Malware Analysis Report

2024-11-13 13:55

Sample ID 240722-me5yzatalq
Target open ai sora.zip
SHA256 39f2614e343b7a2f507e71ab706ab6d83f5016401598d6464f43a38065947f6d
Tags
persistence spyware stealer ducktail
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39f2614e343b7a2f507e71ab706ab6d83f5016401598d6464f43a38065947f6d

Threat Level: Known bad

The file open ai sora.zip was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer ducktail

Ducktail family

Detect Ducktail Third Stage Payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 10:25

Signatures

Detect Ducktail Third Stage Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ducktail family

ducktail

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 10:23

Reported

2024-07-22 10:29

Platform

win7-20240705-en

Max time kernel

121s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data removed] | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2712 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 272 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2712 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2712 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 2712 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ipinfo.io | udp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 c64e6bd139b059a89b7891b71849a8a6
SHA1 1239693fc282a0af76d5bd6dd058d07bd2a006fc
SHA256 3d936475f1f61e16db2337ab1ebc87f64b75cf3a23359c3109bb2cce4bd7d361
SHA512 26432a86b464756742eca563f8e89c877f8e7192bcd219c5be308cfbc65b1fc8ab9057406e275028e33a19a9fe68933b2e6d3e6d1c672a8df068c41159be0923

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 10:23

Reported

2024-07-22 10:29

Platform

win10v2004-20240709-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed = "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe" | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4800 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4800 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 4800 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe
PID 4800 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe | C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe

"C:\Users\Admin\AppData\Local\Temp\Open AI Sora Vesion 5.42.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ipinfo.io | udp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_se04fo25.4un.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9d05d6497e72db714e9514d94c9637eb
SHA1 8b73f21ce949081fadc765c115b69a296ef4a348
SHA256 39fb85e1825a49836197b296cb43ce2179c11a5ea8c9b30b1136d568a3d62eb4
SHA512 4aa8b28c4c54deb6db4294776f2ad850dddb65bd7105248f2967ea1d751b74674e4db50f1390f20357566021b8449eff5d27d4ba45c0e6598ae9a47c61a38bb8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0b4097d9637a3f2f66caed369d4dc348
SHA1 d1965264232a936c0ab1d0716c3ef821168966f1
SHA256 c401368a6b1bd05664d5c48ca7f9ac4977f30ead189b90e6b5c468a08ec6952d
SHA512 c2136bd5ebef8b2665d01098001a755964d6670ca5317f33eb93a4494e9b26e2f715a299d25b44a8407b6b2e7a32840b8d239ad1e301c48965c7c55fe45c7052