Malware Analysis Report

2025-06-16 01:20

Sample ID: 240410-ht7nwsae2x
Target: e-Payment Challan. R5364_08334_46915919.rar.pellet
SHA256: 8c2ea9871e74e6666be7e36d50993391239f372868bb38e698b20f6c3e2fafcf
Tags: remcos gg rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 8c2ea9871e74e6666be7e36d50993391239f372868bb38e698b20f6c3e2fafcf
Threat Level: Known bad

The file e-Payment Challan. R5364_08334_46915919.rar.pellet was found to be: Known bad.

Malicious Activity Summary

Tags: remcos gg rat

Remcos
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-10 07:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-10 07:02
Reported: 2024-04-10 07:05
Platform: win7-20240221-en
Max time kernel: 141s
Max time network: 159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe"

Signatures

Remcos

Tags: rat remcos

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1924 set thread context of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1924 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2472 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1924 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1924 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1924 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1924 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1924 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1924 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1924 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1924 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1924 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1924 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1924 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1924 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1924 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1924 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
  "C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ONSBsuKIuEQJ.exe"

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ONSBsuKIuEQJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF798.tmp"

C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
  "C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe"

Network

Country | Destination | Domain | Proto
SE | 62.102.148.185:9771 |  | tcp
SE | 62.102.148.185:9771 |  | tcp
SE | 62.102.148.185:9771 |  | tcp
SE | 62.102.148.185:9771 |  | tcp
SE | 62.102.148.185:9771 |  | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpF798.tmp

MD5 c0eebee05b21bd22d417c71388c7ab3f
SHA1 7b71140439512f21cf68f7eebf68798631bc5289
SHA256 10051c23fc1382797f110d99cd019919b9872636245296274d3f1aa2fcbc817f
SHA512 dbc99e87224f33558cca46a8e2ece35420c5e450dd7374eeabf4fdf4bff3f60fa8a782268dda0d7573a9d085a8a71f4b6dc14fa50db3228de54d9bead333b4d2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 a64fb1807d622d5afc1f6c1354c6c97b
SHA1 2c4fd6c4f1fb6d4fcdbabb4fe2b8ed0fc0f88466
SHA256 d4efeea3a8afe4e69ca46a91b928004b44958b99d4e1d2db3d040a63b8239596
SHA512 586e88aab09e615a3708545cd1ebb89d0e9149e281a6b688a45fe6a8b33ca15093948b78adff3511656c2c22eae291173d572dae5093ff103957f71809b4ede9

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-10 07:02
Reported: 2024-04-10 07:05
Platform: win10v2004-20240226-en
Max time kernel: 131s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe"

Signatures

Remcos

Tags: rat remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1776 set thread context of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1776 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1776 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1776 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1776 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1776 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1776 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1776 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1776 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1776 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1776 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1776 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
PID 1776 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe | C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
  "C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ONSBsuKIuEQJ.exe"

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ONSBsuKIuEQJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA3E1.tmp"

C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe
  "C:\Users\Admin\AppData\Local\Temp\e-Payment Challan. R5364_08334_46915919.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
SE | 62.102.148.185:9771 |  | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
SE | 62.102.148.185:9771 |  | tcp
US | 8.8.8.8:53 | 203.142.123.92.in-addr.arpa | udp
SE | 62.102.148.185:9771 |  | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
SE | 62.102.148.185:9771 |  | tcp
SE | 62.102.148.185:9771 |  | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpA3E1.tmp

MD5 3d3c3a38ec7e34c2d39ba4c8aed8245d
SHA1 d9e48aa2927f36dabb50050c15a0fa66793d8900
SHA256 f508a61e92d26050ecb7b7b2a9fd4a384f5af19eb33bfa2d3a9ca6c9d742de12
SHA512 0e31905c9f659c52afff11dec0171984513594972735fea3063a08674a1ddee3886c283c39e507996cf846771eacbfc2c1d3a9ee07f0afa64c80b598c4cbd672

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gb1spjcv.wuv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7ee8386a5814fc298b52fe84d4e67aca
SHA1 36a552f4d5005fecbd65503c441583407012654e
SHA256 6d2e3febf06905936f75334638dfc4313026ac4a2814b6d42e8f0c0a15ffd883
SHA512 6b2e5bc8762c46c17d3f71ee07b7226e8517af1db7c00adbb540ffb0ca66f822da2350e778a4389869b71a627876c987ce83cea036fd7287d48f085003979294

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
