Malware Analysis Report

2024-11-30 05:42

Sample ID 240619-cvhs9swfqq
Target a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0
SHA256 a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0
Tags
agenttesla execution keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0

Threat Level: Known bad

The file a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads data files stored by FTP clients

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Techniques mapped from the signatures listed above and the command lines recorded in the behavioral runs:

T1059.001 Command and Scripting Interpreter: PowerShell (powershell.exe launched by the sample)

T1562.001 Impair Defenses: Disable or Modify Tools (Add-MpPreference -ExclusionPath for the running sample and for its persistence copy)

T1053.005 Scheduled Task/Job: Scheduled Task (schtasks /Create /TN "Updates\fXRbQKPp" /XML from a file in Temp)

T1055 Process Injection (repeated WriteProcessMemory into a second instance of the sample, with SetThreadContext: the process-hollowing pattern)

T1056.001 Input Capture: Keylogging (SetWindowsHookEx)

T1555.003 Credentials from Password Stores: Credentials from Web Browsers; T1552 Unsecured Credentials (FTP client data files, WinSCP keys in the registry, local email client profiles)

T1614 System Location Discovery (Control Panel\International\Geo\Nation)

T1016 System Network Configuration Discovery (external IP address via api.ipify.org and ip-api.com)

T1082 System Information Discovery (enumeration of physical storage devices)

T1057 Process Discovery (EnumeratesProcesses)

T1071.003 Application Layer Protocol: Mail Protocols (TCP 587 to mail.usgrovemall.com in the Windows 10 run)

Analysis: static1

Detonation Overview

Reported

2024-06-19 02:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 02:23

Reported

2024-06-19 02:26

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe N/A

Suspicious use of WriteProcessMemory

All writes come from the sample (PID 2176). The raw report lists one row per write event, so identical rows repeat; they are collapsed here with a count. The four writes into each powershell.exe and schtasks.exe child are the kind that accompany process creation itself. The nine writes into PID 2684, a second instance of the sample's own executable, together with the SetThreadContext signature in the summary, are the pattern of a loader hollowing a suspended copy of itself; PID 2684 is the process to dump (its 0x00400000-0x00442000 range appears repeatedly under Files).

Description Indicator Process Target Count
PID 2176 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 2176 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 2176 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2176 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe 9

Processes

Process chain (PIDs from the WriteProcessMemory table): the sample (PID 2176) runs from the user's Temp directory and spawns two powershell.exe instances (PIDs 2132 and 2776), one schtasks.exe (PID 2780) and a second copy of itself (PID 2684). Each child's image path reads C:\Windows\SysWOW64\... while its command line names C:\Windows\System32\...: the sample is a 32-bit process, and the WOW64 file-system redirector maps System32 to SysWOW64 for it. The two PowerShell commands add Microsoft Defender path exclusions, first for the running sample and then for C:\Users\Admin\AppData\Roaming\fXRbQKPp.exe, the name under which the sample intends to persist; the schtasks command registers a task named Updates\fXRbQKPp from an XML definition written to tmp4D36.tmp (hashes under Files). The report records command lines, not exit codes, and the Roaming copy is not among the dropped files, so whether the copy and the task took effect in this detonation cannot be read from this run. The last entry is the self-spawned copy that receives the WriteProcessMemory calls.

C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe

"C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fXRbQKPp.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fXRbQKPp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp"

C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe

"C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe"
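The detection logic a SOC would derive from this process chain, as an added example that is not part of the sandbox report. It runs over constructed process-creation and cross-process-write events in the shape of Sysmon Event ID 1 records and the WriteProcessMemory rows above; the PIDs, the name sample.exe standing in for the hash-named binary, and the two benign control events are made up for the test. Three rules cover the chain: a Defender exclusion for a path under a user profile, a scheduled task created from an XML file in Temp, and repeated writes into a second instance of the writer's own image.

```python
"""Host-side detection for the chain in this report: a binary running from a
user-writable directory drives powershell.exe to add Defender path exclusions,
drives schtasks.exe to register a task from an XML file in Temp, and writes
repeatedly into a second copy of itself. Added example, not part of the sandbox
report; the events below are constructed to mirror the report's command lines
and PIDs and are not taken from any real log."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record (Sysmon Event ID 1 field names)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


@dataclass(frozen=True)
class WriteEvent:
    """One cross-process memory write, as in the WriteProcessMemory table."""
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Argument values, quoted or bare.
EXCLUSION_ARG = re.compile(r'-ExclusionPath\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_XML_ARG = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)


def _arg(pattern: re.Pattern, cmdline: str) -> str:
    m = pattern.search(cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def detect_process(ev: ProcEvent) -> list[str]:
    """Names of the rules that fire on one process-creation event."""
    hits = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    # T1562.001: Defender exclusion for a path under a user profile. An admin
    # excluding a data drive does not match; a loader excluding itself does.
    if name == "powershell.exe" and re.search(r"\bAdd-MpPreference\b", ev.cmdline, re.I):
        if USER_WRITABLE.search(_arg(EXCLUSION_ARG, ev.cmdline)):
            hits.append("defender_exclusion_user_path")
    # T1053.005: task registered from an XML definition dropped in Temp.
    if name == "schtasks.exe" and re.search(r"/create\b", ev.cmdline, re.I):
        if TEMP_DIR.search(_arg(TASK_XML_ARG, ev.cmdline)):
            hits.append("schtasks_xml_from_temp")
    # Either LOLBin with a parent that itself runs out of Temp.
    if name in ("powershell.exe", "schtasks.exe") and TEMP_DIR.search(ev.parent_image):
        hits.append("lolbin_spawned_from_temp")
    return hits


def detect_self_injection(writes: list[WriteEvent], min_writes: int = 5) -> list[tuple[int, int, int]]:
    """(src_pid, dst_pid, count) for every process writing at least min_writes
    times into another process that runs the same image. The threshold (an
    assumption) separates hollowing from the few writes of ordinary child creation."""
    counts = Counter(
        (w.src_pid, w.dst_pid) for w in writes
        if w.src_pid != w.dst_pid and w.src_image.lower() == w.dst_image.lower()
    )
    return sorted((s, d, n) for (s, d), n in counts.items() if n >= min_writes)


# Constructed data mirroring the behavioral1 chain, plus two benign controls.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
EVENTS = [
    ProcEvent(2132, PS, rf'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "{SAMPLE}"', SAMPLE),
    ProcEvent(2776, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fXRbQKPp.exe"', SAMPLE),
    ProcEvent(2780, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fXRbQKPp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp"', SAMPLE),
    ProcEvent(5001, PS, r'powershell.exe Add-MpPreference -ExclusionPath "D:\SQLData"', r"C:\Windows\explorer.exe"),
    ProcEvent(5002, SCHTASKS, r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\task.xml"', r"C:\Program Files\Vendor\setup.exe"),
]
WRITES = (
    [WriteEvent(2176, SAMPLE, 2132, PS)] * 4
    + [WriteEvent(2176, SAMPLE, 2780, SCHTASKS)] * 4
    + [WriteEvent(2176, SAMPLE, 2684, SAMPLE)] * 9
)


def run() -> dict:
    """Apply both detectors to the constructed data; only firing events are kept."""
    process_hits = {}
    for ev in EVENTS:
        hits = detect_process(ev)
        if hits:
            process_hits[ev.pid] = hits
    return {"process": process_hits, "injection": detect_self_injection(WRITES)}


if __name__ == "__main__":
    for kind, result in run().items():
        print(kind, result)
```

In production the first detector would consume Sysmon Event ID 1 and the second an EDR's memory-write telemetry instead of the embedded lists. The threshold of five writes is an assumption chosen to sit between the four writes per LOLBin child and the nine writes into PID 2684 seen in this report; tune it against your own baseline, since the writes that accompany child creation vary with the parent's bitness.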

Network

Only two DNS queries were captured in the Windows 7 run, for the same two external-IP services the signatures flag; no TCP connection to either service, and no mail traffic, appears in this capture. Compare the Windows 10 run below, where the lookups are followed by an SMTP connection.

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 ip-api.com udp

Files

Two files reached disk: tmp4D36.tmp, the scheduled-task XML passed to schtasks /XML, and a jump-list entry under Recent\CustomDestinations that Windows writes when the executable is launched. Neither is a payload, and the persistence copy C:\Users\Admin\AppData\Roaming\fXRbQKPp.exe is not among them. The memory dumps are the record of interest: PID 2684's 0x00400000-0x00442000 range (entries 20 to 30) is the image region of the self-spawned child that received the WriteProcessMemory calls, and is the natural place to recover the unpacked AgentTesla payload for configuration extraction.

memory/2176-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

memory/2176-1-0x0000000000BA0000-0x0000000000C4A000-memory.dmp

memory/2176-2-0x00000000746D0000-0x0000000074DBE000-memory.dmp

memory/2176-3-0x0000000000310000-0x0000000000322000-memory.dmp

memory/2176-4-0x0000000000390000-0x0000000000398000-memory.dmp

memory/2176-5-0x00000000003A0000-0x00000000003AC000-memory.dmp

memory/2176-6-0x00000000044A0000-0x0000000004524000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 abe3cecb7553396602e5c94846258fae
SHA1 57aad9b5ff81f723a8de539ad5aa585e3ff694b3
SHA256 0d932a3cc07f55225c4701accbb137c945ed93f6bb3933ef69b910b600e0769f
SHA512 fd0ef30757e160536f1a540bde76b7609ece147b67e0185da9ac11eadf226a7f2ff3aef94e4700f17945fa932ce4196f23bac946326f91292137a567f4b0b265

C:\Users\Admin\AppData\Local\Temp\tmp4D36.tmp

MD5 ffa1fb77b0c6db7a98e267313a804b0d
SHA1 4f57e77b67164cd5ff0064915bc2f0ffad1198dd
SHA256 0dde9e83f15bf78afbc33b3fc1796ba8b7bb7be42d37f4b90539dcc3c7926897
SHA512 5e5927da23f65cc4730e67ec4a1f07c6ad7d883edb67105671736737581ce98270fc94fd9f7454d65d3b35f5be19ba5d9c187bc19bf345437ce423e553f01524

memory/2684-20-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2684-23-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2684-30-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2684-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2684-28-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2684-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2684-25-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2684-21-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2176-31-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 02:23

Reported

2024-06-19 02:26

Platform

win10v2004-20240611-en

Max time kernel

135s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe N/A

Suspicious use of WriteProcessMemory

All writes come from the sample (PID 2948). The raw report lists one row per write event; rows are collapsed here with a count. Same shape as the Windows 7 run: a few writes into each LOLBin child and eight into PID 2624, a second instance of the sample itself, the hollowing target whose 0x00400000-0x00442000 image range is dumped under Files.

Description Indicator Process Target Count
PID 2948 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2948 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 2948 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 2948 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe 8

Processes

Same chain as on Windows 7: the sample (PID 2948) spawns two powershell.exe instances (PIDs 4200 and 2676) that add Defender exclusions for the running sample and for C:\Users\Admin\AppData\Roaming\fXRbQKPp.exe, one schtasks.exe (PID 2420) that registers Updates\fXRbQKPp from an XML file in Temp (tmp686E.tmp here: the temporary file name changes per run, the task name does not), and a second copy of itself (PID 2624). Image paths read SysWOW64 because the 32-bit sample's System32 references are redirected by WOW64.

C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe

"C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fXRbQKPp.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fXRbQKPp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp686E.tmp"

C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe

"C:\Users\Admin\AppData\Local\Temp\a64fa2cb33b474ad9818a3db9850cd3a0403efcfa450cff2b47c3ba915fb5ca0.exe"

Network

Three groups of traffic. First, the sample's own: DNS and HTTPS to api.ipify.org (104.26.12.205:443) and DNS and HTTP to ip-api.com (208.95.112.1:80), the external-IP lookups flagged above, followed by DNS and a TCP connection to mail.usgrovemall.com at 192.250.227.28:587. Port 587 is SMTP submission, the channel AgentTesla commonly uses to mail collected data; the report records the connection but not its contents, so whether a message with credentials or keystrokes was actually delivered is not shown here. For blocking and hunting, mail.usgrovemall.com and 192.250.227.28:587 are the indicators that matter; the two IP-lookup services are shared public infrastructure and should not be blocklisted outright. Second, the *.in-addr.arpa queries are reverse (PTR) lookups of the addresses just contacted, generated by the analysis host's resolver, and are not indicators in their own right. Third, tse1.mm.bing.net over 443 is routine Windows 10 background traffic unrelated to the sample.

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.12.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 205.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 mail.usgrovemall.com udp
US 192.250.227.28:587 mail.usgrovemall.com tcp
US 8.8.8.8:53 28.227.250.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
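A correlation rule for the sequence in the table above (public-IP lookup, then outbound SMTP submission from the same host), as an added example that is not part of the report. The flow records are constructed to mirror the report's names, addresses and ports with invented timestamps; the two other hosts, the corporate relay 10.0.0.25 and the allowlist are made up to show the controls that keep the rule quiet on a workstation that legitimately sends mail.

```python
"""Correlation rule for the network sequence in behavioral2: a host asks a
public-IP echo service for its address and shortly afterwards opens an outbound
SMTP-submission connection. Added example, not part of the report; the flow
records are constructed to mirror the report's Network table (same names,
addresses and ports) with invented timestamps, and hosts ws-b and ws-c are
made-up controls."""
from collections import defaultdict
from dataclasses import dataclass

# The two services this sample used; extend with others as you meet them.
IP_ECHO_DOMAINS = {"api.ipify.org", "ip-api.com"}
MAIL_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since capture start (constructed)
    src_host: str
    dst_ip: str
    dst_port: int
    proto: str       # "udp" or "tcp"
    domain: str      # name the destination was resolved from, or the queried name


def is_noise(flow: Flow) -> bool:
    """Records that carry no signal for this rule: PTR lookups of addresses just
    contacted, and Windows background traffic such as Bing thumbnails."""
    return flow.domain.endswith(".in-addr.arpa") or flow.domain.endswith(".bing.net")


def correlate(flows, window_s=300, mail_allowlist=frozenset()):
    """One finding per SMTP connection that follows an IP-echo request from the
    same host within window_s seconds. A finding names the host, the mail
    destination, the most recent preceding IP-echo domain and the gap."""
    per_host = defaultdict(list)
    for f in flows:
        if not is_noise(f):
            per_host[f.src_host].append(f)
    findings = []
    for host, hf in per_host.items():
        hf.sort(key=lambda f: f.ts)
        echoes = [f for f in hf if f.proto == "tcp" and f.domain in IP_ECHO_DOMAINS]
        for m in hf:
            if m.proto != "tcp" or m.dst_port not in MAIL_PORTS or m.dst_ip in mail_allowlist:
                continue
            prior = [e for e in echoes if 0 <= m.ts - e.ts <= window_s]
            if prior:
                last = prior[-1]
                findings.append({"host": host, "mail_dst": f"{m.dst_ip}:{m.dst_port}",
                                 "mail_domain": m.domain, "ip_echo": last.domain,
                                 "delta_s": m.ts - last.ts})
    return findings


# Constructed flows: win10-a replays the report's sequence; ws-b talks to the
# corporate relay right after an IP check; ws-c has the two events too far apart.
FLOWS = [
    Flow(10, "win10-a", "8.8.8.8", 53, "udp", "api.ipify.org"),
    Flow(11, "win10-a", "104.26.12.205", 443, "tcp", "api.ipify.org"),
    Flow(12, "win10-a", "8.8.8.8", 53, "udp", "ip-api.com"),
    Flow(13, "win10-a", "208.95.112.1", 80, "tcp", "ip-api.com"),
    Flow(14, "win10-a", "8.8.8.8", 53, "udp", "1.112.95.208.in-addr.arpa"),
    Flow(20, "win10-a", "8.8.8.8", 53, "udp", "mail.usgrovemall.com"),
    Flow(21, "win10-a", "192.250.227.28", 587, "tcp", "mail.usgrovemall.com"),
    Flow(30, "win10-a", "150.171.27.10", 443, "tcp", "tse1.mm.bing.net"),
    Flow(40, "ws-b", "104.26.12.205", 443, "tcp", "api.ipify.org"),
    Flow(45, "ws-b", "10.0.0.25", 587, "tcp", "smtp.corp.example"),
    Flow(100, "ws-c", "208.95.112.1", 80, "tcp", "ip-api.com"),
    Flow(700, "ws-c", "203.0.113.9", 25, "tcp", "mx.example.net"),
]
CORP_RELAYS = frozenset({"10.0.0.25"})   # assumed corporate mail relay


def run() -> list:
    """Apply the rule with a five-minute window and the relay allowlist."""
    return correlate(FLOWS, window_s=300, mail_allowlist=CORP_RELAYS)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The allowlist is what makes the rule usable: hosts that legitimately speak SMTP submission need their relay addresses listed, and a real deployment would key the domain on the DNS answer the host received rather than a static set. The IP-echo services themselves are a signal only in this sequence, not a blocklist entry.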

Files

Apart from tmp686E.tmp (the task XML), the files written here are PowerShell's own start-up artifacts, not sample content: __PSScriptPolicyTest_*.ps1 is the probe PowerShell writes to test whether script enforcement (AppLocker/WDAC) applies to it, powershell.exe.log under CLR_v4.0_32\UsageLogs is the .NET usage log, and StartupProfileData-NonInteractive is the profile cache. They confirm that the PowerShell children really executed, and the CLR_v4.0_32 directory confirms they ran as 32-bit processes, matching the SysWOW64 image paths. As in the Windows 7 run, the self-spawned copy (PID 2624) has its 0x00400000-0x00442000 image range dumped; that dump is where to look for the unpacked payload.

memory/2948-0-0x000000007463E000-0x000000007463F000-memory.dmp

memory/2948-1-0x0000000000F80000-0x000000000102A000-memory.dmp

memory/2948-2-0x0000000006030000-0x00000000065D4000-memory.dmp

memory/2948-3-0x0000000005A80000-0x0000000005B12000-memory.dmp

memory/2948-4-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/2948-5-0x0000000005A20000-0x0000000005A2A000-memory.dmp

memory/2948-6-0x0000000005D20000-0x0000000005DBC000-memory.dmp

memory/2948-7-0x0000000005CA0000-0x0000000005CB2000-memory.dmp

memory/2948-8-0x0000000005CE0000-0x0000000005CE8000-memory.dmp

memory/2948-9-0x0000000005CF0000-0x0000000005CFC000-memory.dmp

memory/2948-10-0x0000000006D10000-0x0000000006D94000-memory.dmp

memory/4200-15-0x0000000002310000-0x0000000002346000-memory.dmp

memory/4200-16-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/4200-17-0x0000000004D30000-0x0000000005358000-memory.dmp

memory/4200-18-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/2676-19-0x0000000074630000-0x0000000074DE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp686E.tmp

MD5 c8fbcccd0098b01351537eef228cebb2
SHA1 834dc19b1cac113448c37a6760a8f489997dd624
SHA256 a6d33f3397efdc990f4ea20c15b256b72b1b9523fd8598df5bd99a9a38be9ece
SHA512 0e0ba8730392362663438f9b658ef386e6bfef5f24a8da9e1415f1080c9e6425e7ae31c5302232e4f6395741a5181ba525c49853b06b1e37bebe466baa8729fb

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eouj2gt1.voz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4200-28-0x0000000005530000-0x0000000005596000-memory.dmp

memory/4200-34-0x0000000005610000-0x0000000005676000-memory.dmp

memory/4200-39-0x0000000005680000-0x00000000059D4000-memory.dmp

memory/2676-44-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/2624-45-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2676-27-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/4200-26-0x0000000005490000-0x00000000054B2000-memory.dmp

memory/2676-47-0x0000000006180000-0x000000000619E000-memory.dmp

memory/2948-48-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/2676-49-0x0000000006430000-0x000000000647C000-memory.dmp

memory/2676-61-0x0000000007360000-0x000000000737E000-memory.dmp

memory/2676-51-0x000000006F590000-0x000000006F5DC000-memory.dmp

memory/2676-50-0x0000000007320000-0x0000000007352000-memory.dmp

memory/2676-62-0x0000000007390000-0x0000000007433000-memory.dmp

memory/2676-64-0x00000000076D0000-0x00000000076EA000-memory.dmp

memory/2676-63-0x0000000007D10000-0x000000000838A000-memory.dmp

memory/2676-75-0x0000000007740000-0x000000000774A000-memory.dmp

memory/4200-65-0x000000006F590000-0x000000006F5DC000-memory.dmp

memory/2676-76-0x0000000007950000-0x00000000079E6000-memory.dmp

memory/2676-77-0x00000000078D0000-0x00000000078E1000-memory.dmp

memory/2676-78-0x0000000007900000-0x000000000790E000-memory.dmp

memory/4200-79-0x0000000007190000-0x00000000071A4000-memory.dmp

memory/2676-80-0x0000000007A10000-0x0000000007A2A000-memory.dmp

memory/2676-81-0x00000000079F0000-0x00000000079F8000-memory.dmp

memory/2676-87-0x0000000074630000-0x0000000074DE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3c06f7c35e31239437bfdd70bea4dfcd
SHA1 dadf4ac07ca5c71b9ce563a5a484334f33874c88
SHA256 68e3cb100fc7208d7183f0ed0edca80a936101a07bb8e710d725d4581a7c043e
SHA512 808b74ac35a5953cdc8d94adb9e99b815d6d60d4258969510ec2b03b0c64ebb0ae330bbfa13c60b69188ab5c2aff6828fc6661dc322db33659d20ee4575b26ec

memory/4200-88-0x0000000074630000-0x0000000074DE0000-memory.dmp

memory/2624-89-0x0000000006CA0000-0x0000000006CF0000-memory.dmp