Analysis Overview
SHA256
137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba
Threat Level: Known bad
The file 137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Checks computer location settings
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:38
Reported
2024-06-04 01:40
Platform
win7-20240221-en
Max time kernel
139s
Max time network
153s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe
"C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe"
Network
| Country | Destination | Domain | Proto | Connections |
| US | 8.8.8.8:53 | nriinvestmentservices.com | udp | 1 |
| US | 209.90.232.242:443 | nriinvestmentservices.com | tcp | 156 |
Files
memory/2732-0-0x00000000743AE000-0x00000000743AF000-memory.dmp
memory/2732-1-0x0000000001190000-0x0000000001198000-memory.dmp
memory/2732-2-0x00000000743A0000-0x0000000074A8E000-memory.dmp
memory/2732-3-0x00000000743AE000-0x00000000743AF000-memory.dmp
memory/2732-4-0x00000000743A0000-0x0000000074A8E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:38
Reported
2024-06-04 01:40
Platform
win10v2004-20240508-en
Max time kernel
135s
Max time network
108s
Command Line
Signatures
AgentTesla
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Soumsvzff = "C:\\Users\\Admin\\AppData\\Roaming\\Soumsvzff.exe" | C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3236 set thread context of 804 | N/A | C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe | C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
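The four signatures above that carry indicators (Run key under HKCU pointing into AppData\Roaming, SetThreadContext from PID 3236 into PID 804 running the same image, an encoded PowerShell child, SeDebugPrivilege enabled by a binary in the user's Temp directory) are each a cheap host-side rule. The script below is an added example, not part of this report or of the sandbox: it encodes those four rules and runs them over a hand-constructed event list that mirrors the behavioral2 tables. The event schema, the user-writable path pattern, and the base64 placeholder after `-enc` are this example's own assumptions; the benign svchost Run value is included only to show the rule does not fire on an autostart under System32.

```python
"""Host-side triage rules for the behaviours in the signature tables above.

EVENTS is constructed by hand to mirror this report's behavioral2 run (Run key
under HKCU, SetThreadContext from PID 3236 into PID 804, encoded PowerShell
child, SeDebugPrivilege adjustments); it is not exported from the sandbox.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe")
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Directories an unprivileged user can write to (assumed pattern). A Run value
# or a privileged process living here is what separates this sample from
# vendor autostarts under Program Files or System32.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path.strip('"')))


def rule_run_key(ev: dict) -> Optional[Finding]:
    """Persistence: Run value whose target lives in a user-writable directory."""
    if ev["type"] != "registry_set" or not RUN_KEY.search(ev["key"]):
        return None
    if _user_writable(ev["value"]):
        name = ev["key"].rsplit("\\", 1)[-1]
        return Finding("persistence.run_key_user_writable", ev["pid"], f"{name} = {ev['value']}")
    return None


def rule_self_hollowing(ev: dict) -> Optional[Finding]:
    """Injection: SetThreadContext into a second process running the same image."""
    if ev["type"] != "set_thread_context" or ev["pid"] == ev["target_pid"]:
        return None
    if ev["image"].lower() == ev["target_image"].lower():
        return Finding("injection.set_thread_context_same_image", ev["pid"],
                       f"target pid {ev['target_pid']}")
    return None


def rule_encoded_powershell(ev: dict) -> Optional[Finding]:
    """Execution: powershell.exe launched with an encoded command."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("powershell.exe"):
        return None
    if ENCODED_FLAG.search(ev["cmdline"]):
        return Finding("execution.encoded_powershell", ev["pid"],
                       f"parent {ev['ppid']} {ev['parent_image']}")
    return None


def rule_sedebug(ev: dict) -> Optional[Finding]:
    """Privilege: SeDebugPrivilege enabled by a binary in a user-writable directory."""
    if ev["type"] != "adjust_privilege" or ev["privilege"] != "SeDebugPrivilege":
        return None
    if _user_writable(ev["image"]):
        return Finding("privilege.sedebug_from_user_dir", ev["pid"], ev["image"])
    return None


RULES: Tuple[Callable[[dict], Optional[Finding]], ...] = (
    rule_run_key, rule_self_hollowing, rule_encoded_powershell, rule_sedebug)


def triage(events: Iterable[dict]) -> List[Finding]:
    """Apply every rule to every event, in order, and collect the hits."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


# Constructed events (see module docstring). The base64 after -enc is a placeholder.
EVENTS = [
    {"type": "registry_set", "pid": 3236, "image": SAMPLE,
     "key": r"HKU\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Soumsvzff",
     "value": r"C:\Users\Admin\AppData\Roaming\Soumsvzff.exe"},
    {"type": "registry_set", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",   # benign control
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"type": "process_create", "pid": 1852, "ppid": 3236, "parent_image": SAMPLE,
     "image": POWERSHELL, "cmdline": f'"{POWERSHELL}" -enc ZQBjAGgAbwA='},
    {"type": "set_thread_context", "pid": 3236, "image": SAMPLE,
     "target_pid": 804, "target_image": SAMPLE},
    {"type": "adjust_privilege", "pid": 3236, "image": SAMPLE, "privilege": "SeDebugPrivilege"},
    {"type": "adjust_privilege", "pid": 1852, "image": POWERSHELL, "privilege": "SeDebugPrivilege"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.rule:42} pid={f.pid:<5} {f.detail}")
```

Run against the constructed events this yields four findings, all attributable to the sample's process tree, and none for the svchost autostart or for the PowerShell child's own SeDebugPrivilege call (its image is under SysWOW64, so the privilege rule alone is not enough; the encoded-command rule is what catches that child). The same-image SetThreadContext rule is the one worth keeping on a real EDR: a .NET loader that relaunches its own file suspended and overwrites it matches the memory picture in the Files section below, where PID 804 has a fresh 0x400000-0x440000 image region.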
Processes
C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe
"C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc [encoded command not preserved in this copy of the report]
C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe
"C:\Users\Admin\AppData\Local\Temp\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nriinvestmentservices.com | udp |
| US | 209.90.232.242:443 | nriinvestmentservices.com | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.232.90.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.ba-theatre.com | udp |
| GB | 83.170.121.166:587 | mail.ba-theatre.com | tcp |
| US | 8.8.8.8:53 | 166.121.170.83.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
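Most rows in the table above are detonation noise: PTR lookups the sandbox resolver makes for every peer, and Windows 10 background traffic to bing.com and bing.net. Only two destinations belong to the sample: nriinvestmentservices.com on 443 (the same host the Win7 run hammered) and mail.ba-theatre.com on 587, a mail-submission port, which is consistent with AgentTesla's well-documented SMTP exfiltration. The script below is an added example, not part of this report: it parses an excerpt of the table copied from above, drops the two noise classes, and emits the remaining destinations with a role per port. The allowlist of benign suffixes and the port-to-role mapping are this example's assumptions.

```python
"""Split this report's behavioral2 Network table into sandbox noise and IOCs.

REPORT_ROWS is an excerpt copied from the table above; the allowlist and the
port-to-role mapping are this example's own assumptions, not report data.
"""
from typing import Dict, List

# Excerpt of the behavioral2 Network table (Country | Destination | Domain | Proto).
REPORT_ROWS = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nriinvestmentservices.com | udp |
| US | 209.90.232.242:443 | nriinvestmentservices.com | tcp |
| US | 8.8.8.8:53 | 242.232.90.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | mail.ba-theatre.com | udp |
| GB | 83.170.121.166:587 | mail.ba-theatre.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
"""

# Assumed allowlist: Windows 10 background traffic seen in most detonations.
BENIGN_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com", ".windowsupdate.com")
# Assumed mapping from destination port to the role it plays for a stealer.
PORT_ROLE = {443: "https (c2 / payload download)",
             587: "smtp submission (credential exfil)"}


def parse_rows(text: str) -> List[Dict]:
    """Turn the pipe-delimited rows into dicts; skips header and malformed lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or ":" not in cells[1]:
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row: Dict) -> str:
    if row["domain"].endswith(".in-addr.arpa"):
        return "reverse-dns-noise"      # resolver looking up PTRs for every peer
    if row["domain"].endswith(BENIGN_SUFFIXES):
        return "os-background"
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns-query"              # the lookup that precedes a real connection
    return "ioc"


def extract_iocs(text: str) -> List[Dict]:
    """Unique (domain, ip, port) triples the sample actually connected to, with roles."""
    seen = set()
    iocs = []
    for row in parse_rows(text):
        if classify(row) != "ioc":
            continue
        key = (row["domain"], row["ip"], row["port"])
        if key in seen:
            continue
        seen.add(key)
        iocs.append({**row, "role": PORT_ROLE.get(row["port"], "unknown")})
    return iocs


def summarize(text: str) -> Dict[str, int]:
    """How many table rows fell into each class; useful to sanity-check the allowlist."""
    counts: Dict[str, int] = {}
    for row in parse_rows(text):
        c = classify(row)
        counts[c] = counts.get(c, 0) + 1
    return counts


if __name__ == "__main__":
    for ioc in extract_iocs(REPORT_ROWS):
        print(f"{ioc['domain']:28} {ioc['ip']}:{ioc['port']:<4} {ioc['role']}")
    print(summarize(REPORT_ROWS))
```

The dns-query class is kept separate from noise on purpose: a DNS lookup for an IOC domain that is never followed by a TCP connection (as happens when a C2 is already sinkholed) is still worth blocking, so a hunting query should take the domain from either class. Note also that the Win7 run above never reached the mail server, so an analyst relying on a single platform would have missed the exfiltration endpoint.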
Files
memory/3236-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp
memory/3236-1-0x0000000000330000-0x0000000000338000-memory.dmp
memory/3236-2-0x0000000074A10000-0x00000000751C0000-memory.dmp
memory/3236-3-0x0000000007230000-0x0000000007460000-memory.dmp
memory/3236-4-0x0000000007A10000-0x0000000007FB4000-memory.dmp
memory/3236-5-0x0000000007600000-0x0000000007692000-memory.dmp
memory/3236-6-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-11-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-39-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-55-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-37-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-63-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-59-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-57-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-53-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-51-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-49-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-47-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-45-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-43-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-41-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-35-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-31-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-29-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-27-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-25-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-23-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-33-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-21-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-19-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-15-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-13-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-9-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-7-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-17-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-69-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-67-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-65-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-61-0x0000000007230000-0x000000000745B000-memory.dmp
memory/3236-4892-0x0000000074A10000-0x00000000751C0000-memory.dmp
memory/3236-4893-0x0000000005E20000-0x0000000005E8C000-memory.dmp
memory/3236-4894-0x0000000005B40000-0x0000000005B8C000-memory.dmp
memory/3236-4895-0x0000000074A1E000-0x0000000074A1F000-memory.dmp
memory/3236-4896-0x0000000074A10000-0x00000000751C0000-memory.dmp
memory/3236-4897-0x0000000000730000-0x0000000000784000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\137b8f424459d79eb580d20bf9e09d90f2a68d37f2303982c8813165ebf12dba.exe.log
| MD5 | f3eb81974dc5933681e933f07209ff5f |
| SHA1 | 7af8cae0f1d03e82daaf784df9886705685baac7 |
| SHA256 | e82069884dd428bd6a1c67fe00c5fa56f9c4d62b538b694694a699588f1f4ab2 |
| SHA512 | d9aa3871dffb76c8a73a7940fa03bbc9b65cf575cbd07f7c1fbf490cb0f3d670415eaef0bf79e34689f61ab3cdfbb104efdef004becc12e54b501f02f948aaff |
memory/1852-4907-0x0000000074A10000-0x00000000751C0000-memory.dmp
memory/3236-4905-0x0000000074A10000-0x00000000751C0000-memory.dmp
memory/804-4908-0x0000000005740000-0x00000000057A6000-memory.dmp
memory/1852-4904-0x0000000004C50000-0x0000000005278000-memory.dmp
memory/1852-4903-0x00000000025C0000-0x00000000025F6000-memory.dmp
memory/804-4902-0x0000000000400000-0x0000000000440000-memory.dmp
memory/804-4906-0x0000000074A10000-0x00000000751C0000-memory.dmp
memory/804-4909-0x0000000074A10000-0x00000000751C0000-memory.dmp
memory/1852-4916-0x00000000054C0000-0x0000000005526000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbtz23mh.c2t.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1852-4910-0x0000000005420000-0x0000000005442000-memory.dmp
memory/1852-4921-0x00000000056A0000-0x00000000059F4000-memory.dmp
memory/1852-4922-0x0000000005B80000-0x0000000005B9E000-memory.dmp
memory/1852-4923-0x0000000005BB0000-0x0000000005BFC000-memory.dmp
memory/1852-4924-0x0000000006150000-0x0000000006182000-memory.dmp
memory/1852-4925-0x0000000070D40000-0x0000000070D8C000-memory.dmp
memory/1852-4935-0x0000000006B40000-0x0000000006B5E000-memory.dmp
memory/1852-4936-0x0000000006B70000-0x0000000006C13000-memory.dmp
memory/1852-4937-0x00000000074E0000-0x0000000007B5A000-memory.dmp
memory/1852-4938-0x0000000006EA0000-0x0000000006EBA000-memory.dmp
memory/1852-4939-0x0000000006F10000-0x0000000006F1A000-memory.dmp
memory/1852-4940-0x0000000007120000-0x00000000071B6000-memory.dmp
memory/1852-4941-0x00000000070A0000-0x00000000070B1000-memory.dmp
memory/1852-4942-0x00000000070D0000-0x00000000070DE000-memory.dmp
memory/1852-4943-0x00000000070E0000-0x00000000070F4000-memory.dmp
memory/1852-4944-0x00000000071E0000-0x00000000071FA000-memory.dmp
memory/1852-4945-0x00000000071C0000-0x00000000071C8000-memory.dmp
memory/804-4946-0x0000000006560000-0x00000000065B0000-memory.dmp
memory/804-4947-0x0000000006650000-0x00000000066EC000-memory.dmp
memory/1852-4950-0x0000000074A10000-0x00000000751C0000-memory.dmp
memory/804-4951-0x0000000006940000-0x000000000694A000-memory.dmp
memory/804-4952-0x0000000074A10000-0x00000000751C0000-memory.dmp