\arphost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe
"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E6C.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp70FB.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp715A.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
Files
memory/1704-0-0x000000007491E000-0x000000007491F000-memory.dmp
memory/1704-1-0x00000000011D0000-0x00000000012C2000-memory.dmp
memory/1704-2-0x0000000074910000-0x0000000074FFE000-memory.dmp
memory/1704-3-0x0000000000650000-0x000000000066E000-memory.dmp
memory/1704-4-0x00000000006D0000-0x00000000006E0000-memory.dmp
memory/1704-5-0x00000000006E0000-0x00000000006F6000-memory.dmp
memory/1704-6-0x0000000004FF0000-0x000000000506C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6E6C.tmp
| MD5 | 2d3ee718c64e7fee2cb124f69a49ebcf |
| SHA1 | e83c9878aa552893736434af4f49051cfa1b1bd3 |
| SHA256 | 226218576c8a2d68d91bd08db88af98e99d3e1ec7830d041d286a898accde770 |
| SHA512 | 03c9bb80bb175e75ef00c2de1d621f08ad96c077181357a5df8a498c4b6bcb991c45c7555336d81c156a6a730f9182736c89dca19df4c4616c83a3cb652ff083 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UQP5CZ5IQGCB0PNWW95E.temp
| MD5 | d3e4e8fe8581ac256d7b99c9561cc5a4 |
| SHA1 | 170da6db9be372c207ce15aa9a0b30890a5be3b8 |
| SHA256 | 7a8fb699f21b18016a5c4e6feea5895b3efab73a268231256b0dece6d617f2a5 |
| SHA512 | 153bf9ccb1f1415a0cb41b95473f028604fda7a6129d30bdb4a97827016fbebfaf1e7157baca2807812892464eb67e5d95e632264cd7302426afd83ba1256d91 |
memory/1704-19-0x000000007491E000-0x000000007491F000-memory.dmp
memory/2632-20-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2632-22-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2632-30-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2632-32-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2632-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2632-24-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2632-29-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2632-26-0x0000000000400000-0x000000000043A000-memory.dmp
memory/1704-33-0x0000000074910000-0x0000000074FFE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp70FB.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
C:\Users\Admin\AppData\Local\Temp\tmp715A.tmp
| MD5 | 447ab194ab36cb1d20078d80e502b1b2 |
| SHA1 | a947b3b2c91d7c50bb8d39bd4fc91a0d0cc5b1c0 |
| SHA256 | 8d5304b20b7d7dea223ce2738e5668054250d57bf6bed86b305b69924bd472f5 |
| SHA512 | 49ddc557f7f6635627eea9bf0fa12a14b7b13edb235ed560ee0044a7f87fe27b686ff878d347d0273d92eb0b318b8c2bca85c0fbf42d586ed7d7da39eac6a327 |
memory/2632-41-0x00000000003F0000-0x00000000003FA000-memory.dmp
memory/2632-42-0x00000000004E0000-0x00000000004EC000-memory.dmp
memory/2632-43-0x0000000000530000-0x000000000054E000-memory.dmp
memory/2632-44-0x00000000005E0000-0x00000000005EA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-11 08:34
Reported
2024-05-11 08:36
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
NanoCore
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2804 set thread context of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe
"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8ACB.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8F4F.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9309.tmp"
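The process lists for behavioral1 and behavioral2 show the same three-stage chain: the dropper spawns PowerShell to add Defender exclusions (Add-MpPreference -ExclusionPath), imports a scheduled task from an XML file in %TEMP% (schtasks /Create /XML), and launches RegSvcs.exe with no assembly argument as the hollowing target (SetThreadContext from the dropper's PID into it), after which the injected payload registers its own tasks. The script below is an added example, not part of the sandbox report: it runs three detection rules over constructed process-creation events that mirror the behavioral1 tree (PIDs 1704 and 2632 are the report's, the other PIDs, the parent of the dropper, the benign control row and the dict layout are assumptions; Sysmon Event ID 1 or Windows 4688 carry the same fields). It generalises the hollowed-host rule to RegAsm, InstallUtil and MSBuild as well as RegSvcs, which is an assumption beyond what this sample shows.

```python
"""Detection rules for the NanoCore-style persistence chain in this report.

Added example, not the sandbox's own logic. EVENTS is constructed to mirror
the behavioral1 process tree; field names are an assumption.
"""
import ntpath
import re

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe")
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed process-creation events (pid, ppid, image, cmdline).
EVENTS = [
    {"pid": 1704, "ppid": 1200, "image": DROPPER, "cmdline": '"' + DROPPER + '"'},
    # Two Defender exclusions: one for the dropper, one for the copy it is about to write.
    {"pid": 2300, "ppid": 1704, "image": POWERSHELL,
     "cmdline": '"' + POWERSHELL + '" Add-MpPreference -ExclusionPath "' + DROPPER + '"'},
    {"pid": 2316, "ppid": 1704, "image": POWERSHELL,
     "cmdline": '"' + POWERSHELL + r'" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"'},
    # Scheduled task imported from an XML file dropped in %TEMP%.
    {"pid": 2400, "ppid": 1704, "image": SCHTASKS,
     "cmdline": '"' + SCHTASKS + r'" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E6C.tmp"'},
    # RegSvcs.exe started with no assembly argument: the hollowed host (SetThreadContext 1704 -> 2632).
    {"pid": 2632, "ppid": 1704, "image": REGSVCS, "cmdline": '"' + REGSVCS + '"'},
    # The injected payload registers its own task from inside RegSvcs.exe.
    {"pid": 2700, "ppid": 2632, "image": SCHTASKS,
     "cmdline": r'"schtasks.exe" /create /f /tn "ARP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp70FB.tmp"'},
    # Benign control (constructed): an installer importing a task XML from Program Files.
    {"pid": 2900, "ppid": 800, "image": SCHTASKS,
     "cmdline": r'schtasks.exe /create /tn "Backup" /xml "C:\Program Files\Backup\task.xml"'},
]

RE_MP_EXCLUSION = re.compile(r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)
RE_SCHTASKS_XML = re.compile(r'\bschtasks(?:\.exe)?"?\s+/create\b.*?/xml\s+(?:"([^"]+)"|(\S+))', re.I)
RE_USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Windows\\Temp\\", re.I)
# RegSvcs.exe is the host this sample uses; the other .NET utilities are an assumption.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def is_user_writable(path):
    return bool(RE_USER_WRITABLE.search(path))


def schtasks_xml_path(cmdline):
    """Return the /xml argument of a schtasks /create command line, or None."""
    m = RE_SCHTASKS_XML.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def rule_defender_exclusion(ev):
    return bool(RE_MP_EXCLUSION.search(ev["cmdline"]))


def rule_schtasks_xml_from_user_dir(ev):
    path = schtasks_xml_path(ev["cmdline"])
    return path is not None and is_user_writable(path)


def rule_hollowed_dotnet_host(ev, by_pid):
    """A .NET host launched bare (no assembly path) by a parent in a user-writable directory."""
    if ntpath.basename(ev["image"]).lower() not in DOTNET_HOSTS:
        return False
    bare_launch = ev["cmdline"].strip().strip('"').lower() == ev["image"].lower()
    parent = by_pid.get(ev["ppid"])
    return bare_launch and parent is not None and is_user_writable(parent["image"])


def analyze(events):
    """Return (pid, rule) findings in event order."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        if rule_defender_exclusion(ev):
            findings.append((ev["pid"], "defender_exclusion"))
        if rule_schtasks_xml_from_user_dir(ev):
            findings.append((ev["pid"], "schtasks_xml_from_user_dir"))
        if rule_hollowed_dotnet_host(ev, by_pid):
            findings.append((ev["pid"], "hollowed_dotnet_host"))
    return findings


def is_nanocore_like_chain(findings):
    """All three stages together are the pattern in this report; one alone is only suspicious."""
    seen = {rule for _, rule in findings}
    return {"defender_exclusion", "schtasks_xml_from_user_dir", "hollowed_dotnet_host"} <= seen


if __name__ == "__main__":
    for pid, rule in analyze(EVENTS):
        print(pid, rule)
    print("chain complete:", is_nanocore_like_chain(analyze(EVENTS)))
```

Each rule fires on its own in a real pipeline, but the chain check is what separates this sample from an administrator adding an exclusion or an installer importing a task XML: the benign control row is not flagged because its XML lives under Program Files rather than a user-writable path.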
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.226:443 | www.bing.com | tcp |
| BE | 88.221.83.226:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
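Both Network tables (behavioral1 and behavioral2) show the same beaconing: DNS lookups for two dynamic-DNS names, then repeated TCP connections to the resolved hosts on port 65024, with the behavioral2 run adding reverse lookups (in-addr.arpa) and Bing traffic that is Windows background noise. The script below is an added example, not part of the sandbox report: it parses rows copied from the behavioral2 table, discards reverse lookups and web-port traffic, and reduces what is left to the indicators a blocklist or a Sigma/firewall rule would need. The parser and the dynamic-DNS suffix list are this example's own; the suffix list is a starting point, not a complete one.

```python
"""Reduce a sandbox network table to C2 indicators.

Added example, not the sandbox's own logic. SAMPLE is copied from the
behavioral2 Network table of this report; the DDNS suffix list is an assumption.
"""
from collections import Counter

SAMPLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | december2nd.ddns.net | udp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp |
| US | 8.8.8.8:53 | december2n.duckdns.org | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
| US | 192.169.69.26:65024 | december2n.duckdns.org | tcp |
"""

# Starter list of dynamic-DNS providers (assumption); extend it for your environment.
DYNAMIC_DNS_SUFFIXES = ("ddns.net", "duckdns.org", "no-ip.org", "hopto.org", "zapto.org")


def parse_rows(table):
    """Parse '| Country | ip:port | Domain | Proto |' rows into dicts; skips the header."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def is_dynamic_dns(domain):
    return any(domain == s or domain.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def is_reverse_lookup(domain):
    return domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa")


def c2_endpoints(rows, web_ports=(80, 443)):
    """Count TCP connections to dynamic-DNS names on non-web ports (the beacon pattern here)."""
    hits = Counter()
    for r in rows:
        if r["proto"] != "tcp" or is_reverse_lookup(r["domain"]):
            continue
        if is_dynamic_dns(r["domain"]) and r["port"] not in web_ports:
            hits[(r["ip"], r["port"], r["domain"])] += 1
    return hits


def iocs(rows):
    """Deduplicated indicators: C2 domains, ip:port endpoints, and the DNS queries that resolved them."""
    hits = c2_endpoints(rows)
    lookups = {r["domain"] for r in rows
               if r["proto"] == "udp" and r["port"] == 53 and is_dynamic_dns(r["domain"])}
    return {
        "domains": sorted({d for (_, _, d) in hits}),
        "endpoints": sorted({"%s:%d" % (ip, port) for (ip, port, _) in hits}),
        "dns_lookups": sorted(lookups),
    }


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    for (ip, port, domain), n in c2_endpoints(rows).items():
        print("%s:%d (%s) x%d" % (ip, port, domain, n))
    print(iocs(rows))
```

The hit counts (two and three connections within a short detonation) are the beaconing signal; in production, match on the domain and the dynamic-DNS suffix rather than on the IP alone, since the whole point of the operator using ddns.net and duckdns.org is to move the IP without touching the implant.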
Files
memory/2804-0-0x00000000744DE000-0x00000000744DF000-memory.dmp
memory/2804-1-0x0000000000D30000-0x0000000000E22000-memory.dmp
memory/2804-2-0x0000000005EC0000-0x0000000006464000-memory.dmp
memory/2804-3-0x0000000005800000-0x0000000005892000-memory.dmp
memory/2804-4-0x00000000058C0000-0x00000000058CA000-memory.dmp
memory/2804-5-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/2804-6-0x00000000059C0000-0x00000000059DE000-memory.dmp
memory/2804-7-0x0000000005B50000-0x0000000005B60000-memory.dmp
memory/2804-8-0x0000000005B80000-0x0000000005B96000-memory.dmp
memory/2804-9-0x0000000006D50000-0x0000000006DCC000-memory.dmp
memory/2804-10-0x0000000009490000-0x000000000952C000-memory.dmp
memory/3784-15-0x0000000002FA0000-0x0000000002FD6000-memory.dmp
memory/2804-16-0x00000000744DE000-0x00000000744DF000-memory.dmp
memory/3784-18-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3784-17-0x0000000005A60000-0x0000000006088000-memory.dmp
memory/3784-19-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3700-20-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3700-21-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3784-24-0x0000000006090000-0x00000000060F6000-memory.dmp
memory/2804-26-0x00000000744D0000-0x0000000074C80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31ske0yh.24v.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2096-47-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3700-46-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3784-27-0x0000000006240000-0x0000000006594000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8ACB.tmp
| MD5 | eb191f331a938125005e0de35289d1be |
| SHA1 | 9f036798936f34fa5b483f4e47f3ee80afb72b23 |
| SHA256 | 04e80553000a88cae1b459ac57cc5977a59766c001d0223a5ff19b7a44a96cd6 |
| SHA512 | fbc9bc540c2d420541adba4f15523d0b17045c5833eb9b7d2163c4c95d737a5045a18f3f8cbc7a5b0455df8e06d8f20ccbb0ca85acd0f48b886a19b96122f014 |
memory/3784-23-0x0000000005940000-0x00000000059A6000-memory.dmp
memory/3784-22-0x00000000058A0000-0x00000000058C2000-memory.dmp
memory/2804-49-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3784-52-0x0000000006890000-0x00000000068AE000-memory.dmp
memory/3784-54-0x0000000006C20000-0x0000000006C6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8F4F.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
C:\Users\Admin\AppData\Local\Temp\tmp9309.tmp
| MD5 | 2271642ca970891700e3f48439739ed8 |
| SHA1 | cd472df2349f7db9e1e460d0ee28acd97b8a8793 |
| SHA256 | 7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68 |
| SHA512 | 4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807 |
memory/2096-59-0x00000000054B0000-0x00000000054BA000-memory.dmp
memory/2096-61-0x0000000006170000-0x000000000618E000-memory.dmp
memory/2096-62-0x00000000062C0000-0x00000000062CA000-memory.dmp
memory/2096-60-0x0000000006160000-0x000000000616C000-memory.dmp
memory/3700-65-0x0000000070B80000-0x0000000070BCC000-memory.dmp
memory/3784-63-0x0000000006E80000-0x0000000006EB2000-memory.dmp
memory/3784-64-0x0000000070B80000-0x0000000070BCC000-memory.dmp
memory/3784-84-0x0000000006E20000-0x0000000006E3E000-memory.dmp
memory/3784-85-0x0000000007A70000-0x0000000007B13000-memory.dmp
memory/3784-86-0x00000000081F0000-0x000000000886A000-memory.dmp
memory/3784-87-0x0000000007BA0000-0x0000000007BBA000-memory.dmp
memory/3784-88-0x0000000007C10000-0x0000000007C1A000-memory.dmp
memory/3784-89-0x0000000007E20000-0x0000000007EB6000-memory.dmp
memory/3784-90-0x0000000007DA0000-0x0000000007DB1000-memory.dmp
memory/3784-91-0x0000000007DD0000-0x0000000007DDE000-memory.dmp
memory/3784-92-0x0000000007DE0000-0x0000000007DF4000-memory.dmp
memory/3784-93-0x0000000007EE0000-0x0000000007EFA000-memory.dmp
memory/3700-94-0x0000000007310000-0x0000000007318000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7aff546d3ae4bdca5c52f10c5066098c |
| SHA1 | ed5a69f8bcb7f4bb79801505de65e571746fb02c |
| SHA256 | 17408ea57ee0f7029755702f1412a0f80ffbf7fe77cc4c1e6f584903c4e8657d |
| SHA512 | 49575c1420feff8cf82569f5fba7add0f685def8d6759b8681b4e33201464fe177744983d455ccb5fdc64cd1d6f864d2034fba3a288a5b1f30762fdfe259dd6d |
memory/3784-101-0x00000000744D0000-0x0000000074C80000-memory.dmp
memory/3700-100-0x00000000744D0000-0x0000000074C80000-memory.dmp