Malware Analysis Report

2024-11-30 04:10

Sample ID 240408-bnrxxscd4x
Target dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197
SHA256 dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197

Threat Level: Known bad

The file dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197 was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Reads user/profile data of web browsers

Checks computer location settings

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 01:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 01:17

Reported

2024-04-08 01:20

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2780 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 1504 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2624 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe C:\Windows\SysWOW64\schtasks.exe
PID 2228 wrote to memory of 2564 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe

"C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cjsumKJ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cjsumKJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp93F6.tmp"

C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe

"C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2228-0-0x00000000010B0000-0x0000000001168000-memory.dmp

memory/2228-1-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2228-2-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

memory/2228-3-0x00000000003C0000-0x00000000003D2000-memory.dmp

memory/2228-4-0x0000000000430000-0x000000000043E000-memory.dmp

memory/2228-5-0x0000000005C90000-0x0000000005D2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp93F6.tmp

MD5 26230c79d18cbf41473b56ee4d3fbef6
SHA1 aaa867994c9c81aebd9f8c847af3818821f64c80
SHA256 304d762ce062822aaf2f6cc4a83af0aa79ddd8260bf859854d54767a868e0277
SHA512 14ad5ccf4e17b0dc09dd4b5245fa4be91c04ffea2b2903df3a47c251fd933cf6929ada829aedb4b8ce4c7e8ddb0c4c38f39682609258174812744414b272ec8a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 fedc96e7e6878a994786b1af96a6e081
SHA1 85f01fd53f151dabe9099e6328bdddcb3e54fb03
SHA256 32439fd4066401312a0a83c694e7c95abf32bfba8ca1a262e8a45275f471cbf8
SHA512 9f059243659390b44b179e32e5020b75069024ad1581e3ce9f9870a44fd6cc3a2d28177c4ce608f88be0851940ae376f814045159009f60c1dd63f5b27fce594

memory/2564-18-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-19-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-20-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-21-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2564-25-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-27-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2564-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2228-30-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/1504-31-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

memory/2780-32-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

memory/2780-33-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

memory/1504-34-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

memory/2564-35-0x0000000074B80000-0x000000007526E000-memory.dmp

memory/2780-37-0x0000000002620000-0x0000000002660000-memory.dmp

memory/1504-36-0x0000000002440000-0x0000000002480000-memory.dmp

memory/2780-38-0x0000000002620000-0x0000000002660000-memory.dmp

memory/2780-39-0x0000000002620000-0x0000000002660000-memory.dmp

memory/1504-40-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

memory/2780-41-0x000000006F8E0000-0x000000006FE8B000-memory.dmp

memory/2564-42-0x0000000074B80000-0x000000007526E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 01:17

Reported

2024-04-08 01:20

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3948 wrote to memory of 3552 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 4488 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3948 wrote to memory of 2284 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe C:\Windows\SysWOW64\schtasks.exe
PID 3948 wrote to memory of 3828 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe

"C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cjsumKJ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cjsumKJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C21.tmp"

C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe

"C:\Users\Admin\AppData\Local\Temp\dd0b2e214fcf8eecde40532e99c29faff1bba94d8df28df05b3f98a86793b197.exe"

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 mail.wecaresvc.com udp
TW 103.144.32.9:587 mail.wecaresvc.com tcp
US 8.8.8.8:53 9.32.144.103.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

memory/3948-0-0x0000000000F20000-0x0000000000FD8000-memory.dmp

memory/3948-1-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/3948-2-0x0000000006030000-0x00000000065D4000-memory.dmp

memory/3948-3-0x00000000059B0000-0x0000000005A42000-memory.dmp

memory/3948-4-0x0000000005C00000-0x0000000005C10000-memory.dmp

memory/3948-5-0x0000000005B70000-0x0000000005B7A000-memory.dmp

memory/3948-6-0x0000000005C60000-0x0000000005C72000-memory.dmp

memory/3948-7-0x0000000005C90000-0x0000000005C9E000-memory.dmp

memory/3948-8-0x0000000008350000-0x00000000083EC000-memory.dmp

memory/3948-9-0x000000000AA20000-0x000000000AABC000-memory.dmp

memory/3552-14-0x0000000004610000-0x0000000004646000-memory.dmp

memory/3552-15-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/3552-16-0x0000000004710000-0x0000000004720000-memory.dmp

