Malware Analysis Report

2025-06-15 20:06

Sample ID 240515-mnj3vsde86
Target 62deef167c5cb95c907dd65550e619ffc6dfa504cde7b4c1e6102bd48f800210
SHA256 62deef167c5cb95c907dd65550e619ffc6dfa504cde7b4c1e6102bd48f800210
Tags agenttesla execution keylogger spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 62deef167c5cb95c907dd65550e619ffc6dfa504cde7b4c1e6102bd48f800210

Threat Level: Known bad

The file 62deef167c5cb95c907dd65550e619ffc6dfa504cde7b4c1e6102bd48f800210 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads data files stored by FTP clients

Checks computer location settings

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 10:36

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 10:36

Reported

2024-05-15 10:39

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2932 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2932 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 2932 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 2932 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 2932 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 2932 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 2932 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 2932 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 2932 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 2932 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe

"C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\isgjyvIx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\isgjyvIx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A71.tmp"

C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe

"C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp3A71.tmp

MD5 ed389962ae3e4b99bd023bccd88b239d
SHA1 b7a88925d8bca29133a5d4556abea796d70a612e
SHA256 49777157ad04bfb29ca21688f56d3e288cfaf047cb1d8e0a6094e4ad50b4838b
SHA512 1dbb68a9a53a4d49adcb23e4105aaed64edb8ceb835da5791014ce8fc4bec3dca42f0375dd84dcfaabffad6f9e2a18df5aa7b02c1c53c4cc055214f5d88a62aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 29b35910405a9c15379d786092756924
SHA1 d5abd3223592f3975eab8e3843a8ff836ea6773c
SHA256 32a4e6e649c04d5c2ea7049768d5423adfc3bc6fd15289816be6e50ebbad47b1
SHA512 2ea48f3a3f3514c397c44527f3dbc399bd761420acdbe131042d1f9748175296247691c83e67107f6b0bd48aa9e6f36d98ec6129b4f2fab8a7033a44f0374c84

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 10:36

Reported

2024-05-15 10:39

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1420 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 5008 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1420 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1420 wrote to memory of 1872 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1420 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 1420 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 1420 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 1420 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 1420 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 1420 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 1420 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
PID 1420 wrote to memory of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe

"C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\isgjyvIx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\isgjyvIx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp59D8.tmp"

C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe

"C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 2.17.107.114:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 114.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 us2.smtp.mailhostbox.com udp
US 208.91.198.143:587 us2.smtp.mailhostbox.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 208.91.199.224:587 us2.smtp.mailhostbox.com tcp
US 208.91.199.223:587 us2.smtp.mailhostbox.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 208.91.199.225:587 us2.smtp.mailhostbox.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp59D8.tmp

MD5 60f233802fd12e526c4bc002ae4a26fb
SHA1 53c6052d10bf5f067f6b7ded2b0b32f0c2abc11e
SHA256 61422ef1eb0f120e02ee950c98ce90d2e90731a82e7e6cba0e2c2a6e8f8869c9
SHA512 8d681696bc73e8c9879ebf544d8f14b51db924ec26416542ffa3b3525fc7fa70af23c7b46a2eb4aed7fda5dc6a51eeb034103f304d9cdbd90ac6dbb7cb77be75

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yiwqyco.y25.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 94fb35345af29db03fe090e25efc881a
SHA1 0665b8c6c3e4938624c7a6a9ef84cd7265021cdb
SHA256 9a14b1a255eeb0deb3bca64ce116dfcb8b839699ceeee4fcc171c216f1aab818
SHA512 06b81c842bdb07a8d7bb6fe8ae1bf6e352a96fbbe37ea1237a5becc067a99b7a3a0a0965b8ac27dc74c6fe66d71edaab104fc0d7d860bf7958ab26cb8c0e4399
