Analysis Overview
SHA256
04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860
Threat Level: Known bad
The file 04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Detect Xworm Payload
Xworm
AgentTesla payload
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-21 16:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 16:00
Reported
2024-06-21 16:02
Platform
win7-20240508-en
Max time kernel
148s
Max time network
118s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe | N/A |
| N/A | N/A | C:\Windows\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\dwm.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 1.tcp.sa.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\dwm.exe | C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\dwm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAbgBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAZABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AbABlACMAPgA="
C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe
"C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe"
C:\Windows\dwm.exe
"C:\Windows\dwm.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2648 -s 536
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dwm" /tr "C:\Users\Admin\AppData\Roaming\dwm.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {99432D25-E89E-4BE5-80D0-9A29CBCA7107} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\dwm.exe
C:\Users\Admin\AppData\Roaming\dwm.exe
C:\Users\Admin\AppData\Roaming\dwm.exe
C:\Users\Admin\AppData\Roaming\dwm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 1.tcp.sa.ngrok.io | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe
| MD5 | 3d0cf751fb32bf70ed4f71aabebb3510 |
| SHA1 | 9cb2daa219930db66e9fbc0fdbd163b9ea530176 |
| SHA256 | 0469f50854f0dde4fe6c3f21ce5718f8fce4d93b7c7f5c3d87a3be63cf8c8ca4 |
| SHA512 | 00f5087887146714b6d0e4c7db9eafe272acf590046a2ddba359c4cebda16ce8b64ec88095bdb5887e16546af9df255a30f9da1fc16862884638b75d5b23ad1b |
C:\Windows\dwm.exe
| MD5 | cd65113a412150ecdc63837ab1bfe9ba |
| SHA1 | c691b213aa095d0c5b1e724c3121ecc28409735d |
| SHA256 | 06439b356cd3345f9e95eeee776e855c1ed77a9e445de6ce8bdd1765b9157326 |
| SHA512 | ed2ce053a16649d5866bc81a9602f8b9f22dd87d8651657783d0196ec9c1b7fbdd9390099b99a8f5bc07f0830fb4ac0be469ee3bd7ea160348a9e2df699eaeb7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 564d4994f63dac3b91fd1dd7b2a7560c |
| SHA1 | 8c00d9dbe938362e913d53ad098c3f1309016355 |
| SHA256 | 41cc97d79f09be58d6fce1d2f831dea8b7c1f8f05a60c5d939f4f602ef6d6666 |
| SHA512 | edf7f6d6bb89b5a59cb41c5202c8f6f61031a78f60254433a1748ff352e6dea0de3fbe3ebd6fba3fb83dba7ee5d99d7ee0af35a6484992ac44e4469463cf7fe8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCWHO9R01DFAPUPL5JVZ.temp
| MD5 | c29ba10c733f23810f7602258df7fb8c |
| SHA1 | 2f37021c427cb36bbd4b21287e41153bc4e84ee1 |
| SHA256 | 13afc38bf1fc9174bf4fc13388480c85a55f2b3a022fc9a028c32b44c639d693 |
| SHA512 | bb062deab2a7f05a4f30043e746c3c4b4c625028cfa0479b68328fdd9956ca3801eacb2d671e95818e0396cb2b5019013340dfe115fa6ec6562074a0ebca6ab1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 16:00
Reported
2024-06-21 16:02
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
54s
Command Line
Signatures
AgentTesla
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\dwm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe | N/A |
| N/A | N/A | C:\Windows\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\dwm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\dwm.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 1.tcp.sa.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\dwm.exe | C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\dwm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\04709443bf8956006d0f13a21e4d419c2f14b69b2d22ad62b52e10c1d896c860_NeikiAnalytics.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAbgBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAZABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AbABlACMAPgA="
C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe
"C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe"
C:\Windows\dwm.exe
"C:\Windows\dwm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dwm.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "dwm" /tr "C:\Users\Admin\AppData\Roaming\dwm.exe"
C:\Users\Admin\AppData\Roaming\dwm.exe
C:\Users\Admin\AppData\Roaming\dwm.exe
C:\Users\Admin\AppData\Roaming\dwm.exe
C:\Users\Admin\AppData\Roaming\dwm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 1.tcp.sa.ngrok.io | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Zimo Free2.exe
| MD5 | 3d0cf751fb32bf70ed4f71aabebb3510 |
| SHA1 | 9cb2daa219930db66e9fbc0fdbd163b9ea530176 |
| SHA256 | 0469f50854f0dde4fe6c3f21ce5718f8fce4d93b7c7f5c3d87a3be63cf8c8ca4 |
| SHA512 | 00f5087887146714b6d0e4c7db9eafe272acf590046a2ddba359c4cebda16ce8b64ec88095bdb5887e16546af9df255a30f9da1fc16862884638b75d5b23ad1b |
C:\Windows\dwm.exe
| MD5 | cd65113a412150ecdc63837ab1bfe9ba |
| SHA1 | c691b213aa095d0c5b1e724c3121ecc28409735d |
| SHA256 | 06439b356cd3345f9e95eeee776e855c1ed77a9e445de6ce8bdd1765b9157326 |
| SHA512 | ed2ce053a16649d5866bc81a9602f8b9f22dd87d8651657783d0196ec9c1b7fbdd9390099b99a8f5bc07f0830fb4ac0be469ee3bd7ea160348a9e2df699eaeb7 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1ahjvi4.dzm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d775b6d7bb7ad804668df75a5e9b9455 |
| SHA1 | 567110dd4bd79f341697cff48d777584a06f75b5 |
| SHA256 | 6cd235d2bc6d8c4e8281b81956156391290a02aea8306e8bc10c771e6ba3622c |
| SHA512 | a3e78f52ef042adbd4ca9475864c69d3e981fcbe111b8df16ad1e21e61e2c4da4d159fdbd80995e7214697385140c0afc315cc32d7f8a4cd4fa943ca9d175a6a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ce4540390cc4841c8973eb5a3e9f4f7d |
| SHA1 | 2293f30a6f4c9538bc5b06606c10a50ab4ecef8e |
| SHA256 | e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105 |
| SHA512 | 2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2a4825f4f95c5d3d72911c6e7eb902ca |
| SHA1 | 4c22133f24e77211313beb0831980029a53e7dde |
| SHA256 | 59eecad327a693c8b2e3a5932238cda2141c6a0afbba6a5587933c9f2c1025e0 |
| SHA512 | 8e09a61c62a4b83f4f323b5b74f89cc26d708fd1fe646317f5f404af8d4d3fcf327f20f5e4a3b310786c0f639df2d17e1a51def08c95fa964928ad6c08c81386 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 65a68df1062af34622552c4f644a5708 |
| SHA1 | 6f6ecf7b4b635abb0b132d95dac2759dc14b50af |
| SHA256 | 718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35 |
| SHA512 | 4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |