Malware Analysis Report

2024-10-23 21:59

Sample ID 240612-b9c1wsybme
Target e172f5cd5700b349657590bde58183700a464e7fa150183378c6ba654dfba52e
SHA256 e172f5cd5700b349657590bde58183700a464e7fa150183378c6ba654dfba52e
Tags
agenttesla execution keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e172f5cd5700b349657590bde58183700a464e7fa150183378c6ba654dfba52e

Threat Level: Known bad

The file e172f5cd5700b349657590bde58183700a464e7fa150183378c6ba654dfba52e was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 01:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 01:50

Reported

2024-06-12 01:52

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2056 set thread context of 2696 N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2056 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2056 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe C:\Windows\SysWOW64\schtasks.exe
PID 2056 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe

"C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zJoXBQrXUF.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zJoXBQrXUF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp73B9.tmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 01:50

Reported

2024-06-12 01:52

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4524 set thread context of 728 N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4524 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4524 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe C:\Windows\SysWOW64\schtasks.exe
PID 4524 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4524 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe

"C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\HSBCswift.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zJoXBQrXUF.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zJoXBQrXUF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp8A3E.tmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_munqzhxl.uif.ps1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
