Malware Analysis Report

2025-08-05 09:59

Sample ID 240403-x53lmsag49
Target SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe
SHA256 24798002b81be4c9b37539e1abea61cccb014cbd427fe1a27d6822e1ffedc7d9
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

24798002b81be4c9b37539e1abea61cccb014cbd427fe1a27d6822e1ffedc7d9

Threat Level: Known bad

The file SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Checks computer location settings

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 19:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 19:27

Reported

2024-04-03 19:29

Platform

win7-20240221-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe C:\Windows\SysWOW64\schtasks.exe
PID 2176 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aKEhifRzA.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aKEhifRzA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3978.tmp"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RDTC81IJP43ICD6REH3H.temp

MD5 e42912c3d64a3b6821e0cbdc23f14f79
SHA1 e21d58dd1f81b47d61666e6efa1d660fc7993634
SHA256 3bcfc9ea2b6f4b394571b31847ca69b2cbc6d2837f34fb5f98a2dfffee666816
SHA512 1599c6a948e899a0d65e59800c124c54966bead910e6163597a3c83ad7264f6640192ccc420827f2f5c1bdfc0af0b199ba6141fb8a8612c922857b429ada7ff8

C:\Users\Admin\AppData\Local\Temp\tmp3978.tmp

MD5 146ea0b5420fb8223052b50cb66a4774
SHA1 9b428d0dd752031218d60db276a6b2a2989c6b0a
SHA256 69c83d3714538b6ebcf675a562eb4360b235aa97d6c65a7d108c13da52faad28
SHA512 39d4b6e60fd05e4b8723ff1ca3223a00915962b65c4cd0d86d4d0aafa23d4d3bf2e659430eca75493f8754f7f8f45fdd86ac66b34c0de8f1f1310a897dac73ac

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 19:27

Reported

2024-04-03 19:29

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1092 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 3240 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1092 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe C:\Windows\SysWOW64\schtasks.exe
PID 1092 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aKEhifRzA.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aKEhifRzA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A6.tmp"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.30548.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.86.19.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 us2.smtp.mailhostbox.com udp
US 208.91.199.223:587 us2.smtp.mailhostbox.com tcp
US 8.8.8.8:53 223.199.91.208.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp8A6.tmp

MD5 206e04a333d2be1bf67fe3bd9a52b664
SHA1 4778846a3ce3ee048ff54f7de1a4582d2734338a
SHA256 98ebea6b43ff193f259742a70c21dc59966a58d2ee0c33e78d852b5f5232bbb2
SHA512 24c5fc57692452c244f98660ec0618b6efe390858f2defcb530869f12ed01de5178a13e92516a79a13b15fd6adfa813bb78ef0e90fc5cbc1bb985ea85458c6ff

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lbyrrejd.34r.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
