Analysis Overview
SHA256
63c2e0330762479ef2c7d87ff691af7b867275f60a2544de3ce51643b2c5c55d
Threat Level: Known bad
The file Product Inquiry-002.gz was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Vipkeylogger family
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
outlook_win_path
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 13:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 13:35
Reported
2024-10-31 13:39
Platform
win7-20241010-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1304 set thread context of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe
"C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KrNxPXjrA.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrNxPXjrA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp23E5.tmp"
C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe
"C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
memory/1304-0-0x000000007492E000-0x000000007492F000-memory.dmp
memory/1304-1-0x0000000000E70000-0x0000000000F44000-memory.dmp
memory/1304-2-0x0000000074920000-0x000000007500E000-memory.dmp
memory/1304-3-0x0000000000A40000-0x0000000000A5C000-memory.dmp
memory/1304-4-0x000000007492E000-0x000000007492F000-memory.dmp
memory/1304-5-0x0000000074920000-0x000000007500E000-memory.dmp
memory/1304-6-0x00000000008A0000-0x000000000092C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0BFDGF2P7HRZ4OUMKPFN.temp
| MD5 | 43c585cdc02e42f5a4260fe6984cf4b5 |
| SHA1 | a55718112f84b3b1e59f0d7c17ccacd10169b5c8 |
| SHA256 | db26e5c07728e5074d4b4ce921a9b1df791e6cd53434f14adea5af0ce9e0891d |
| SHA512 | a7721a004ef183a67d3886e984d51fdd8d878e6c8357e86e8c1d30769d603da9f050fe2782806d0bd0da94b159ae627e1a5e45098c30b7901929a521a46e1a3a |
C:\Users\Admin\AppData\Local\Temp\tmp23E5.tmp
| MD5 | a96824c81909a2c5e416e70714c5b749 |
| SHA1 | 417dfc1bb8219b5b868176302e04cafd27408918 |
| SHA256 | 899327909e22c3e3c1e3ef180aefec104bcc1313ca04af1cbac0b8c2df89d5b9 |
| SHA512 | 9be9234180fbd387bd52c64b256226234ee98c67c0c03a48b54bca1d5fd0baaebcdf08d70e1b43420a3814359fe43c2d892d988cda6e20e62d1f22cc1664af52 |
memory/2844-31-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2844-28-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2844-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2844-25-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2844-23-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2844-21-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2844-19-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2844-29-0x0000000000400000-0x0000000000448000-memory.dmp
memory/1304-32-0x0000000074920000-0x000000007500E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 13:35
Reported
2024-10-31 13:38
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
138s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4448 set thread context of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe
"C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KrNxPXjrA.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KrNxPXjrA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA52.tmp"
C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe
"C:\Users\Admin\AppData\Local\Temp\Product Inquiry-002.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 168.6.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4448-0-0x000000007448E000-0x000000007448F000-memory.dmp
memory/4448-1-0x0000000000BD0000-0x0000000000CA4000-memory.dmp
memory/4448-2-0x0000000005CA0000-0x0000000006244000-memory.dmp
memory/4448-3-0x00000000056F0000-0x0000000005782000-memory.dmp
memory/4448-4-0x00000000057F0000-0x00000000057FA000-memory.dmp
memory/4448-5-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/4448-6-0x0000000005960000-0x000000000597C000-memory.dmp
memory/4448-7-0x000000007448E000-0x000000007448F000-memory.dmp
memory/4448-8-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/4448-9-0x0000000002F80000-0x000000000300C000-memory.dmp
memory/4448-10-0x000000000DC20000-0x000000000DCBC000-memory.dmp
memory/1308-15-0x0000000002320000-0x0000000002356000-memory.dmp
memory/1308-17-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/1308-16-0x0000000004D90000-0x00000000053B8000-memory.dmp
memory/1308-18-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/3920-19-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/3920-21-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/1308-23-0x0000000005560000-0x00000000055C6000-memory.dmp
memory/1308-22-0x00000000054C0000-0x00000000054E2000-memory.dmp
memory/4084-25-0x0000000000400000-0x0000000000448000-memory.dmp
memory/1308-27-0x0000000005640000-0x0000000005994000-memory.dmp
memory/1308-26-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/1308-24-0x00000000055D0000-0x0000000005636000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDA52.tmp
| MD5 | 0c61e142d5c063f6219c751d876e35b7 |
| SHA1 | 606911d6adb6d4249b5c9d9289a7361ef2c26fa8 |
| SHA256 | 5a39f37ff0792469dfe1f6c80fa1f642b2677c0280676f7f29de29f98e1021ad |
| SHA512 | d6b312777748f191f3c4a8a024ac9f1e3fcf901bfa8d2d8d4c9e6de083b093dea37d3f0fbca7b07f405578f4075163af2626e6268e6ff44114b05f68b52bc3e2 |
memory/3920-29-0x0000000074480000-0x0000000074C30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1w0m3eew.wvd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4448-30-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/1308-49-0x0000000005C40000-0x0000000005C5E000-memory.dmp
memory/1308-50-0x0000000005CD0000-0x0000000005D1C000-memory.dmp
memory/1308-51-0x0000000006BF0000-0x0000000006C22000-memory.dmp
memory/1308-52-0x0000000070B00000-0x0000000070B4C000-memory.dmp
memory/3920-63-0x0000000070B00000-0x0000000070B4C000-memory.dmp
memory/1308-62-0x0000000006BB0000-0x0000000006BCE000-memory.dmp
memory/1308-73-0x0000000006E30000-0x0000000006ED3000-memory.dmp
memory/1308-74-0x00000000075B0000-0x0000000007C2A000-memory.dmp
memory/1308-75-0x0000000006F60000-0x0000000006F7A000-memory.dmp
memory/1308-76-0x0000000006FD0000-0x0000000006FDA000-memory.dmp
memory/3920-77-0x0000000007F00000-0x0000000007F96000-memory.dmp
memory/1308-78-0x0000000007160000-0x0000000007171000-memory.dmp
memory/3920-79-0x0000000007EB0000-0x0000000007EBE000-memory.dmp
memory/3920-80-0x0000000007EC0000-0x0000000007ED4000-memory.dmp
memory/3920-81-0x0000000007FC0000-0x0000000007FDA000-memory.dmp
memory/3920-82-0x0000000007FA0000-0x0000000007FA8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 70f4957652a42b6b95fe708059bc400b |
| SHA1 | b03086af375704eaa6f911f31824797f466978e4 |
| SHA256 | cdd644dc46e4128d2fac9fbae3ee7e84f14a9ea915772199d7a29aee4f3880b6 |
| SHA512 | f7374261803c7a27cb877f5e381efb51de08c19875195f7c974cc408205ddb2a4e9feba02c4df333705710d451e3c714892114aa68e91f96014a651b68788a56 |
memory/3920-89-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/1308-88-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/4084-90-0x0000000006490000-0x0000000006652000-memory.dmp
memory/4084-91-0x0000000006310000-0x0000000006360000-memory.dmp