Malware Analysis Report

2025-08-11 08:30

Sample ID 241103-zjjmratglh
Target 24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338
SHA256 24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338
Tags discovery, execution
Score 8/10

Analysis Overview

score
8/10

SHA256

24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338

Threat Level: Likely malicious

The file 24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338 was found to be: Likely malicious.

Malicious Activity Summary

discovery execution

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Drops startup file

Deletes itself

Executes dropped EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-03 20:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 20:44

Reported

2024-11-03 20:47

Platform

win7-20240903-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2088 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe C:\Windows\SysWOW64\schtasks.exe
PID 2088 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
PID 2088 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe

"C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 20:50 /du 23:59 /sc daily /ri 1 /f

C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe

"C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC12D.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 6

Network

N/A

Files

memory/2088-0-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

memory/2088-1-0x0000000001300000-0x0000000001324000-memory.dmp

\Users\Admin\AppData\Roaming\ACCApi\apihost.exe

MD5 585c7471080b240b532ac06e6f2b1abd
SHA1 5d61da778845d49fe7b60e7195d68d5af4341fb5
SHA256 868573d904c4ec22f1e4402329864881b681a0683a96b5b1094bad9a0bc65342
SHA512 e9a18f63810aa3bc8ed642217f3427d34a64034e1c5a788abae39c2f3b3e603b7e8c751e4cf78937212cbb95d88b8a658881c2d8584a36044936357e87d81752

memory/1584-10-0x0000000000CD0000-0x0000000000CF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC12D.tmp.cmd

MD5 fc60269505c04780d70aa55947f209bb
SHA1 e31c5fac2521d556546e0aff041e9735f841800c
SHA256 a1469c80b4506bf2bd5ffead834ff586d197a332e7c3581d5cada5d376181963
SHA512 21978ada659ff7301868e7577db371ab2b31855a419118daadb0ec5fe02a4b5386269cc839ca2ea3547ca61e18d69834d4028e69d4ecdf1aa9f9df6d959e62bb

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 20:44

Reported

2024-11-03 20:47

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\apihost.exe.lnk C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3076 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3076 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe C:\Windows\SysWOW64\schtasks.exe
PID 3076 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe
PID 3076 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe

"C:\Users\Admin\AppData\Local\Temp\24a23986595cddd1f5ece2a39b39349a0d7101dd98c69b000b54432a3bb9e338.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe" /st 20:50 /du 23:59 /sc daily /ri 1 /f

C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe

"C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC38E.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\ACCApi\apihost.exe

MD5 1d05ba175d6c78ed694dec4625826759
SHA1 1da12c706cd2d8b4150a873c15e2580921888a44
SHA256 793290ad562a6a9a8b41f37554ecb0b1656aea8b8af84f521deb39f9d0414c5a
SHA512 a719602692f3d13c3ff97929afd3e0868958c758855d65d26ab90a2bbbd838d89162b4ac801cd900afc01b5884ab1fc56dc74b1824b7fc4ebb918087a4edc141

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_riggcscd.fys.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmpC38E.tmp.cmd

MD5 22efc612a01c7d3dc23e7174118bdaa4
SHA1 06f59e4221ad6aed725f09b06462bc0d140f177e
SHA256 826011bb724cf5fae821d49be1aa7f77c4835667cc2b5cb8b8e5236a195974bb
SHA512 229756e3305315d37962bfcbfded2fc8d3b8b119975f7796c8b91bd3bd13f361a74990dd1917e7ed8a1cc9ffa7b0d50941814c338064c2efb1af97eb10398fad