memory/3552-18-0x0000000004D50000-0x0000000005378000-memory.dmp

memory/3552-17-0x0000000004710000-0x0000000004720000-memory.dmp

memory/4488-20-0x0000000002540000-0x0000000002550000-memory.dmp

memory/4488-19-0x0000000002540000-0x0000000002550000-memory.dmp

memory/3552-22-0x0000000004AE0000-0x0000000004B02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9C21.tmp

MD5 3ceb6a5be1ba13ea0acf22daaae6af39
SHA1 73f246dfd02f96c9a6d76117083d7cc07d6ec432
SHA256 1a5efe9ead2e47d7b2a8926c0c79a9ddfa3b3bb1609a516ce1d39dfe6ef8437f
SHA512 c668a0d5bed3a8072837c8d9cb17d976c245f7d72e8f1cfbf3ee07bc4af0a2d7cace84de83ed7b3542de6ae4268d743a0b95be3e1e3ad3d2173d2f4d66e16846

memory/3552-23-0x0000000004B80000-0x0000000004BE6000-memory.dmp

memory/4488-25-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/3552-24-0x0000000005480000-0x00000000054E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2catc34l.4he.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3552-36-0x00000000054F0000-0x0000000005844000-memory.dmp

memory/3948-35-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/3828-37-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3828-48-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/3948-49-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/3828-50-0x0000000005840000-0x0000000005850000-memory.dmp

memory/3552-51-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

memory/3552-52-0x0000000006160000-0x00000000061AC000-memory.dmp

memory/3552-53-0x0000000004710000-0x0000000004720000-memory.dmp

memory/4488-54-0x0000000002540000-0x0000000002550000-memory.dmp

memory/3552-55-0x0000000006B80000-0x0000000006BB2000-memory.dmp

memory/3552-56-0x000000007EFC0000-0x000000007EFD0000-memory.dmp

memory/3552-57-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

memory/3552-67-0x0000000006110000-0x000000000612E000-memory.dmp

memory/3552-68-0x0000000006BC0000-0x0000000006C63000-memory.dmp

memory/4488-69-0x0000000070BF0000-0x0000000070C3C000-memory.dmp

memory/4488-70-0x000000007EFE0000-0x000000007EFF0000-memory.dmp

memory/4488-80-0x0000000007740000-0x0000000007DBA000-memory.dmp

memory/3552-81-0x0000000006ED0000-0x0000000006EEA000-memory.dmp

memory/3552-82-0x0000000006F40000-0x0000000006F4A000-memory.dmp

memory/3552-83-0x0000000007150000-0x00000000071E6000-memory.dmp

memory/4488-84-0x0000000007300000-0x0000000007311000-memory.dmp

memory/3828-85-0x0000000006D40000-0x0000000006D90000-memory.dmp

memory/3552-86-0x0000000007100000-0x000000000710E000-memory.dmp

memory/3552-87-0x0000000007110000-0x0000000007124000-memory.dmp

memory/4488-88-0x0000000007440000-0x000000000745A000-memory.dmp

memory/3552-89-0x00000000071F0000-0x00000000071F8000-memory.dmp

memory/4488-95-0x0000000074520000-0x0000000074CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3552-96-0x0000000074520000-0x0000000074CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 94aec1857c49305d51c3f3b97f10331f
SHA1 5695862d381ff380e3a24ac08b3348aab5dc0aec
SHA256 56cca141bcd42b1c8c182843da5a63fbd619ae4940b870bf98c68018e1f5bba8
SHA512 5c8dfd9650f0bc94e61111c03f64cb7832e2a31eadb23e10c474e2936e69283e4cfa2274b9ddd032efc04c8b76346f9a1605ac4691bf80c19ca9d64fa2e674b6

memory/3828-97-0x0000000074520000-0x0000000074CD0000-memory.dmp

memory/3828-98-0x0000000005840000-0x0000000005850000-memory.dmp