Malware Analysis Report

2024-11-30 05:47

Sample ID 240619-cec8vasalh
Target 7229b8bff6aef0e623b2b2e786aea131f33f764428c4dab9b0fd007d85c74346
SHA256 7229b8bff6aef0e623b2b2e786aea131f33f764428c4dab9b0fd007d85c74346
Tags
agenttesla execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7229b8bff6aef0e623b2b2e786aea131f33f764428c4dab9b0fd007d85c74346

Threat Level: Known bad

The file 7229b8bff6aef0e623b2b2e786aea131f33f764428c4dab9b0fd007d85c74346 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads data files stored by FTP clients

Checks computer location settings

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 01:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 01:59

Reported

2024-06-19 02:01

Platform

win7-20240611-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe" | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2436 set thread context of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2436 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2436 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\schtasks.exe
PID 2436 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\schtasks.exe
PID 2436 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\schtasks.exe
PID 2436 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\schtasks.exe
PID 2436 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 2436 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 2436 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 2436 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 2436 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 2436 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 2436 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 2436 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 2436 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe

Processes

C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe

"C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZgvUYcgWaiQFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgvUYcgWaiQFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AB3.tmp"

C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe

"C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.13.205:443 | api.ipify.org | tcp

Files

memory/2436-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

memory/2436-1-0x0000000000840000-0x00000000008E8000-memory.dmp

memory/2436-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/2436-3-0x0000000000570000-0x0000000000582000-memory.dmp

memory/2436-4-0x00000000005E0000-0x00000000005E8000-memory.dmp

memory/2436-5-0x00000000005F0000-0x00000000005FC000-memory.dmp

memory/2436-6-0x00000000020B0000-0x0000000002134000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8AB3.tmp

MD5 632fd92b0c6ba25fc7291418c3215fae
SHA1 ae1bae37baebc5ec59d2f6743cc9631b5ef13dca
SHA256 a87f2b615b6b35e2c2278f894180b5f80fb7501619fccbd65c116e2ec0c6a003
SHA512 1a02d2b27982e10a6d34f31656f2470d93687b788ca839b522d4047e11c29c9f4776b3e0af19e368ed787202e9938764a632f1ea74de799fe42b68c3e47899f4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A9X92O70QW5JAJDJGRNJ.temp

MD5 786c4a17e15926e1195b52708269a474
SHA1 e27be28311ab146edcce72d94c27d6f1867f311f
SHA256 a915ecbe15186f3086e5f51f79b13e3dcb99509f26a3242b87a0281223b31ac9
SHA512 003d3bdf321341a095ca4371a3cdd89ec8eeddcea67453e4aa0eebdc44018a8a1ee7d273d1e2669c34d60567269325a2e5a9b92fdfe90b3d2b9aa0c37b6311ea

memory/2604-19-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2604-30-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2604-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2604-28-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2604-25-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2604-23-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2604-21-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2436-31-0x00000000748A0000-0x0000000074F8E000-memory.dmp

memory/2604-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 01:59

Reported

2024-06-19 02:01

Platform

win10v2004-20240508-en

Max time kernel

48s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe" | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3156 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3156 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 4000 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 2404 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3156 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\schtasks.exe
PID 3156 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\schtasks.exe
PID 3156 wrote to memory of 4960 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Windows\SysWOW64\schtasks.exe
PID 3156 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe
PID 3156 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe | C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe

Processes

C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe

"C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZgvUYcgWaiQFD.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZgvUYcgWaiQFD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AAA.tmp"

C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe

"C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe"

C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe

"C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe"

C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe

"C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe"

C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe

"C:\Users\Admin\AppData\Local\Temp\new order (June - 2024).exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ipify.org | udp

Files

memory/3156-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

memory/3156-1-0x0000000000770000-0x0000000000818000-memory.dmp

memory/3156-2-0x00000000057D0000-0x0000000005D74000-memory.dmp

memory/3156-3-0x0000000005220000-0x00000000052B2000-memory.dmp

memory/3156-4-0x00000000051D0000-0x00000000051DA000-memory.dmp

memory/3156-6-0x00000000054D0000-0x000000000556C000-memory.dmp

memory/3156-5-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/3156-7-0x0000000005410000-0x0000000005422000-memory.dmp

memory/3156-8-0x0000000005580000-0x0000000005588000-memory.dmp

memory/3156-9-0x00000000057A0000-0x00000000057AC000-memory.dmp

memory/3156-10-0x0000000007CA0000-0x0000000007D24000-memory.dmp

memory/4000-15-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4000-16-0x0000000002100000-0x0000000002136000-memory.dmp

memory/4000-17-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4000-18-0x0000000004C00000-0x0000000005228000-memory.dmp

memory/2404-19-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/2404-21-0x0000000074AC0000-0x0000000075270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9AAA.tmp

MD5 fb25d31e94410f245705b800fffc5984
SHA1 268cda48a9efef79d847496294093df5f861f6e4
SHA256 de03c1d7f2871a5a520afbfc5268ec11e168573ac5e4a823dbf357918d98fecc
SHA512 bde87dc091d7874d9b4f34b683a8834f9272a87a72a199f6678049879119ec2d8aaddcd0ea8561e25a9a6d80715d1a6635e937673bd7e2eb1c53901c9238df11

memory/2404-22-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4000-23-0x0000000004A60000-0x0000000004A82000-memory.dmp

memory/4000-24-0x0000000005230000-0x0000000005296000-memory.dmp

memory/4000-25-0x00000000053D0000-0x0000000005436000-memory.dmp

memory/4000-44-0x0000000005540000-0x0000000005894000-memory.dmp

memory/3048-45-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u23svih4.r1u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4000-47-0x0000000005A10000-0x0000000005A2E000-memory.dmp

memory/3156-49-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4000-48-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

memory/2404-51-0x000000006FA10000-0x000000006FA5C000-memory.dmp

memory/4000-61-0x000000006FA10000-0x000000006FA5C000-memory.dmp

memory/2404-67-0x0000000006CA0000-0x0000000006CBE000-memory.dmp

memory/4000-72-0x0000000006C30000-0x0000000006CD3000-memory.dmp

memory/2404-50-0x0000000006CC0000-0x0000000006CF2000-memory.dmp

memory/2404-73-0x0000000007480000-0x0000000007AFA000-memory.dmp

memory/2404-74-0x0000000006E40000-0x0000000006E5A000-memory.dmp

memory/4000-75-0x0000000006DB0000-0x0000000006DBA000-memory.dmp

memory/4000-76-0x0000000006FC0000-0x0000000007056000-memory.dmp

memory/4000-77-0x0000000006F50000-0x0000000006F61000-memory.dmp

memory/4000-78-0x0000000006F80000-0x0000000006F8E000-memory.dmp

memory/4000-79-0x0000000006F90000-0x0000000006FA4000-memory.dmp

memory/2404-80-0x0000000007180000-0x000000000719A000-memory.dmp

memory/2404-81-0x0000000007160000-0x0000000007168000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4c545b4f21ff23409b2648883cfb53a8
SHA1 784fd56f8083988e4004d27c137b85f0d2039a08
SHA256 208e0578eb58051593c29a4a380d81cda9015f49ea402ddb56354131f98a96fa
SHA512 1a50bdb0792f7515f13c91f986e85482ed40bec091986b65258d946c5bdc541344b7e593c9b80ee65b4b016af004767e8f875c68ec08f023b0de91dc45dea026

memory/2404-88-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/4000-87-0x0000000074AC0000-0x0000000075270000-memory.dmp

memory/3048-90-0x00000000071A0000-0x00000000071F0000-memory.dmp