Malware Analysis Report

2024-10-23 21:59

Sample ID 240612-b2hleaxhng
Target 8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186
SHA256 8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186
Tags
agenttesla execution keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186

Threat Level: Known bad

The file 8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads WinSCP keys stored on the system

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 01:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 01:38

Reported

2024-06-12 01:40

Platform

win7-20240508-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 2640 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2544 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2284 wrote to memory of 2748 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe C:\Windows\SysWOW64\schtasks.exe
PID 2284 wrote to memory of 2608 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe

"C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nsVJycmpjslUz.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nsVJycmpjslUz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F80.tmp"

C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe

"C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"
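
The process tree above shows three behaviours worth encoding as checks: two PowerShell children that add Defender exclusions (Add-MpPreference modifies Defender preferences and needs an elevated context, which the sandbox's Admin account supplies), a schtasks child that registers a task from an XML file staged in the user's Temp folder, and nine WriteProcessMemory calls from PID 2284 into PID 2608, a child running the sample's own image. The last pattern, together with the SetThreadContext signature in the summary, is process hollowing; the repeated dumps of 2608's 0x400000-0x440000 region are the natural place to look for the unpacked payload. Note also that the image paths read SysWOW64 while the command lines say System32: a 32-bit process that asks for System32 is redirected there by WOW64 file-system redirection, so image comparisons must fold the two. The following Python is an added example, not part of the sandbox output; its records are constructed from the behavioral1 tables on this page and the record layout, field names and function names are the example's own.

```python
"""Triage of a sandbox process tree for Defender exclusions added via PowerShell,
XML-driven scheduled-task creation, and same-image parent-to-child memory writes.
Added example: records are constructed from this report's behavioral1 tables."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # image path as the sandbox recorded it
    cmdline: str  # command line as the sandbox recorded it


@dataclass(frozen=True)
class MemWrite:
    src_pid: int  # caller of WriteProcessMemory
    dst_pid: int  # process whose memory was written


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
DROPPED = r"C:\Users\Admin\AppData\Roaming\nsVJycmpjslUz.exe"

# Constructed from the behavioral1 "Processes" table.
PROCS = [
    Proc(2284, SAMPLE, f'"{SAMPLE}"'),
    Proc(2640, PS_IMAGE, f'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    Proc(2544, PS_IMAGE, f'{PS_CMD} Add-MpPreference -ExclusionPath "{DROPPED}"'),
    Proc(2748, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nsVJycmpjslUz" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3F80.tmp"'),
    Proc(2608, SAMPLE, f'"{SAMPLE}"'),
]
# Constructed from the behavioral1 WriteProcessMemory table, one record per row.
WRITES = ([MemWrite(2284, 2640)] * 4 + [MemWrite(2284, 2544)] * 4
          + [MemWrite(2284, 2748)] * 4 + [MemWrite(2284, 2608)] * 9)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def norm(path: str) -> str:
    """Lower-case a path and fold WOW64 redirection (System32 -> SysWOW64), so a
    32-bit process's recorded image and its command-line path compare equal."""
    return path.lower().replace("\\system32\\", "\\syswow64\\")


def basename(path: str) -> str:
    return norm(path).rsplit("\\", 1)[-1]


def defender_exclusions(proc: Proc) -> list[tuple[str, str]]:
    """(parameter, value) for every -Exclusion* argument given to Add-MpPreference."""
    if basename(proc.image) not in {"powershell.exe", "pwsh.exe"}:
        return []
    toks = tokens(proc.cmdline)
    low = [t.lower() for t in toks]
    if "add-mppreference" not in low:
        return []
    return [(toks[i][1:], toks[i + 1]) for i, t in enumerate(low)
            if t.startswith("-exclusion") and i + 1 < len(toks)]


def scheduled_task(proc: Proc):
    """(task name, xml path, xml_in_user_temp) for 'schtasks /Create ... /XML', else None."""
    if basename(proc.image) != "schtasks.exe":
        return None
    toks = tokens(proc.cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None

    def arg(flag: str):
        i = low.index(flag) if flag in low else -1
        return toks[i + 1] if 0 <= i < len(toks) - 1 else None

    name, xml = arg("/tn"), arg("/xml")
    in_temp = bool(xml) and "\\appdata\\local\\temp\\" in xml.lower()
    return name, xml, in_temp


def self_injection(procs: list[Proc], writes: list[MemWrite]) -> dict[tuple[int, int], int]:
    """{(src, dst): write count} for writes into a different process running the same image."""
    image = {p.pid: norm(p.image) for p in procs}
    counts = Counter((w.src_pid, w.dst_pid) for w in writes)
    return {(s, d): n for (s, d), n in counts.items()
            if s != d and image.get(s) is not None and image.get(s) == image.get(d)}


def triage(procs: list[Proc], writes: list[MemWrite]) -> list[str]:
    """One finding string per detected behaviour."""
    findings = []
    for p in procs:
        for param, value in defender_exclusions(p):
            findings.append(f"defender_exclusion pid={p.pid} {param}={value}")
        task = scheduled_task(p)
        if task:
            name, xml, in_temp = task
            findings.append(f"scheduled_task pid={p.pid} name={name} xml={xml}"
                            + (" (task XML staged in user Temp)" if in_temp else ""))
    for (src, dst), n in self_injection(procs, writes).items():
        findings.append(f"self_injection src={src} dst={dst} writes={n}")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(PROCS, WRITES)))
```

Against these records triage() yields four findings: the two exclusions, the Updates\nsVJycmpjslUz task built from tmp3F80.tmp, and the 2284 to 2608 same-image write sequence. The four writes into each PowerShell and schtasks child are ordinary CreateProcess setup and are correctly not flagged, which is the point of keying the injection check on image equality rather than on WriteProcessMemory alone.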

Network

N/A

Files

memory/2284-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

memory/2284-1-0x0000000000B10000-0x0000000000BC6000-memory.dmp

memory/2284-2-0x00000000742D0000-0x00000000749BE000-memory.dmp

memory/2284-3-0x0000000000A70000-0x0000000000A92000-memory.dmp

memory/2284-4-0x0000000000740000-0x0000000000750000-memory.dmp

memory/2284-5-0x0000000004E00000-0x0000000004E82000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DI5ZDK21JXCIMPCHQJ7L.temp

MD5 7c5315d407c4d7122f9426f29c94f6a2
SHA1 a5355eb128ec520ae4b96a3dc9b03770b5668c6c
SHA256 661e45282867eb21efc9d8b99ff2060d182030098a418e7750c3b9ce70ee2f8f
SHA512 dc10bb967d1b048d3163f83b18453d95cb68761cb1d432f7f9b14d3a1c2d5f71609b06c1ec0ba7408380092061b54353736588b1d3286513ae44e48e6bf0d142

C:\Users\Admin\AppData\Local\Temp\tmp3F80.tmp

MD5 272687b57c8938211ea5e6c8378484fa
SHA1 a37cfaeab031865ca30b89acede155b3d2295806
SHA256 6919ebe25a12192042ce7309b7c8a56becf2c719f1b5694d0dba0af7a3c65fb4
SHA512 2f70e73774d3b031c2c79900713b4a5ae6f4f53feff16ee56add77f3123fb111462d3b177d2a656e25ed6419e32fd22ef122f843f1d3352dcd9d23427d79b9d4

memory/2608-18-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2608-24-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2608-22-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2608-29-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2608-28-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2608-27-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2608-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2608-20-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2284-30-0x00000000742D0000-0x00000000749BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 01:38

Reported

2024-06-12 01:40

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3780 wrote to memory of 5104 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3780 wrote to memory of 3244 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3780 wrote to memory of 2320 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe C:\Windows\SysWOW64\schtasks.exe
PID 3780 wrote to memory of 4408 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe

"C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nsVJycmpjslUz.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nsVJycmpjslUz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21CB.tmp"

C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe

"C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"
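
In both runs the task is registered with "schtasks /Create /TN Updates\nsVJycmpjslUz /XML <tmp file>", so the interesting detail, what the task actually launches and when, lives in the dropped tmp file (tmp3F80.tmp here, tmp21CB.tmp on Windows 10), which the report hashes but does not show. The Python below is an added example, not sandbox output: it parses a Task Scheduler XML definition and flags the properties a responder checks first (an action under a user-writable path, a hidden task, a logon or boot trigger, an elevated run level). Because the page does not include the file's contents, TASK_XML is constructed to the Task Scheduler schema from the task name and the Roaming path the report does show; BENIGN_XML is a constructed contrast case. The field names and flag strings are the example's own.

```python
"""Parse a Windows Task Scheduler XML definition and flag persistence traits.
Added example; TASK_XML and BENIGN_XML are constructed, not recovered from the sample."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed: a plausible definition for the \Updates\nsVJycmpjslUz task. Real exports
# are usually UTF-16 with an XML declaration; pass those to parse_task() as bytes so the
# parser honours the declared encoding instead of decoding the file yourself.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Updates\\nsVJycmpjslUz</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden><DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Admin\\AppData\\Roaming\\nsVJycmpjslUz.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed contrast: a vendor updater under Program Files on a daily schedule, not hidden.
BENIGN_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ExampleVendor\\Updater</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""

# Directories an unprivileged user can write to; a task action living there is a red flag.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.I)


@dataclass
class TaskInfo:
    uri: str | None
    triggers: list[str]
    command: str | None
    arguments: str | None
    run_level: str | None
    hidden: bool


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag such as '{uri}LogonTrigger'."""
    return tag.rsplit("}", 1)[-1]


def parse_task(xml) -> TaskInfo:
    """Extract the fields that matter for triage from a Task XML string or bytes."""
    root = ET.fromstring(xml)
    triggers = root.find("t:Triggers", NS)
    hidden_text = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS) or "false"
    return TaskInfo(
        uri=root.findtext("t:RegistrationInfo/t:URI", namespaces=NS),
        triggers=[_local(c.tag) for c in triggers] if triggers is not None else [],
        command=root.findtext("t:Actions/t:Exec/t:Command", namespaces=NS),
        arguments=root.findtext("t:Actions/t:Exec/t:Arguments", namespaces=NS),
        run_level=root.findtext("t:Principals/t:Principal/t:RunLevel", namespaces=NS),
        hidden=hidden_text.strip().lower() == "true",
    )


def assess(info: TaskInfo) -> list[str]:
    """Flag strings for the persistence traits present; empty list means nothing notable."""
    flags = []
    if info.command and USER_WRITABLE.search(info.command):
        flags.append("command_in_user_writable_path")
    if info.hidden:
        flags.append("hidden")
    if any(t in ("LogonTrigger", "BootTrigger") for t in info.triggers):
        flags.append("runs_at_logon_or_boot")
    if (info.run_level or "").lower() == "highestavailable":
        flags.append("highest_available_run_level")
    return flags


if __name__ == "__main__":
    for label, doc in (("suspect", TASK_XML), ("benign", BENIGN_XML)):
        info = parse_task(doc)
        print(label, info.uri, "->", info.command, assess(info))
```

On a live host the same file is obtained with "schtasks /Query /TN \Updates\nsVJycmpjslUz /XML" or Export-ScheduledTask, and the checks apply unchanged; the suspect definition trips three flags while the contrast case trips none.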

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 smtp.mail.ru udp

Only DNS traffic was captured in this run. The reverse lookup of the resolver's own address is ordinary background activity. The lookup of smtp.mail.ru is consistent with the SMTP exfiltration channel AgentTesla builds commonly use; no SMTP session followed within the capture window, so the mailbox the sample reports to is not visible in this report.

Files

memory/3780-0-0x000000007467E000-0x000000007467F000-memory.dmp

memory/3780-1-0x0000000000FC0000-0x0000000001076000-memory.dmp

memory/3780-2-0x0000000005FE0000-0x0000000006584000-memory.dmp

memory/3780-3-0x0000000005940000-0x00000000059D2000-memory.dmp

memory/3780-4-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/3780-5-0x0000000005930000-0x000000000593A000-memory.dmp

memory/3780-6-0x0000000005D00000-0x0000000005D22000-memory.dmp

memory/3780-7-0x0000000005BD0000-0x0000000005BE0000-memory.dmp

memory/3780-8-0x0000000006E40000-0x0000000006EC2000-memory.dmp

memory/3780-9-0x0000000008550000-0x00000000085EC000-memory.dmp

memory/5104-14-0x0000000002F80000-0x0000000002FB6000-memory.dmp

memory/5104-15-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/5104-16-0x00000000059E0000-0x0000000006008000-memory.dmp

memory/5104-17-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/3244-18-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/5104-19-0x0000000074670000-0x0000000074E20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp21CB.tmp

MD5 63e241fd81fe33e85c491a8a7edbc60f
SHA1 36b8ae81b0d4efa294d3b44a58fde29d62878227
SHA256 aa7bec0cc99387f0a95da99e00f440826805547cabfe0e362d77c17102871553
SHA512 0cd0a37eecc50bf6ba4ac7f3035aeb4346b310b7fc2a4c65f37d7efd61ec657bd7aaeec313b49280e45fd4b3191e19cbca92753e54b5c862f0d213f6110935ea

memory/3244-24-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/5104-22-0x0000000006130000-0x0000000006196000-memory.dmp

memory/3244-44-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/5104-43-0x00000000062A0000-0x00000000065F4000-memory.dmp

memory/4408-45-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lzyd0av1.kc5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5104-21-0x0000000006010000-0x0000000006076000-memory.dmp

memory/5104-20-0x00000000058F0000-0x0000000005912000-memory.dmp

memory/3780-48-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/5104-49-0x0000000006D10000-0x0000000006D5C000-memory.dmp

memory/5104-47-0x00000000068B0000-0x00000000068CE000-memory.dmp

memory/5104-50-0x0000000006E70000-0x0000000006EA2000-memory.dmp

memory/5104-51-0x0000000074F20000-0x0000000074F6C000-memory.dmp

memory/5104-61-0x0000000007860000-0x000000000787E000-memory.dmp

memory/3244-63-0x0000000074F20000-0x0000000074F6C000-memory.dmp

memory/5104-62-0x0000000007890000-0x0000000007933000-memory.dmp

memory/5104-74-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

memory/3244-73-0x0000000007D70000-0x00000000083EA000-memory.dmp

memory/5104-75-0x0000000007C40000-0x0000000007C4A000-memory.dmp

memory/5104-76-0x0000000007E50000-0x0000000007EE6000-memory.dmp

memory/3244-77-0x0000000007920000-0x0000000007931000-memory.dmp

memory/5104-78-0x0000000007E00000-0x0000000007E0E000-memory.dmp

memory/5104-79-0x0000000007E10000-0x0000000007E24000-memory.dmp

memory/5104-80-0x0000000007F10000-0x0000000007F2A000-memory.dmp

memory/5104-81-0x0000000007EF0000-0x0000000007EF8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/5104-87-0x0000000074670000-0x0000000074E20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39f0a887929792c946908657a6c02691
SHA1 9b1272b5e5c702df9100da2e9b861b6fc916dfce
SHA256 f09e5f5086163530c516d5b2513c798c6008600136582325af58809a0fa174a8
SHA512 833d2407649b302f21d3df4d9a31e868ec6cc7043790f4427cce423fc928ee79bdae6e6c7740df58e761bf0875e0ac4259f7b935645b4e48c7001628e9228a84

memory/3244-88-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/4408-89-0x00000000066E0000-0x0000000006730000-memory.dmp