Malware Analysis Report

2024-12-07 22:17

Sample ID 240808-nmvzeashlq
Target Request for Quotation.jar
SHA256 6afa6e45dd17f3db5a8d4e3856f735844a6607ed805fef058e207b1bdc5c19f7
Tags: remcos remotehost discovery execution rat
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 6afa6e45dd17f3db5a8d4e3856f735844a6607ed805fef058e207b1bdc5c19f7

Threat Level: Known bad

The file Request for Quotation.jar was found to be: Known bad.

Malicious Activity Summary

remcos remotehost discovery execution rat

Remcos

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-08-08 11:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-08 11:31
Reported: 2024-08-08 11:33
Platform: win7-20240704-en
Max time kernel: 149s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1824 set thread context of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1824 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1824 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1824 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1824 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1824 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1824 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1824 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1824 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1824 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\schtasks.exe
PID 1824 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\schtasks.exe
PID 1824 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\schtasks.exe
PID 1824 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\schtasks.exe
PID 1824 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 1824 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ToHYZKAyCCa.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ToHYZKAyCCa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA39F.tmp"

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 eadzagba1.duckdns.org udp
US 198.46.178.133:4877 eadzagba1.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp

Files

memory/1824-0-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

memory/1824-1-0x00000000009A0000-0x0000000000A92000-memory.dmp

memory/1824-3-0x0000000000600000-0x000000000061A000-memory.dmp

memory/1824-2-0x0000000073EE0000-0x00000000745CE000-memory.dmp

memory/1824-4-0x0000000000370000-0x000000000037E000-memory.dmp

memory/1824-5-0x0000000000430000-0x0000000000446000-memory.dmp

memory/1824-6-0x0000000007380000-0x0000000007440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA39F.tmp

MD5 194b5da42933d8f211411cc5882ac3e4
SHA1 27f24071bb3202b5f82d8d228e14f7cd1f7a0884
SHA256 9fe6b46cebaf69979c265dd644149f4969e16cae48d9a302b23ab1be8070d6ee
SHA512 380c37f51b7fd704263fd9d18187626840dcecc912cb0d07dd74770b26e6a79c30b93e461438dfd404f5a5cfa55f0608dff694c939e696c895eb8905004ce900

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YWVD1YYL5UXYECHF3UR6.temp

MD5 afd0c0b850d55100d9fdeae0c4d1a227
SHA1 0e63192301bbf8fb7095566d78755ee519316096
SHA256 6f4098aa13c903dc9215441442ae3cfc4f82bce534a47e57cdc0f3444fc03867
SHA512 90f8267ee75a617925be99e5bce9883a79fbc34439682c1f64628c1de47274a56c93c44850fc014f9c9e57ce00e016b66be9c12a30e8f8736693f0db884b17ec

memory/3036-19-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-22-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-25-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3036-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-31-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-29-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-27-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-23-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1824-39-0x0000000073EE0000-0x00000000745CE000-memory.dmp

memory/3036-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-43-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3036-52-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-08 11:31
Reported: 2024-08-08 11:33
Platform: win10v2004-20240802-en
Max time kernel: 148s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4696 set thread context of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4696 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4696 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4696 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4696 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4696 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4696 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4696 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\schtasks.exe
PID 4696 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\schtasks.exe
PID 4696 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Windows\SysWOW64\schtasks.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
PID 4696 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ToHYZKAyCCa.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ToHYZKAyCCa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF03.tmp"

