Analysis Overview
SHA256
ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f
Threat Level: Shows suspicious behavior
The file ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f was found to show suspicious behavior.
Malicious Activity Summary
Deletes itself
Indicator Removal: File Deletion
UPX packed file
Unsigned PE
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 08:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 08:10
Reported
2024-11-13 08:12
Platform
win7-20240903-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Indicator Removal: File Deletion
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MUICACHE | C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe
"C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe"
C:\Windows\SysWOW64\cmd.exe
/c wmic path win32_usbcontrollerdevice
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_usbcontrollerdevice
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell Remove-Item -Path "$env:TEMP\*.exe" -Recurse -Force
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -ExecutionPolicy Bypass -File C:\kill.ps1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Remove-Item -Path "$env:TEMP\*.exe" -Recurse -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File C:\kill.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | top.top666666.win | udp |
Files
memory/1916-1-0x0000000010000000-0x0000000010018000-memory.dmp
memory/1916-0-0x0000000010000000-0x0000000010018000-memory.dmp
memory/1916-3-0x0000000077174000-0x0000000077175000-memory.dmp
memory/1916-2-0x0000000037160000-0x0000000037170000-memory.dmp
memory/1916-5-0x0000000077160000-0x0000000077270000-memory.dmp
memory/1916-4-0x0000000001F50000-0x0000000001FDA000-memory.dmp
memory/1916-6-0x0000000001F50000-0x0000000001FDA000-memory.dmp
memory/1916-8-0x0000000077160000-0x0000000077270000-memory.dmp
memory/1916-9-0x0000000010000000-0x0000000010018000-memory.dmp
memory/1916-12-0x0000000077160000-0x0000000077270000-memory.dmp
memory/1916-11-0x0000000010000000-0x0000000010018000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 768bcc446daf8d4ec5fee65be7d048d8 |
| SHA1 | e32cceed22649223a089331132c4be64d5239a2c |
| SHA256 | 04dac7fa5ab6e6b0daebc5244c6fda893242df4eebb61763d03c3023b4a5cc34 |
| SHA512 | 0839f95a21c66dd07e02b1d0524fca2d2bdab9aec57a8e78ff71a97b4d8a65c14a91db67cba63203c1e18fb7553b52604746b8eadc61186ef05798b7ecda34a9 |
C:\kill.ps1
| MD5 | fd0c40bece0fa72db59aaf39111db33f |
| SHA1 | d7f686ab25627ca38d5cba74a2af378b9981bae0 |
| SHA256 | a0d5dacd1e7cd1b26a45d41cb8ece2df03d78c71ca43283bf3eea1c32b514862 |
| SHA512 | 3867cc66e518203b60a1de9d021a6443ed90ae1d51773bed20aaf63e496c093abc5a0bf2eb8546f08a0164d241101d866b58a3824bdef1e10eaa149879678bf9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 08:10
Reported
2024-11-13 08:12
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Indicator Removal: File Deletion
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE | C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe
"C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe"
C:\Windows\SysWOW64\cmd.exe
/c wmic path win32_usbcontrollerdevice
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_usbcontrollerdevice
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell Remove-Item -Path "$env:TEMP\*.exe" -Recurse -Force
C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -ExecutionPolicy Bypass -File C:\kill.ps1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Remove-Item -Path "$env:TEMP\*.exe" -Recurse -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -File C:\kill.ps1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | top.top666666.win | udp |
| US | 8.8.8.8:53 | 68.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
memory/1068-1-0x0000000010000000-0x0000000010018000-memory.dmp
memory/1068-0-0x0000000010000000-0x0000000010018000-memory.dmp
memory/1068-3-0x0000000075D90000-0x0000000075D91000-memory.dmp
memory/1068-2-0x0000000035D80000-0x0000000035D90000-memory.dmp
memory/1068-4-0x0000000075D70000-0x0000000075E60000-memory.dmp
memory/1068-6-0x0000000075D70000-0x0000000075E60000-memory.dmp
memory/1068-7-0x00000000025C0000-0x000000000264A000-memory.dmp
memory/1068-5-0x00000000025C0000-0x000000000264A000-memory.dmp
memory/1068-14-0x0000000075D70000-0x0000000075E60000-memory.dmp
memory/1068-13-0x0000000075D70000-0x0000000075E60000-memory.dmp
memory/1068-12-0x0000000075D70000-0x0000000075E60000-memory.dmp
memory/1068-11-0x0000000075D70000-0x0000000075E60000-memory.dmp
memory/1068-10-0x0000000075D70000-0x0000000075E60000-memory.dmp
memory/1068-9-0x0000000075D70000-0x0000000075E60000-memory.dmp
memory/1068-15-0x0000000010000000-0x0000000010018000-memory.dmp
memory/1068-17-0x0000000010000000-0x0000000010018000-memory.dmp
memory/1068-18-0x0000000075D70000-0x0000000075E60000-memory.dmp
memory/3908-19-0x0000000002AB0000-0x0000000002AE6000-memory.dmp
memory/3908-20-0x00000000054A0000-0x0000000005AC8000-memory.dmp
memory/4472-21-0x0000000005A70000-0x0000000005A92000-memory.dmp
memory/3908-22-0x0000000005BD0000-0x0000000005C36000-memory.dmp
memory/4472-23-0x00000000062E0000-0x0000000006346000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0u1fku0.b1a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4472-38-0x0000000006350000-0x00000000066A4000-memory.dmp
memory/4472-43-0x0000000006930000-0x000000000694E000-memory.dmp
memory/3908-44-0x0000000006400000-0x000000000644C000-memory.dmp
C:\kill.ps1
| MD5 | fd0c40bece0fa72db59aaf39111db33f |
| SHA1 | d7f686ab25627ca38d5cba74a2af378b9981bae0 |
| SHA256 | a0d5dacd1e7cd1b26a45d41cb8ece2df03d78c71ca43283bf3eea1c32b514862 |
| SHA512 | 3867cc66e518203b60a1de9d021a6443ed90ae1d51773bed20aaf63e496c093abc5a0bf2eb8546f08a0164d241101d866b58a3824bdef1e10eaa149879678bf9 |
memory/3908-46-0x0000000007390000-0x0000000007426000-memory.dmp
memory/3908-47-0x00000000068D0000-0x00000000068EA000-memory.dmp
memory/3908-48-0x0000000006940000-0x0000000006962000-memory.dmp
memory/3908-49-0x00000000079E0000-0x0000000007F84000-memory.dmp
memory/4472-52-0x0000000008C20000-0x000000000929A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 467aef1b6dc1e6ba73e3709a89e35675 |
| SHA1 | 96292de9e71795af3de3ff4c93a4905eb4fafb66 |
| SHA256 | 38c3f56279cea99a0051e7db19c11f7fe244a60e1836807651644aa8c3244fb7 |
| SHA512 | 2436067bb0c19e566a05916afd21bbb290208ea9e502759d29fb762ce15721e076f0a225a1c1657308a8aded96f4372401b89a27bc1508e75a3e2f52470d9c85 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | def65711d78669d7f8e69313be4acf2e |
| SHA1 | 6522ebf1de09eeb981e270bd95114bc69a49cda6 |
| SHA256 | aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c |
| SHA512 | 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7 |