Malware Analysis Report

2024-12-07 16:02

Sample ID: 241113-qq36aswlck
Target: 36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5
SHA256: 36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5
Tags: discovery, execution
Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file 36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5 was found to be: Likely malicious.

Malicious Activity Summary

discovery execution

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

Drops startup file

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: AddClipboardFormatListener

Analysis: static1

Detonation Overview

Reported: 2024-11-13 13:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 13:28
Reported: 2024-11-13 13:31
Platform: win7-20241010-en
Max time kernel: 121s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2636 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe C:\Windows\SysWOW64\schtasks.exe
PID 2636 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
PID 2636 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe

"C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 13:33 /du 23:59 /sc daily /ri 1 /f

C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe

"C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDF2.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 6

Network

N/A

Files

memory/2636-0-0x000000007468E000-0x000000007468F000-memory.dmp

memory/2636-1-0x00000000012C0000-0x00000000012FE000-memory.dmp

\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe

MD5 50d015016f20da0905fd5b37d7834823
SHA1 6c39c84acf3616a12ae179715a3369c4e3543541
SHA256 36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5
SHA512 55f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc

memory/3028-10-0x0000000000D50000-0x0000000000D8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBDF2.tmp.cmd

MD5 76b98eaa3efc2484fcf21c3cf8c96a1b
SHA1 52b8ad57e6d2cc1bcfa818e26dfbb413e1a16ac2
SHA256 899b31cc77f1161893ad0064ca0f2e852d62d01d38da821a143f78c5781e25b4
SHA512 eedeeec32fa93b26362412e56ad206774e6ec7cfb9f8a98ac4a276e74530dc602f65a909a2f23480f15b7decfc8c2193ff2b8c1b9ede37d00fc25f041a6c8a1e

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-13 13:28
Reported: 2024-11-13 13:31
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4484 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4484 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe C:\Windows\SysWOW64\schtasks.exe
PID 4484 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
PID 4484 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe C:\Windows\SysWOW64\cmd.exe
PID 528 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe

"C:\Users\Admin\AppData\Local\Temp\36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 13:34 /du 23:59 /sc daily /ri 1 /f

C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe

"C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA46E.tmp.cmd""

C:\Windows\SysWOW64\timeout.exe

timeout 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe

MD5 50d015016f20da0905fd5b37d7834823
SHA1 6c39c84acf3616a12ae179715a3369c4e3543541
SHA256 36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5
SHA512 55f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc

memory/4972-19-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

memory/4972-20-0x0000000004F70000-0x0000000004FD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wx0g10bm.4fp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4972-26-0x00000000058A0000-0x0000000005906000-memory.dmp

memory/2096-38-0x0000000074D70000-0x0000000075520000-memory.dmp

memory/4972-37-0x0000000005A10000-0x0000000005D64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA46E.tmp.cmd

MD5 06150987c8e237fa402481b7ae512af2
SHA1 6f7d9a112980748d6b9bdaeeba6fd93116f41df3
SHA256 f2e52c18d9f592f8a52e2d2fd33a691b80f71c9f07c96a4cd707f64fd099188e
SHA512 520827125a0478dc2a55d1c28eec25a7bade0b68b17da5a1c83e83c159d4ced88d53b83f4a726d77c9721aac4a9404ace6ddbd14204743aea5d177b454b9806f