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe

"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 eadzagba1.duckdns.org udp
US 198.46.178.133:4877 eadzagba1.duckdns.org tcp
US 8.8.8.8:53 133.178.46.198.in-addr.arpa udp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4696-0-0x00000000750DE000-0x00000000750DF000-memory.dmp

memory/4696-1-0x0000000000740000-0x0000000000832000-memory.dmp

memory/4696-2-0x00000000056E0000-0x0000000005C84000-memory.dmp

memory/4696-3-0x00000000051E0000-0x0000000005272000-memory.dmp

memory/4696-4-0x00000000053A0000-0x00000000053AA000-memory.dmp

memory/4696-5-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/4696-6-0x0000000005480000-0x000000000551C000-memory.dmp

memory/4696-7-0x0000000005520000-0x000000000553A000-memory.dmp

memory/4696-8-0x0000000005540000-0x000000000554E000-memory.dmp

memory/4696-9-0x0000000005560000-0x0000000005576000-memory.dmp

memory/4696-10-0x00000000081B0000-0x0000000008270000-memory.dmp

memory/4772-15-0x0000000002AF0000-0x0000000002B26000-memory.dmp

memory/4772-16-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/4772-17-0x00000000056E0000-0x0000000005D08000-memory.dmp

memory/4772-18-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/4772-19-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2028-20-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/4772-23-0x0000000005DF0000-0x0000000005E56000-memory.dmp

memory/4772-22-0x0000000005D80000-0x0000000005DE6000-memory.dmp

memory/4772-21-0x0000000005650000-0x0000000005672000-memory.dmp

memory/2028-24-0x00000000750D0000-0x0000000075880000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j44zdviv.wfj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4772-32-0x0000000005E60000-0x00000000061B4000-memory.dmp

memory/2028-31-0x00000000750D0000-0x0000000075880000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEF03.tmp

MD5 f2e7c5c9f848044d277b5407e57ac142
SHA1 d99b30c14f3540a2f70d1a3e405b232528b5e1c3
SHA256 7f0a0939b64d11b8f6b1db1239a85b743983be10bfcfe73d5f6e9cc0fc9d5ec0
SHA512 27dc485c94c5189bfce1646972792a52a9b653bbcb5bc3a311bd845797884b7d3866ac0ba8e28a03d5f8cede9bccdc8b3bbd23f8fa883bed986c963182d6be67

memory/4980-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4980-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4696-50-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/4980-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4772-51-0x0000000006420000-0x000000000643E000-memory.dmp

memory/4772-52-0x00000000068D0000-0x000000000691C000-memory.dmp

memory/4980-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2028-54-0x00000000073D0000-0x0000000007402000-memory.dmp

memory/4772-55-0x0000000075980000-0x00000000759CC000-memory.dmp

memory/2028-66-0x0000000075980000-0x00000000759CC000-memory.dmp

memory/4772-65-0x0000000007600000-0x000000000761E000-memory.dmp

memory/2028-76-0x0000000007440000-0x00000000074E3000-memory.dmp

memory/2028-77-0x0000000007BB0000-0x000000000822A000-memory.dmp

memory/2028-78-0x0000000007570000-0x000000000758A000-memory.dmp

memory/4980-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4980-80-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4772-81-0x00000000077B0000-0x00000000077BA000-memory.dmp

memory/4980-82-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4772-83-0x00000000079C0000-0x0000000007A56000-memory.dmp

memory/4772-84-0x0000000007940000-0x0000000007951000-memory.dmp

memory/2028-87-0x00000000077A0000-0x00000000077AE000-memory.dmp

memory/2028-88-0x00000000077B0000-0x00000000077C4000-memory.dmp

memory/4772-89-0x0000000007A80000-0x0000000007A9A000-memory.dmp

memory/4772-90-0x0000000007A60000-0x0000000007A68000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bef314ceaec63f2bb2f47b26cdf92c09
SHA1 68d8d78e6efdb806aa2b750e9c1269c661def8ad
SHA256 b0b93e57d9ec894d53eefcd629bd81179c14e2d3956128209023469661cc15aa
SHA512 d733747fe6b9de375a8ef731cf56f15e241b5f3b70c3417453d3545a8332d74ded92318439c0e63e2a450c8e915a647fa47ca88ccd062c8aa21536d3d88c0fbe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/4772-97-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/2028-96-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/4980-98-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4980-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4980-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4980-101-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4980-102-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4980-103-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4980-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4980-104-0x0000000000400000-0x0000000000482000-memory.dmp