Malware Analysis Report

2025-08-10 19:54

Sample ID 250703-gnaljat1bs
Target 84841ca4ae117d3cd871f5db0cd89967d2f8d7b170dd02c777a5e5011b1b3c4e
SHA256 84841ca4ae117d3cd871f5db0cd89967d2f8d7b170dd02c777a5e5011b1b3c4e
Tags vipkeylogger collection discovery execution keylogger spyware stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

84841ca4ae117d3cd871f5db0cd89967d2f8d7b170dd02c777a5e5011b1b3c4e

Threat Level: Known bad

The file 84841ca4ae117d3cd871f5db0cd89967d2f8d7b170dd02c777a5e5011b1b3c4e was found to be: Known bad.

Malicious Activity Summary

vipkeylogger collection discovery execution keylogger spyware stealer

Vipkeylogger family

VIPKeylogger

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of local email clients

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:56

Reported

2025-07-03 05:59

Platform

win10v2004-20250610-en

Max time kernel

128s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A reallyfreegeoip.org N/A N/A
N/A checkip.dyndns.org N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3720 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3720 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe C:\Windows\SysWOW64\schtasks.exe
PID 3720 wrote to memory of 6064 N/A C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe

"C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dolguW.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dolguW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83C6.tmp"

C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe

"C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.80.1:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp83C6.tmp

MD5 aacbb6667a2b0f67c1023bc4886f64d2
SHA1 e00410b85010bac2027893d3a1430d73c5aff998
SHA256 7960066328fb08c0307836a26b082eb26a03228a149eb260ec493e0e69538551
SHA512 ebac566b916f0eeffc204e1e4f88b8eb0f1578af5546bf07d6db0cc830b3e463289242151921984d95c8edc15266bb63a3d4cfaae75fb161bbb7b273df0f2927

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qyvjrs3.ire.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-03 05:56

Reported

2025-07-03 05:59

Platform

win11-20250619-en

Max time kernel

124s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A
Key opened \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A
Key opened \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A
N/A reallyfreegeoip.org N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 608 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 608 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe C:\Windows\SysWOW64\schtasks.exe
PID 608 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe

"C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dolguW.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dolguW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD968.tmp"

C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe

"C:\Users\Admin\AppData\Local\Temp\kindly quote your best price for the listed goods..exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
DE 193.122.6.168:80 checkip.dyndns.org tcp
US 104.21.32.1:443 reallyfreegeoip.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 52.111.227.13:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpD968.tmp

MD5 3c5d9dd693d3bde2771097d6fe1e4897
SHA1 e537a0d02dc03f7f6282382e844a9f99c2474f15
SHA256 6fb3caa500d4e269aa31c01d5a585a29de17bc6ebe9da8845504ce00862bf204
SHA512 fdd9b6a7468605d17214c5357956dcbf73b4f3d090653cf00a14113e1bb1fc555647175086d23762db2443ffc00f91a13741a3e7ad449636e32908d358421573

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5aupaspy.bmm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
