Malware Analysis Report

2024-12-07 17:07

Sample ID 241113-j2tmnsxmbx
Target ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f
SHA256 ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f
Tags
defense_evasion discovery execution upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f

Threat Level: Shows suspicious behavior

The file ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery execution upx

Deletes itself

Indicator Removal: File Deletion

UPX packed file

Unsigned PE

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 08:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 08:10

Reported

2024-11-13 08:12

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Indicator Removal: File Deletion

defense_evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MUICACHE C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2200 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2200 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2200 wrote to memory of 2100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1916 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2660 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2668 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

Process tree (indentation shows parent/child; the sample spawns three cmd.exe children, each of which launches one further process):

C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe
  "C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe"

  C:\Windows\SysWOW64\cmd.exe
    /c wmic path win32_usbcontrollerdevice

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_usbcontrollerdevice

  C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Remove-Item -Path "$env:TEMP\*.exe" -Recurse -Force

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Remove-Item -Path "$env:TEMP\*.exe" -Recurse -Force

  C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -ExecutionPolicy Bypass -File C:\kill.ps1

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -File C:\kill.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 top.top666666.win udp

Files

memory/1916-1-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1916-0-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1916-3-0x0000000077174000-0x0000000077175000-memory.dmp

memory/1916-2-0x0000000037160000-0x0000000037170000-memory.dmp

memory/1916-5-0x0000000077160000-0x0000000077270000-memory.dmp

memory/1916-4-0x0000000001F50000-0x0000000001FDA000-memory.dmp

memory/1916-6-0x0000000001F50000-0x0000000001FDA000-memory.dmp

memory/1916-8-0x0000000077160000-0x0000000077270000-memory.dmp

memory/1916-9-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1916-12-0x0000000077160000-0x0000000077270000-memory.dmp

memory/1916-11-0x0000000010000000-0x0000000010018000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 768bcc446daf8d4ec5fee65be7d048d8
SHA1 e32cceed22649223a089331132c4be64d5239a2c
SHA256 04dac7fa5ab6e6b0daebc5244c6fda893242df4eebb61763d03c3023b4a5cc34
SHA512 0839f95a21c66dd07e02b1d0524fca2d2bdab9aec57a8e78ff71a97b4d8a65c14a91db67cba63203c1e18fb7553b52604746b8eadc61186ef05798b7ecda34a9

C:\kill.ps1

MD5 fd0c40bece0fa72db59aaf39111db33f
SHA1 d7f686ab25627ca38d5cba74a2af378b9981bae0
SHA256 a0d5dacd1e7cd1b26a45d41cb8ece2df03d78c71ca43283bf3eea1c32b514862
SHA512 3867cc66e518203b60a1de9d021a6443ed90ae1d51773bed20aaf63e496c093abc5a0bf2eb8546f08a0164d241101d866b58a3824bdef1e10eaa149879678bf9

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 08:10

Reported

2024-11-13 08:12

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Indicator Removal: File Deletion

defense_evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4004 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4004 wrote to memory of 3984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1068 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2280 wrote to memory of 3908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3668 wrote to memory of 4472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

Process tree (indentation shows parent/child; the sample spawns three cmd.exe children, each of which launches one further process):

C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe
  "C:\Users\Admin\AppData\Local\Temp\ea35db64557ad346b721c2ffc408f57e4d7e59f1d9b0f3bcdeefb63ee88b060f.exe"

  C:\Windows\SysWOW64\cmd.exe
    /c wmic path win32_usbcontrollerdevice

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_usbcontrollerdevice

  C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell Remove-Item -Path "$env:TEMP\*.exe" -Recurse -Force

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Remove-Item -Path "$env:TEMP\*.exe" -Recurse -Force

  C:\Windows\SysWOW64\cmd.exe
    cmd /c powershell -ExecutionPolicy Bypass -File C:\kill.ps1

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -File C:\kill.ps1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 top.top666666.win udp
US 8.8.8.8:53 68.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/1068-1-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1068-0-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1068-3-0x0000000075D90000-0x0000000075D91000-memory.dmp

memory/1068-2-0x0000000035D80000-0x0000000035D90000-memory.dmp

memory/1068-4-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/1068-6-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/1068-7-0x00000000025C0000-0x000000000264A000-memory.dmp

memory/1068-5-0x00000000025C0000-0x000000000264A000-memory.dmp

memory/1068-14-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/1068-13-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/1068-12-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/1068-11-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/1068-10-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/1068-9-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/1068-15-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1068-17-0x0000000010000000-0x0000000010018000-memory.dmp

memory/1068-18-0x0000000075D70000-0x0000000075E60000-memory.dmp

memory/3908-19-0x0000000002AB0000-0x0000000002AE6000-memory.dmp

memory/3908-20-0x00000000054A0000-0x0000000005AC8000-memory.dmp

memory/4472-21-0x0000000005A70000-0x0000000005A92000-memory.dmp

memory/3908-22-0x0000000005BD0000-0x0000000005C36000-memory.dmp

memory/4472-23-0x00000000062E0000-0x0000000006346000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0u1fku0.b1a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4472-38-0x0000000006350000-0x00000000066A4000-memory.dmp

memory/4472-43-0x0000000006930000-0x000000000694E000-memory.dmp

memory/3908-44-0x0000000006400000-0x000000000644C000-memory.dmp

C:\kill.ps1

MD5 fd0c40bece0fa72db59aaf39111db33f
SHA1 d7f686ab25627ca38d5cba74a2af378b9981bae0
SHA256 a0d5dacd1e7cd1b26a45d41cb8ece2df03d78c71ca43283bf3eea1c32b514862
SHA512 3867cc66e518203b60a1de9d021a6443ed90ae1d51773bed20aaf63e496c093abc5a0bf2eb8546f08a0164d241101d866b58a3824bdef1e10eaa149879678bf9

memory/3908-46-0x0000000007390000-0x0000000007426000-memory.dmp

memory/3908-47-0x00000000068D0000-0x00000000068EA000-memory.dmp

memory/3908-48-0x0000000006940000-0x0000000006962000-memory.dmp

memory/3908-49-0x00000000079E0000-0x0000000007F84000-memory.dmp

memory/4472-52-0x0000000008C20000-0x000000000929A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 467aef1b6dc1e6ba73e3709a89e35675
SHA1 96292de9e71795af3de3ff4c93a4905eb4fafb66
SHA256 38c3f56279cea99a0051e7db19c11f7fe244a60e1836807651644aa8c3244fb7
SHA512 2436067bb0c19e566a05916afd21bbb290208ea9e502759d29fb762ce15721e076f0a225a1c1657308a8aded96f4372401b89a27bc1508e75a3e2f52470d9c85

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7