Malware Analysis Report

2024-11-30 07:07

Sample ID 240601-h1dpdsec97
Target 87bffd1fc6695d1508335e8ff198af64dc43eef0daf91b95275f55d3752bec23
SHA256 87bffd1fc6695d1508335e8ff198af64dc43eef0daf91b95275f55d3752bec23
Tags
agenttesla execution keylogger spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

87bffd1fc6695d1508335e8ff198af64dc43eef0daf91b95275f55d3752bec23

Threat Level: Known bad

The file 87bffd1fc6695d1508335e8ff198af64dc43eef0daf91b95275f55d3752bec23 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads data files stored by FTP clients

Checks computer location settings

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:11

Reported

2024-06-01 07:14

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1284 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2852 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1284 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1284 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1284 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1284 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1284 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1284 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1284 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1284 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1284 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1284 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1284 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1284 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe

Processes

C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe

"C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zhtUkOnXfvAhiZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhtUkOnXfvAhiZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC755.tmp"

C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe

"C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe"

Network

N/A

Files

memory/1284-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

memory/1284-1-0x00000000010E0000-0x000000000118A000-memory.dmp

memory/1284-2-0x00000000745E0000-0x0000000074CCE000-memory.dmp

memory/1284-3-0x00000000005B0000-0x00000000005C8000-memory.dmp

memory/1284-4-0x0000000000290000-0x00000000002A0000-memory.dmp

memory/1284-5-0x0000000005330000-0x00000000053B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC755.tmp

MD5 292ddc28eb7333f8f58bf53007c9f0d8
SHA1 7e10c6dc099a0ec02cba02625128f0b680ec75b1
SHA256 e0ddbacbb10df72a019f877ee0e3257b91cfd335bcc17653298d741d6621b97e
SHA512 4357d8a04856b7d0057f5500414a741d29224fea278d228a349309134cc92904fd5af01db54879e933e3a45622c10b22628cfd50f68c6a6dde7e5a33d40ee0f8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VMWBP3UE79OAXX0Y03I8.temp

MD5 98a2a81daa3f44ca88c70b40c889f8bf
SHA1 c0aacaaff6bd23176fca6efb80b22fbb66642992
SHA256 ccf821bc856b2bcfb1c2bdd31de739b1a4a291fe5cb91d5b2a4579a2f326b73f
SHA512 d117df9c42e4649908c5074373871e10084b0cd9acd87f5ea500615192da849405ccb9f33016e82cb28ddbc816fbdac1adc78b243c4eef99cdcd1cbefe737b93

memory/2992-29-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2992-28-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2992-27-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2992-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2992-25-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2992-22-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2992-20-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2992-18-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1284-30-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:11

Reported

2024-06-01 07:14

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1968 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1968 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1968 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1968 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1968 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1968 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1968 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1968 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe
PID 1968 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe | C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe

Processes

C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe

"C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zhtUkOnXfvAhiZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhtUkOnXfvAhiZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69E5.tmp"

C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe

"C:\Users\Admin\AppData\Local\Temp\04247ecef21dfc90bca496a3c8419dfef5c82592114eabb4bb80ff9084463988.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | cp5ua.hyperhost.ua | udp
UA | 91.235.128.141:587 | cp5ua.hyperhost.ua | tcp
US | 8.8.8.8:53 | 141.128.235.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp

Files

memory/1968-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

memory/1968-1-0x0000000000010000-0x00000000000BA000-memory.dmp

memory/1968-2-0x0000000005000000-0x00000000055A4000-memory.dmp

memory/1968-3-0x0000000004AF0000-0x0000000004B82000-memory.dmp

memory/1968-4-0x0000000004AC0000-0x0000000004ACA000-memory.dmp

memory/1968-5-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/1968-6-0x0000000004CC0000-0x0000000004CD8000-memory.dmp

memory/1968-7-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/1968-8-0x00000000064F0000-0x0000000006572000-memory.dmp

memory/1968-9-0x0000000008B60000-0x0000000008BFC000-memory.dmp

memory/1688-14-0x0000000002180000-0x00000000021B6000-memory.dmp

memory/1688-15-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/1688-16-0x0000000004E00000-0x0000000005428000-memory.dmp

memory/1688-17-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/4784-18-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/4784-19-0x0000000074CB0000-0x0000000075460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1peteski.nab.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1688-24-0x0000000004D20000-0x0000000004D86000-memory.dmp

memory/4784-32-0x0000000074CB0000-0x0000000075460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp69E5.tmp

MD5 19179d94afdee6f0a39ba748d0486f3a
SHA1 5d0c5a7d2505ff5f44eb32fd6631fa6b38b671db
SHA256 3bb1e2281fc35c0f4727a109cadd18aaf98b0f349315fe09925cda0d9d6047c8
SHA512 bc1959f2903f87c8ad1cc3e54c15db33c9734df45e2ed568cf556174fdf8da8f9599516b64ee434855713ec8f7088ce6e4127e1624fe959e7cf73ed08f3ecd8b

memory/1688-34-0x0000000005570000-0x00000000058C4000-memory.dmp

memory/1688-21-0x0000000004CB0000-0x0000000004D16000-memory.dmp

memory/2252-44-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1688-20-0x0000000004AF0000-0x0000000004B12000-memory.dmp

memory/1968-46-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/4784-47-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

memory/4784-48-0x0000000006520000-0x000000000656C000-memory.dmp

memory/1688-51-0x0000000075560000-0x00000000755AC000-memory.dmp

memory/4784-50-0x0000000075560000-0x00000000755AC000-memory.dmp

memory/4784-49-0x00000000071A0000-0x00000000071D2000-memory.dmp

memory/4784-70-0x0000000007160000-0x000000000717E000-memory.dmp

memory/1688-71-0x0000000006CA0000-0x0000000006D43000-memory.dmp

memory/4784-72-0x0000000007920000-0x0000000007F9A000-memory.dmp

memory/1688-73-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

memory/1688-74-0x0000000006E40000-0x0000000006E4A000-memory.dmp

memory/4784-75-0x0000000007560000-0x00000000075F6000-memory.dmp

memory/1688-76-0x0000000006FD0000-0x0000000006FE1000-memory.dmp

memory/1688-77-0x0000000007000000-0x000000000700E000-memory.dmp

memory/1688-78-0x0000000007010000-0x0000000007024000-memory.dmp

memory/1688-79-0x0000000007110000-0x000000000712A000-memory.dmp

memory/1688-80-0x00000000070F0000-0x00000000070F8000-memory.dmp

memory/4784-86-0x0000000074CB0000-0x0000000075460000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa5d5171c37b63ecbe0fda17338a6408
SHA1 c2c3eb9c45d49506af974a7066d484813054d8e7
SHA256 896c336b3af543fa38e23c6da474b21342449d09509bc0a7706ad96e3a092791
SHA512 df854b553993b14fe7f496f17edc165d17ebba81c53a669d7636fec1d27e2c1d9e19b4004e43d3c343e6c12902d95852eb6fe4e523a3df650b466384910c3104

memory/1688-87-0x0000000074CB0000-0x0000000075460000-memory.dmp

memory/2252-88-0x0000000005E20000-0x0000000005E70000-memory.dmp