Malware Analysis Report

2024-10-19 09:23

Sample ID: 240612-cj62qaydmf
Target: 7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0
SHA256: 7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0
Tags: agenttesla execution keylogger spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0

Threat Level: Known bad

The file 7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads data files stored by FTP clients

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Checks computer location settings

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Analysis: static1

Detonation Overview

Reported: 2024-06-12 02:07

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 02:07
Reported: 2024-06-12 02:09
Platform: win7-20240508-en
Max time kernel: 121s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe"

Signatures

AgentTesla (keylogger trojan stealer spyware agenttesla)

Command and Scripting Interpreter: PowerShell (execution)

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads WinSCP keys stored on the system (spyware stealer)

Reads data files stored by FTP clients (spyware stealer)

Reads user/profile data of local email clients (spyware stealer)

Reads user/profile data of web browsers (spyware stealer)

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 788 wrote to memory of 292 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 788 wrote to memory of 2752 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 788 wrote to memory of 2772 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe C:\Windows\SysWOW64\schtasks.exe
PID 788 wrote to memory of 2664 (9 identical events) N/A C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe
  "C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qpzpDEsx.exe"

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qpzpDEsx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55FC.tmp"

C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe
  "C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp55FC.tmp

MD5 9a0b38c515f75b378cf01eaf0e277b66
SHA1 0e3dd7ee395a95703beb445943fadfe459ab4050
SHA256 16d02fae2393634578b1762902c656cd5bd99eb1293f12a86688b123da740e40
SHA512 ffa2fa3a3729bd68f0a45ea03fe5b3e99a90b58a91832838482a718218e9b983d0e448adb7027dade633e78cbc0bff4541e3980aea1c32d54809e5839b519027

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 332146a00633fc6fcab225570a4da16f
SHA1 3a816900e6c58432ce5cf5f95db1fb838d38547e
SHA256 8ac7bb3a34c7fc7e8955a72d8a1a14020b7fa6684949de39dba293101cef5675
SHA512 38e8d4a084f3041887b05d5447bfa0f0ceba8c58809d353ab18e83a491b95063b7da26a117f81f4b3ae1639c74210928d19ba1d4ed97da93d6fa0e6d58293e47

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 02:07
Reported: 2024-06-12 02:09
Platform: win10v2004-20240611-en
Max time kernel: 118s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe"

Signatures

AgentTesla (keylogger trojan stealer spyware agenttesla)

Command and Scripting Interpreter: PowerShell (execution)

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe N/A

Reads WinSCP keys stored on the system (spyware stealer)

Reads data files stored by FTP clients (spyware stealer)

Reads user/profile data of local email clients (spyware stealer)

Reads user/profile data of web browsers (spyware stealer)

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 1700 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 1544 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2376 wrote to memory of 4688 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe C:\Windows\SysWOW64\schtasks.exe
PID 2376 wrote to memory of 4528 (8 identical events) N/A C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe
  "C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1304,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qpzpDEsx.exe"

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qpzpDEsx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp904.tmp"

C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe
  "C:\Users\Admin\AppData\Local\Temp\7efd88b728d661a7ea183093cb30e3e6614b8bbd38567177c89e13ba578eb0e0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 mail.commtechtrading.com udp
US 173.236.63.6:587 mail.commtechtrading.com tcp
US 8.8.8.8:53 6.63.236.173.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp904.tmp

MD5 2ba2fd3bf6fb1857b4f62055d667a591
SHA1 5613a404e3ada97ec5dc5abdaa84890f793f51bb
SHA256 4b2ae66ce50da3cd7cab8f88d6de911bf8e6952e8e0d280132fe21ef46c66e4f
SHA512 67d5916d00290fca6afd400b33ac8e1e14aab00262cbce5824941065bfc41d4f86f5bf46cf0bcf73d91019f0cd391290a87694e8eeb5dc43c6d5a80135ddee56

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wt5qlyy3.asc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2f0ad3fcf1ce2a25641ec2fb96c1cf71
SHA1 ca6c83bbe9083ec297a0024913c469b9f527c810
SHA256 346188f0869e01a52d9dd5a720a211a724ce5b8db8d0c97eb691360aa6bb7083
SHA512 19ab1d6900cff1a3c182a043eb74fe6d64d1020bbedb3bb7d83e09ae4bac62a23a0f248eb6f5bcb265d7c5a3fe375e3411695590044344f2ec9e59114b65f3bd
