Malware Analysis Report

2024-12-07 16:13

Sample ID 241113-lmhb7ssnhp
Target 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe
SHA256 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c
Tags
discovery execution
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery execution

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Drops startup file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 09:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 09:38

Reported

2024-11-13 09:40

Platform

win7-20241023-en

Max time kernel

64s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1980 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
PID 1980 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe

"C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 09:43 /du 23:59 /sc daily /ri 1 /f

C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

"C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC6F7.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 6

Network

N/A

Files

memory/1980-0-0x000000007411E000-0x000000007411F000-memory.dmp

memory/1980-1-0x0000000001160000-0x000000000117C000-memory.dmp

\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

MD5 bbeed0d9c6692d2a8d3cbf10cb77e41f
SHA1 414ba4dc776491e96973e5838d20e8dabb55a82c
SHA256 6fca7d1e3548674cb6a62fcdee6999f2d1a96400aa8225a3290e8e4feff89a2b
SHA512 18bb8882a8dcfeb00b3b54a0d4244f579d3ceb69acbcbfea5e1d5ac369df81e572abfc90626596f0aa56d98eb47e900784fae1fda1e0a36c544f845592d13f68

C:\Users\Admin\AppData\Local\Temp\tmpC6F7.tmp.cmd

MD5 df16595c2d8b7a205518b629fe912980
SHA1 d8de8d473a8a9ccbf93a87bbd3aaf1e08ec132de
SHA256 b45b62d188b00c862d536b5de319cfc3cdf91c53d1e34ae6f96d8b6b80fb96db
SHA512 dd5dbff7ac7299f538d41e54af45cb2ae4c17feb9162ff9fab243b836f39338990ed3db0ca082251c0d9a7c9b5269785f0534d709d2f8a076b91560601f8b4ea

memory/2876-17-0x00000000003E0000-0x00000000003FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 09:38

Reported

2024-11-13 09:40

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SeedPhrase Converter.exe.lnk C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4132 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe C:\Windows\SysWOW64\schtasks.exe
PID 4132 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe
PID 4132 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe

"C:\Users\Admin\AppData\Local\Temp\2dff8c8875b3244143e5dcb63aa94985f4ef1650a1bcef446d50341a9424949c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Conventer.exe'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn Conventer /tr "C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe" /st 09:43 /du 23:59 /sc daily /ri 1 /f

C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

"C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9069.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Conventer.exe\SeedPhrase Converter.exe

MD5 426204109bb4aa0d1f70472b65c40412
SHA1 8bc861d2e04c0ca9f3adbb5585bda6fe8ea06bb4
SHA256 c33464f3642fdd812f4f529d3751be4b46aced6807616106b36fd7abae1a8de2
SHA512 3354c5aef2edcf3e561f6ba2054b83636d8c63010a3149742b4d601e74a69fc426b1203a4117eaf26ac28e0dd3b8e663efab6051b202382a7b546b6691b5647d

memory/4672-19-0x0000000074C40000-0x00000000753F0000-memory.dmp

memory/4672-20-0x00000000055A0000-0x00000000055C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzskzffy.4mx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4672-22-0x00000000056B0000-0x0000000005716000-memory.dmp

memory/4672-21-0x0000000005640000-0x00000000056A6000-memory.dmp

memory/4672-37-0x0000000005720000-0x0000000005A74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9069.tmp.cmd

MD5 bb7c08ea7749cb0b92b3ad665aade848
SHA1 df15a354a25fbd5cf5726ff9e64bb641ed6d1e09
SHA256 43bf31aff72d16b2d09e8346c8060c35987916a72aafd65e244dae105e09e22b
SHA512 6b89b9c65a76a58bcbc267a94b9d419c8780bf84928a4d29652e4330315afc594ee87332076768c70af4bb3e46192244de87aca5ebf034a44a15fc030d45ac0b
