Malware Analysis Report

2024-11-30 05:43

Sample ID 240619-pcgjpsvbnj
Target Material Attached.rar
SHA256 6ca918364f245de1a51b369ba01fd5153084d19815a2e3d254f4a86c77d6d2c5
Tags
agenttesla execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

6ca918364f245de1a51b369ba01fd5153084d19815a2e3d254f4a86c77d6d2c5

Threat Level: Known bad

The file Material Attached.rar was found to be: Known bad.

Execution chain observed in both behavioral runs below: Material Attached.exe (the archive's payload) launches two PowerShell instances that add Windows Defender exclusions (for its own path and for C:\Users\Admin\AppData\Roaming\kDtrwbEktsDpCd.exe), registers a scheduled task "Updates\kDtrwbEktsDpCd" from an XML file in %TEMP%, then writes into a freshly started RegSvcs.exe and replaces that process's thread context (process hollowing). The hollowed RegSvcs.exe sets a Run key (VmkjVd), looks up the host's external IP via api.ipify.org and opens an SMTP session to webmail.standardengg-works.com on port 587, consistent with AgentTesla's SMTP exfiltration.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 12:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 12:10

Reported

2024-06-19 12:13

Platform

win7-20240220-en

Max time kernel

120s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\VmkjVd = "C:\\Users\\Admin\\AppData\\Roaming\\VmkjVd\\VmkjVd.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3012 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 3012 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 3012 wrote to memory of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 3012 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 3012 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | 12
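The SetThreadContext and WriteProcessMemory tables above only become a verdict when read together: the child that was both written to and had its thread context replaced by the same source is the hollowed host, while children that were only written to (at the same small count each) look like ordinary process start-up. The following is an added example, not part of the sandbox report, that parses rows in the report's own wording and applies that correlation; the row list is constructed from behavioral1 with the report's per-target counts.

```python
"""Correlate sandbox memory-write and thread-context rows into an injection verdict."""
import re
from collections import defaultdict

MATERIAL = r"C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed sample: the SetThreadContext and WriteProcessMemory rows of
# behavioral1 as (description, process, target) triples, with the same
# per-target row counts as the report (4, 4, 4 and 12 writes).
SAMPLE_ROWS = (
    [("PID 3012 set thread context of 2808", MATERIAL, REGSVCS)]
    + [("PID 3012 wrote to memory of 2384", MATERIAL, POWERSHELL)] * 4
    + [("PID 3012 wrote to memory of 2412", MATERIAL, POWERSHELL)] * 4
    + [("PID 3012 wrote to memory of 2624", MATERIAL, SCHTASKS)] * 4
    + [("PID 3012 wrote to memory of 2808", MATERIAL, REGSVCS)] * 12
)

# Matches the sandbox's own row wording for both signature types.
_ROW = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def correlate(rows):
    """Return {target_pid: record} with write/context counts and a verdict.

    A target that was both written to and had a thread context replaced by
    the same source is classified as hollowing (T1055.012). Writes alone,
    at the same small count for every child, match ordinary process
    start-up and are reported as "child-spawn" rather than injection.
    """
    recs = defaultdict(lambda: {"source": None, "target": None, "writes": 0, "context": 0})
    for desc, source, target in rows:
        m = _ROW.match(desc)
        if not m:
            continue
        src, kind, dst = int(m.group(1)), m.group(2), int(m.group(3))
        rec = recs[(src, dst)]
        rec["source"], rec["target"] = source, target
        rec["context" if kind.startswith("set thread") else "writes"] += 1

    verdicts = {}
    for (src, dst), rec in recs.items():
        if rec["context"] and rec["writes"]:
            verdict = "hollowing"
        elif rec["context"]:
            verdict = "context-only"  # thread hijack without writes: still worth a look
        else:
            verdict = "child-spawn"
        verdicts[dst] = {**rec, "source_pid": src, "verdict": verdict}
    return verdicts


def baseline_write_count(verdicts):
    """Most common write count among plain child spawns; a target far above it is the outlier."""
    counts = [r["writes"] for r in verdicts.values() if r["verdict"] == "child-spawn"]
    return max(set(counts), key=counts.count) if counts else 0


if __name__ == "__main__":
    result = correlate(SAMPLE_ROWS)
    print("baseline writes per spawned child:", baseline_write_count(result))
    for pid, rec in sorted(result.items()):
        print(pid, rec["verdict"], rec["writes"], "writes", rec["context"], "context changes", rec["target"])
```

Run against behavioral2's rows the same logic singles out PID 3768 (8 writes plus a context change) and leaves 1228, the first RegSvcs.exe, in the child-spawn group with the same three writes as the PowerShell and schtasks children.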

Processes

C:\Users\Admin\AppData\Local\Temp\Material Attached.exe

"C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kDtrwbEktsDpCd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kDtrwbEktsDpCd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7169.tmp"

Note: the command lines name System32 but the images that ran are the SysWOW64 copies. That is WoW64 file system redirection: the parent, Material Attached.exe, is a 32-bit process, so its requests for System32\...\powershell.exe and System32\schtasks.exe resolved to SysWOW64. Rules that match on the image path should accept either directory. The task is created from an XML file (tmp7169.tmp, hashed under Files); the report records neither the XML contents nor any file written to C:\Users\Admin\AppData\Roaming\kDtrwbEktsDpCd.exe, the path the second Defender exclusion covers, so the task's action is not visible here.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
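The process list above gives three command-line patterns worth turning into detection logic: a Defender exclusion added from PowerShell, a scheduled task created from an XML file in a temp directory, and a signed .NET utility (RegSvcs.exe) started with no arguments by a parent living in a user-writable directory. What follows is an added example, not the sandbox's or the malware's code, that evaluates those rules over process-creation events. The events are constructed from this report's command lines and PIDs; the parent PID 1000, the benign control process, the RegAsm.exe entry in the host list and the ATT&CK IDs in the rule names are assumptions of the example.

```python
"""Rules over process-creation events for the chain seen in this report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as the kernel reports it
    cmdline: str   # command line as the parent supplied it


MATERIAL = r"C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed sample, transcribed from the behavioral1 process list and the
# PIDs in its WriteProcessMemory table. Parent PID 1000 and the benign
# control process (PID 4100) are assumed, not taken from the report.
SAMPLE_EVENTS = [
    ProcEvent(3012, 1000, MATERIAL, f'"{MATERIAL}"'),
    ProcEvent(2384, 3012, PS_IMAGE, f'{PS_CMD} Add-MpPreference -ExclusionPath "{MATERIAL}"'),
    ProcEvent(2412, 3012, PS_IMAGE,
              PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kDtrwbEktsDpCd.exe"'),
    ProcEvent(2624, 3012, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kDtrwbEktsDpCd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7169.tmp"'),
    ProcEvent(2808, 3012, REGSVCS, f'"{REGSVCS}"'),
    # Benign control (assumed): an interactive shell with no arguments.
    ProcEvent(4100, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
]

# Signed .NET utilities commonly used as hollowing hosts. RegSvcs.exe is the
# one in this report; RegAsm.exe is an assumed addition.
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_args(cmdline):
    """Split a Windows command line, dropping the quotes around quoted tokens."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def normalize_path(path):
    """Fold WoW64 file system redirection so image path and command line compare equal.

    A 32-bit parent that asks for System32 is handed the SysWOW64 copy, which
    is why the report shows SysWOW64 images under System32 command lines.
    """
    return re.sub(r"\\syswow64\\", r"\\system32\\", path.lower())


def arg_after(args, flag):
    """Value following a flag, matched case-insensitively; None if absent."""
    low = [a.lower() for a in args]
    if flag in low:
        i = low.index(flag)
        if i + 1 < len(args):
            return args[i + 1]
    return None


def in_user_writable_dir(path):
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or "\\programdata\\" in p


def evaluate(events):
    """Return (rule_id, pid, detail) hits in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = normalize_path(e.image).rsplit("\\", 1)[-1]
        args = split_args(e.cmdline)
        lowargs = [a.lower() for a in args]
        parent = by_pid.get(e.ppid)

        # 1. Defender exclusion added from the command line (T1562.001).
        if name == "powershell.exe" and "add-mppreference" in lowargs and "-exclusionpath" in lowargs:
            hits.append(("T1562.001", e.pid, arg_after(args, "-exclusionpath")))

        # 2. Scheduled task registered from an XML file in a temp directory (T1053.005).
        if name == "schtasks.exe" and "/create" in lowargs and "/xml" in lowargs:
            xml = arg_after(args, "/xml") or ""
            if "\\temp\\" in xml.lower():
                hits.append(("T1053.005", e.pid, arg_after(args, "/tn")))

        # 3. .NET utility started with no arguments by a parent in a
        #    user-writable directory: the hollowing host pattern (T1055.012).
        if name in INJECTION_HOSTS and len(args) == 1 and parent and in_user_writable_dir(parent.image):
            hits.append(("T1055.012", e.pid, parent.image))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in evaluate(SAMPLE_EVENTS):
        print(rule, pid, detail)
```

Rule 3 deliberately keys on the parent's location rather than on RegSvcs.exe alone; RegSvcs.exe started by a build tool from Program Files would not fire.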

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 172.67.74.152:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | webmail.standardengg-works.com | udp
US | 198.12.232.100:587 | webmail.standardengg-works.com | tcp

Files

memory/3012-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

memory/3012-1-0x0000000000C50000-0x0000000000D48000-memory.dmp

memory/3012-2-0x00000000742A0000-0x000000007498E000-memory.dmp

memory/3012-3-0x00000000003C0000-0x00000000003D2000-memory.dmp

memory/3012-4-0x0000000000630000-0x0000000000638000-memory.dmp

memory/3012-5-0x0000000000640000-0x000000000064C000-memory.dmp

memory/3012-6-0x00000000050F0000-0x0000000005186000-memory.dmp

memory/3012-7-0x00000000056A0000-0x0000000005724000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7169.tmp

MD5 e24b795e062083d1c6b97b37ce69a25c
SHA1 e95821380d8d0f1c001f1d97d073c50dccc6ba28
SHA256 4f70af7b44382695555d1f26841112ea04c6fda05f3e5ecac9008309b9f5f2cc
SHA512 4a1afebc3acd9921d1e1d395453a8a7d7dc2f8d41c1bf65b4813193c8bfbe7d923dbe5b658f0e0eb8fb5f0d73f640021df557f1bb8f8282463357eee4d7c41bb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3FO364L27K6TLJOGO8KC.temp

MD5 e184671217f5ab78d6c798c6351411ef
SHA1 81fdbd843635ba805fbc5c8109496f6da3d49b27
SHA256 b6891991bb366dc140867a2ad4fb7e31c2c220cce1e0b4204aeb3a00dd129c1d
SHA512 196196dc68a4d53e5dab72f7815f48d4f58c6a67030946af7a648cc76902d87abfeb3ede55fc44dc54ab0ab9872223fcdf17b9bf5050a7f045dc3abf2ecc5d83

memory/2808-20-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2808-31-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2808-30-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2808-29-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2808-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2808-24-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2808-22-0x0000000000400000-0x0000000000444000-memory.dmp

memory/2808-26-0x0000000000400000-0x0000000000444000-memory.dmp

memory/3012-32-0x00000000742A0000-0x000000007498E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 12:10

Reported

2024-06-19 12:13

Platform

win10v2004-20240611-en

Max time kernel

136s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VmkjVd = "C:\\Users\\Admin\\AppData\\Roaming\\VmkjVd\\VmkjVd.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1852 set thread context of 3768 | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1852 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1852 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 1852 wrote to memory of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 1852 wrote to memory of 1228 | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | 3
PID 1852 wrote to memory of 3768 | N/A | C:\Users\Admin\AppData\Local\Temp\Material Attached.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | 8

Processes

C:\Users\Admin\AppData\Local\Temp\Material Attached.exe

"C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Material Attached.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kDtrwbEktsDpCd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kDtrwbEktsDpCd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA33.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Note: two RegSvcs.exe instances were started in this run (PIDs 1228 and 3768 in the WriteProcessMemory table). Only 3768 had its thread context replaced and only 3768 has memory regions recorded under Files, so it is the instance that hosted the payload; 1228 received the same three writes as the PowerShell and schtasks children and nothing more.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.12.205:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | webmail.standardengg-works.com | udp
US | 198.12.232.100:587 | webmail.standardengg-works.com | tcp
US | 8.8.8.8:53 | 100.232.12.198.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Note: the in-addr.arpa rows are reverse (PTR) lookups of addresses the guest contacted, and tse1.mm.bing.net is typical Windows 10 background traffic; neither is attributable to the sample, and 8.8.8.8 is the sandbox's resolver rather than an indicator. The sample's own traffic is the same as in behavioral1: the api.ipify.org lookup and the SMTP session to webmail.standardengg-works.com on port 587. api.ipify.org resolved to a different address in each run (172.67.74.152 and 104.26.12.205), so pin the domain, not the address.
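Both Network tables mix three kinds of rows: resolver and reverse-lookup noise, Windows background traffic, and the sample's own external-IP check followed by an SMTP submission. The following is an added example, not the sandbox's output, that classifies rows in the report's format and pulls out the indicators worth keeping; the row list is constructed from the behavioral2 table above, and the allow-lists of IP-check services and Windows background domains beyond api.ipify.org and tse1.mm.bing.net are assumptions of the example.

```python
"""Classify sandbox network rows and extract the sample's own indicators."""

# Constructed sample: the behavioral2 Network rows above, country column dropped.
SAMPLE_ROWS = [
    ("8.8.8.8:53", "183.142.211.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "88.156.103.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "api.ipify.org", "udp"),
    ("104.26.12.205:443", "api.ipify.org", "tcp"),
    ("8.8.8.8:53", "205.12.26.104.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "webmail.standardengg-works.com", "udp"),
    ("198.12.232.100:587", "webmail.standardengg-works.com", "tcp"),
    ("8.8.8.8:53", "100.232.12.198.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
]

# Assumed allow-list of external-IP lookup services; the report shows only api.ipify.org.
IP_CHECK_SERVICES = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}
# Assumed allow-list of Windows background destinations; the report shows tse1.mm.bing.net.
OS_BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")
MAIL_SUBMISSION_PORTS = {25, 465, 587}


def classify(dest, domain, proto):
    """Label one row. Order matters: DNS to the resolver is checked before the domain."""
    port = int(dest.rsplit(":", 1)[1])
    if domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"        # reverse lookups of contacted addresses, not sample behaviour
    if port == 53:
        return "dns"               # the resolver (8.8.8.8 here) is sandbox configuration
    if domain in IP_CHECK_SERVICES:
        return "external-ip-check"
    if port in MAIL_SUBMISSION_PORTS and proto == "tcp":
        return "smtp"
    if domain.endswith(OS_BACKGROUND_SUFFIXES):
        return "os-background"
    return "other"


def extract(rows):
    """Return the indicators attributable to the sample and an overall verdict.

    The AgentTesla pattern seen in this report is an external-IP check
    followed by an SMTP session to a single mail host.
    """
    classified = []
    for dest, domain, proto in rows:
        ip, port = dest.rsplit(":", 1)
        classified.append((domain, ip, int(port), classify(dest, domain, proto)))

    iocs = sorted({(d, ip, p) for d, ip, p, cat in classified
                   if cat in ("external-ip-check", "smtp", "other")})
    smtp = [i for i in iocs if i[2] in MAIL_SUBMISSION_PORTS]
    ip_check = any(cat == "external-ip-check" for *_, cat in classified)
    if ip_check and smtp:
        verdict = "smtp-exfil"
    elif smtp:
        verdict = "smtp"
    else:
        verdict = "none"
    return {"iocs": iocs, "smtp": smtp, "ip_check": ip_check, "verdict": verdict}


if __name__ == "__main__":
    result = extract(SAMPLE_ROWS)
    print(result["verdict"])
    for domain, ip, port in result["iocs"]:
        print(f"{domain} {ip}:{port}")
```

Only the mail host is a stable indicator here; api.ipify.org is a public service whose address changes between runs, so it belongs on a domain watch-list for "external IP check from a non-browser process" rather than in an IP block-list.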

Files

memory/1852-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

memory/1852-1-0x0000000000B50000-0x0000000000C48000-memory.dmp

memory/1852-2-0x0000000005D60000-0x0000000006304000-memory.dmp

memory/1852-3-0x0000000005640000-0x00000000056D2000-memory.dmp

memory/1852-4-0x00000000031E0000-0x00000000031EA000-memory.dmp

memory/1852-5-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/1852-6-0x00000000058A0000-0x000000000593C000-memory.dmp

memory/1852-7-0x0000000006840000-0x0000000006D6C000-memory.dmp

memory/1852-8-0x0000000005D50000-0x0000000005D62000-memory.dmp

memory/1852-9-0x0000000006800000-0x0000000006808000-memory.dmp

memory/1852-10-0x0000000006810000-0x000000000681C000-memory.dmp

memory/1852-11-0x00000000092B0000-0x0000000009346000-memory.dmp

memory/1852-12-0x0000000009840000-0x00000000098C4000-memory.dmp

memory/4292-17-0x0000000002280000-0x00000000022B6000-memory.dmp

memory/4292-19-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/4292-20-0x0000000004E00000-0x0000000005428000-memory.dmp

memory/1852-18-0x00000000745BE000-0x00000000745BF000-memory.dmp

memory/4292-22-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/4292-21-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/4296-23-0x00000000745B0000-0x0000000074D60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q21rfnsh.n3d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4292-30-0x0000000005520000-0x0000000005586000-memory.dmp

memory/4292-31-0x0000000005590000-0x00000000055F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDA33.tmp

MD5 3c529f40835665622a2a05de90345d2d
SHA1 b31a4c3b17f14cdb73148328bbe96e009d766722
SHA256 9fae04574a0407954b989adf0b982b8ffe498fd2789466ac990c2ee651473aff
SHA512 adc01db08e9a869df5fa8954e8d349651b750185fe99f2607e07f8c9c49d2856e89a7d62980af85e93c3cc0d7a7d494e427c0fe0ed610dbcd1e75ee1263a5755

memory/1852-44-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/4292-43-0x0000000005600000-0x0000000005954000-memory.dmp

memory/4296-49-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/3768-50-0x0000000000400000-0x0000000000444000-memory.dmp

memory/4296-38-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/1852-52-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/4292-29-0x0000000005480000-0x00000000054A2000-memory.dmp

memory/4296-53-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

memory/4296-54-0x0000000005D10000-0x0000000005D5C000-memory.dmp

memory/4296-55-0x0000000006CC0000-0x0000000006CF2000-memory.dmp

memory/4296-66-0x0000000006C80000-0x0000000006C9E000-memory.dmp

memory/4292-67-0x0000000074E60000-0x0000000074EAC000-memory.dmp

memory/4296-77-0x0000000006F00000-0x0000000006FA3000-memory.dmp

memory/4296-56-0x0000000074E60000-0x0000000074EAC000-memory.dmp

memory/4292-78-0x0000000007570000-0x0000000007BEA000-memory.dmp

memory/4292-79-0x0000000006F20000-0x0000000006F3A000-memory.dmp

memory/4292-80-0x0000000006F90000-0x0000000006F9A000-memory.dmp

memory/4296-81-0x0000000007270000-0x0000000007306000-memory.dmp

memory/4292-82-0x0000000007120000-0x0000000007131000-memory.dmp

memory/4296-84-0x0000000007220000-0x000000000722E000-memory.dmp

memory/4296-85-0x0000000007230000-0x0000000007244000-memory.dmp

memory/4296-86-0x0000000007330000-0x000000000734A000-memory.dmp

memory/4292-87-0x0000000007240000-0x0000000007248000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0aa83a93781c39a58f0f4323db0b3bd9
SHA1 1d227818b583db26f58d042ad9428f73d11cc9f0
SHA256 861c4855f162b020a22faa5ec54baee54aa87f1c132cecaad145fd50573ed001
SHA512 b584964d17973a3a6893c0738fcd79cf66b2add7949409619b6573f5522bd801a3b983e555eba22ea93c78365d69409ad96618aaecd24598412c4fd18310f6cd

memory/4292-94-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/4296-93-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/3768-95-0x0000000006CC0000-0x0000000006D10000-memory.dmp