Malware Analysis Report

2025-06-16 03:09

Sample ID 210806-shpdv4rhj6
Target BL#TELEX-SHIPMENT-POC76120.exe
SHA256 bd0328f6be16f7c73f39a16739960a069d4812943cfbc93000bbe2a3eed45039
Tags
agenttesla keylogger persistence spyware stealer trojan oski infostealer
score
10/10

Analysis Overview

score
10/10

SHA256

bd0328f6be16f7c73f39a16739960a069d4812943cfbc93000bbe2a3eed45039

Threat Level: Known bad

The file BL#TELEX-SHIPMENT-POC76120.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger persistence spyware stealer trojan oski infostealer

Oski

AgentTesla

AgentTesla Payload

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-08-06 13:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-08-06 13:45

Reported

2021-08-06 13:48

Platform

win7v20210410

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\FsYYqg = "C:\\Users\\Admin\\AppData\\Roaming\\FsYYqg\\FsYYqg.exe" C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1036 set thread context of 240 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1036 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\schtasks.exe
PID 1036 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\schtasks.exe
PID 1036 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\schtasks.exe
PID 1036 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\schtasks.exe
PID 1036 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1036 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 1036 wrote to memory of 240 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 240 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\apwxc.exe
PID 240 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\apwxc.exe
PID 240 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\apwxc.exe
PID 240 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\apwxc.exe
PID 1648 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1648 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1648 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1648 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe

"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\apZSuwq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32B4.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe"

C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe

"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"

C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe

"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"

C:\Users\Admin\AppData\Local\Temp\apwxc.exe

"C:\Users\Admin\AppData\Local\Temp\apwxc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\apwxc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Users\Admin\AppData\Local\Temp\apwxc.exe

"C:\Users\Admin\AppData\Local\Temp\apwxc.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 swsaseguranca.com.br udp
N/A 162.241.203.110:80 swsaseguranca.com.br tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp32B4.tmp

MD5 7af89b95f38444b1ea72a964db565e94
SHA1 35aa04d761a970c49a39f686d17936cbe154bccf
SHA256 d7d413cfa82023a736ef26a0792ee68fd9aa3537fde40fa24608a9b6eb1b6f33
SHA512 c418f8f3aaa4ba5a5f7725b4577b5a8d269a8c0b60b00f83a7e5baff1b98256e169937f49b5e89d0cbaa2c3219eb1cf682334240a801480e13b9ec908a6783e9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 948ad1f6822d7bb3d294ee157956aca2
SHA1 ff59dd6fd17c8e52c2deba4f900d4ca234639906
SHA256 770a3659fa688b761178552aa5833dec59537515e11258326da32ef59d66ecf8
SHA512 a6aa13c52bae73a8a2766e87c7f5b313ed614b2c9996bbfeb975ae051e68165d0050a894d975dbf1b3bd6aae80b594cd841e00f835e362be0de7b386ada9584e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 0de64a9c72cbd034b7647aaed8c9e42c
SHA1 82862ee4e5c020af42c34cf429687171cf84d8ce
SHA256 db9dc774a671107df22dad7b5419e356d799f3b3e4e98bc33da3a80b4f1f4ab5
SHA512 e80e4b130bb62511ed6cc4351d85779f20b5e00c531a625dcfdf8f25a3a9958a54cff81123340b807ce5fb08d7b97ba7b89a63d2e0d1bcee3a899c0e053ffbee

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9

MD5 b6d38f250ccc9003dd70efd3b778117f
SHA1 d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a
SHA256 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265
SHA512 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba

MD5 75a8da7754349b38d64c87c938545b1b
SHA1 5c28c257d51f1c1587e29164cc03ea880c21b417
SHA256 bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96
SHA512 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5

MD5 02ff38ac870de39782aeee04d7b48231
SHA1 0390d39fa216c9b0ecdb38238304e518fb2b5095
SHA256 fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876
SHA512 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b

MD5 df44874327d79bd75e4264cb8dc01811
SHA1 1396b06debed65ea93c24998d244edebd3c0209d
SHA256 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181
SHA512 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598

MD5 5e3c7184a75d42dda1a83606a45001d8
SHA1 94ca15637721d88f30eb4b6220b805c5be0360ed
SHA256 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59
SHA512 fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370

MD5 be4d72095faf84233ac17b94744f7084
SHA1 cc78ce5b9c57573bd214a8f423ee622b00ebb1ec
SHA256 b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc
SHA512 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c

MD5 a725bb9fafcf91f3c6b7861a2bde6db2
SHA1 8bb5b83f3cc37ff1e5ea4f02acae38e72364c114
SHA256 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431
SHA512 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5 b4d7ee94429419f75655f4cc5a75b7d9
SHA1 29beb6812cbc71f1cf7044801b3ad3850705de06
SHA256 85811f0b4c7828e7379994ffe1fc153fc0d10b2d8ad34664116f1d87780df736
SHA512 929af1807ab14e6699c6ec19a8f9e4a00beec0c4b5927e022c9c6bbd051eafb0ef7d938af1a695785183df60e1b406e486dacb6995df3af1de697be4d1c9fa46

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb

MD5 597009ea0430a463753e0f5b1d1a249e
SHA1 4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62
SHA256 3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d
SHA512 5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85476360-8cea-42c3-ad65-564b0710de6f

MD5 a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA1 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256 dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA512 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_813ec99d-515c-41a4-8d23-a21962538a25

MD5 354b8209f647a42e2ce36d8cf326cc92
SHA1 98c3117f797df69935f8b09fc9e95accfe3d8346
SHA256 feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239
SHA512 420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_06809adb-70aa-468c-9fe6-22560a97035c

MD5 d89968acfbd0cd60b51df04860d99896
SHA1 b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA256 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512 b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c442ad28-c044-49ec-9c30-60178334033b

MD5 7f79b990cb5ed648f9e583fe35527aa7
SHA1 71b177b48c8bd745ef02c2affad79ca222da7c33
SHA256 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA512 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

C:\Users\Admin\AppData\Local\Temp\apwxc.exe

MD5 8663ed0caec9adcb980a4a7ea23e7984
SHA1 e6dcb19362e88b50ab1990e7032437072f104e98
SHA256 bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
SHA512 fd75e6bde035e103e84322411ca7b4107f1673d03170b940af3066f9f4eb58b063ec244302c8dccab87f5816e2b55a177dc1c1d7f498742fd8e0f24fb64317a9

C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp

MD5 bf64d4a655b245b1bd560dc86f73e713
SHA1 1d4f7d13342afec5792fc9b185b61bed22e2ac0a
SHA256 300263401335f862275dbb971f8b50f9b4c6bbb7cc6059363d333755861b9050
SHA512 f063c9b7fd140d7a8807e5d10042f5136283db4f3d7e40089b3345b4ea9a818e01aab53ab09f23efd0cf1f120667010dcec41762eb0d5923928fa4147124b931

Analysis: behavioral2

Detonation Overview

Submitted

2021-08-06 13:45

Reported

2021-08-06 13:47

Platform

win10v20210408

Max time kernel

150s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Oski

infostealer oski

AgentTesla Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\FsYYqg = "C:\\Users\\Admin\\AppData\\Roaming\\FsYYqg\\FsYYqg.exe" C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 664 set thread context of 3932 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 664 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\schtasks.exe
PID 664 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\schtasks.exe
PID 664 wrote to memory of 2112 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\schtasks.exe
PID 664 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 664 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 664 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 664 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 664 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 664 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 664 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 664 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 664 wrote to memory of 3932 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe
PID 3932 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\apwxc.exe
PID 3932 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\apwxc.exe
PID 3932 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe C:\Users\Admin\AppData\Local\Temp\apwxc.exe
PID 3016 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3016 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\apwxc.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe

"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\apZSuwq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AD7.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe"

C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe

"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"

C:\Users\Admin\AppData\Local\Temp\apwxc.exe

"C:\Users\Admin\AppData\Local\Temp\apwxc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\apwxc.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF62.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe"

C:\Users\Admin\AppData\Local\Temp\apwxc.exe

"C:\Users\Admin\AppData\Local\Temp\apwxc.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 swsaseguranca.com.br udp
N/A 162.241.203.110:80 swsaseguranca.com.br tcp

Files

memory/664-114-0x0000000000850000-0x0000000000851000-memory.dmp

memory/664-116-0x00000000057F0000-0x00000000057F1000-memory.dmp

memory/664-117-0x00000000051C0000-0x00000000051C1000-memory.dmp

memory/664-118-0x0000000005160000-0x0000000005161000-memory.dmp

memory/664-119-0x00000000052F0000-0x00000000057EE000-memory.dmp

memory/664-120-0x0000000007690000-0x0000000007691000-memory.dmp

memory/664-121-0x00000000053D0000-0x00000000053E3000-memory.dmp

memory/664-122-0x00000000075F0000-0x0000000007682000-memory.dmp

memory/664-123-0x0000000009E70000-0x0000000009EA9000-memory.dmp

memory/1820-124-0x0000000000000000-mapping.dmp

memory/2088-126-0x0000000000000000-mapping.dmp

memory/2112-128-0x0000000000000000-mapping.dmp

memory/1820-129-0x00000000044B0000-0x00000000044B1000-memory.dmp

memory/1820-131-0x0000000007170000-0x0000000007171000-memory.dmp

memory/1820-136-0x00000000045D2000-0x00000000045D3000-memory.dmp

memory/1820-135-0x00000000045D0000-0x00000000045D1000-memory.dmp

memory/2088-137-0x00000000041A0000-0x00000000041A1000-memory.dmp

memory/2088-138-0x00000000041A2000-0x00000000041A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3AD7.tmp

MD5 71690438d71ee055dd3e790174dc4a43
SHA1 805809667652c49aa87c9a8f51c5209072070fed
SHA256 b5887274341e365dcf4a30aac82e57d2ea4a7fa8a12ce7e0faf2dc77828e4315
SHA512 2912ba30feae1bf83732fd671a1a3c884f7d32ef11c38e7b715eb5fa549df306a596717b557aca2ab5fb97a7a9d5f494fb951dfdf050c4128d94a38678c5fa89

memory/3848-140-0x0000000000000000-mapping.dmp

memory/3932-141-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3932-142-0x000000000043782E-mapping.dmp

memory/3848-151-0x00000000079E0000-0x00000000079E1000-memory.dmp

memory/3932-154-0x00000000053B0000-0x00000000058AE000-memory.dmp

memory/2088-155-0x0000000007420000-0x0000000007421000-memory.dmp

memory/3848-158-0x00000000050B0000-0x00000000050B1000-memory.dmp

memory/2088-159-0x0000000006D80000-0x0000000006D81000-memory.dmp

memory/3848-162-0x00000000050B2000-0x00000000050B3000-memory.dmp

memory/3848-163-0x00000000083B0000-0x00000000083B1000-memory.dmp

memory/3848-166-0x00000000075F0000-0x00000000075F1000-memory.dmp

memory/2088-169-0x0000000007A00000-0x0000000007A01000-memory.dmp

memory/2088-172-0x0000000007C60000-0x0000000007C61000-memory.dmp

memory/3848-197-0x0000000009A50000-0x0000000009A83000-memory.dmp

memory/3848-235-0x000000007EF60000-0x000000007EF61000-memory.dmp

memory/2088-236-0x000000007F770000-0x000000007F771000-memory.dmp

memory/1820-237-0x000000007E700000-0x000000007E701000-memory.dmp

memory/3848-260-0x00000000050B3000-0x00000000050B4000-memory.dmp

memory/1820-266-0x00000000045D3000-0x00000000045D4000-memory.dmp

memory/2088-262-0x00000000041A3000-0x00000000041A4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f3fcc6c9bac7d4151817db32e729fe8
SHA1 9fcd413798488dc4c6b90d7ca8855c57e39f7fa7
SHA256 78d9b56329dbafdf4dff62f87d49a2ce9bb340d938ff80e87bcb46568b50fa5d
SHA512 1bad783500ee6905b255d7548eafb51ef185dfd6b87b10571721f1f03d95d187abcd389880381314fae2d578486627d797633165ce9bb44df58085f962d7039c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

memory/3016-885-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\apwxc.exe

MD5 8663ed0caec9adcb980a4a7ea23e7984
SHA1 e6dcb19362e88b50ab1990e7032437072f104e98
SHA256 bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750
SHA512 fd75e6bde035e103e84322411ca7b4107f1673d03170b940af3066f9f4eb58b063ec244302c8dccab87f5816e2b55a177dc1c1d7f498742fd8e0f24fb64317a9

memory/3016-894-0x0000000004BE0000-0x00000000050DE000-memory.dmp

memory/2540-898-0x0000000000000000-mapping.dmp

memory/1280-899-0x0000000000000000-mapping.dmp

memory/1708-900-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCF62.tmp

MD5 8229b450d30b9d1b14c3febe972026ee
SHA1 5fb031ef7f2918ab3bb7d51f3d7dbfab50d22964
SHA256 919eb7c6840a70e585157ad93d71b380a7a1c4061ec866369fcb4c3f0b957b24
SHA512 23e9f915169808457005f7f6610c893245f223370edc4339893c5e3863bff015cec71617d905746ca15cfc7a23478e21f3bbf0448e8713f053126d7ff8b58153

memory/4000-914-0x0000000000000000-mapping.dmp

memory/2540-916-0x00000000042A0000-0x00000000042A1000-memory.dmp

memory/2540-917-0x00000000042A2000-0x00000000042A3000-memory.dmp

memory/2940-920-0x000000000040717B-mapping.dmp

memory/1280-919-0x0000000006A40000-0x0000000006A41000-memory.dmp

memory/1280-921-0x0000000006A42000-0x0000000006A43000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\apwxc.exe

MD5 e138bafdec89ef959a18b71e01334883
SHA1 233ddf6a55ddc5199254fc536dd6dcd91425289d
SHA256 4e8a77666313dc3c5aeaa4c302e07282914e67940952e43ca740f9ff20c3131c
SHA512 41c4a7dfeb32112fb29222c8a40f16d7135febfa441ef48f83bf5bb1deb8b7af5343e12c73246ac0936a50af892603fe21a90e12fb6c1fdc98d5536b273f902f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f3fcc6c9bac7d4151817db32e729fe8
SHA1 9fcd413798488dc4c6b90d7ca8855c57e39f7fa7
SHA256 78d9b56329dbafdf4dff62f87d49a2ce9bb340d938ff80e87bcb46568b50fa5d
SHA512 1bad783500ee6905b255d7548eafb51ef185dfd6b87b10571721f1f03d95d187abcd389880381314fae2d578486627d797633165ce9bb44df58085f962d7039c
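The memory-dump names in the listing above carry the pivot a practitioner needs: most children have a "0x0000000000000000-mapping.dmp" entry, but PID 3932 has its mapping at 0x43782E inside a dumped 0x400000-0x43C000 region (0x400000 is the default image base of a 32-bit EXE) and PID 2940 has one at 0x40717B. Reading the non-zero mapping address as the thread start address the sandbox saw rewritten in that process, consistent with the "Suspicious use of SetThreadContext" signature in the summary, is an interpretation of the dump naming, not something the page states. The following is an added example, not part of the report: it parses the dump names copied from the listing, groups them by PID and reports the processes with a rewritten start address together with the RVA to look at inside the dumped image.

```python
"""Group the sandbox memory dumps by PID and pick out the processes that got a
new thread start address written into them.

Added example, not part of the report. The dump names are copied from the
"Files" listing. Reading "<pid>-<n>-<addr>-mapping.dmp" as the start address the
sandbox saw set on a thread (0x0 for an ordinary child, non-zero when the
parent rewrote it, which matches the "Suspicious use of SetThreadContext"
signature in the summary) is an interpretation of the dump naming, not
something this page states.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?:"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory"
    r"|0x(?P<entry>[0-9A-Fa-f]+)-mapping"
    r")\.dmp$"
)


def parse_dumps(names):
    """Return {pid: {"regions": [(start, end), ...], "entries": [addr, ...]}};
    entries that are not memory dumps (dropped files) are skipped."""
    procs = defaultdict(lambda: {"regions": [], "entries": []})
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue
        rec = procs[int(m["pid"])]
        if m["entry"] is not None:
            rec["entries"].append(int(m["entry"], 16))
        else:
            rec["regions"].append((int(m["start"], 16), int(m["end"], 16)))
    return dict(procs)


def injected_entry_points(procs):
    """PIDs with a non-zero start address. When the address lies inside one of
    that PID's dumped regions, also give the region and the RVA of the start
    address within it (the offset to look at in the dumped image)."""
    out = {}
    for pid, rec in procs.items():
        for entry in rec["entries"]:
            if entry == 0:
                continue
            region = next((r for r in rec["regions"] if r[0] <= entry < r[1]), None)
            out[pid] = {
                "entry": entry,
                "region": region,
                "rva": entry - region[0] if region else None,
            }
    return out


# A subset of the report's Files listing, copied verbatim; the last item shows
# that non-dump entries are ignored.
SAMPLE_FILES = [
    "memory/664-114-0x0000000000850000-0x0000000000851000-memory.dmp",
    "memory/664-119-0x00000000052F0000-0x00000000057EE000-memory.dmp",
    "memory/1820-124-0x0000000000000000-mapping.dmp",
    "memory/2088-126-0x0000000000000000-mapping.dmp",
    "memory/3848-140-0x0000000000000000-mapping.dmp",
    "memory/3932-141-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/3932-142-0x000000000043782E-mapping.dmp",
    "memory/3016-885-0x0000000000000000-mapping.dmp",
    "memory/3016-894-0x0000000004BE0000-0x00000000050DE000-memory.dmp",
    "memory/2940-920-0x000000000040717B-mapping.dmp",
    r"C:\Users\Admin\AppData\Local\Temp\tmpCF62.tmp",
]


if __name__ == "__main__":
    for pid, info in sorted(injected_entry_points(parse_dumps(SAMPLE_FILES)).items()):
        region = info["region"]
        where = f"in 0x{region[0]:X}-0x{region[1]:X}, RVA 0x{info['rva']:X}" if region else "no dumped region"
        print(f"pid {pid}: start address 0x{info['entry']:X} ({where})")
```

For PID 3932 this yields RVA 0x3782E within the 0x400000-0x43C000 dump, which is the image to carve and the offset to start disassembling from; for PID 2940 the listing in this section contains no region dump around 0x40717B, so only the rewritten start address is reported.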