agenttesla | a12c65ad23f195521f525ed905373f22fe0853c1e1fcfb317056d81051e6e532

Analysis

max time kernel
101s
max time network
122s
platform
windows10_x64
resource
win10v20201028
submitted
25-01-2021 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Size

2.2MB
MD5

5ff5bbb9fd1f1d3a586ad9bea10a9773
SHA1

1426737ae0a2039a85e9683aad4e1fc6b2d5a27b
SHA256

a12c65ad23f195521f525ed905373f22fe0853c1e1fcfb317056d81051e6e532
SHA512

aa21b5424ff194d35552e25a64a96d29c50229bc2281964a62c82069f38e956592d4099e99e682c859d9ab36165c80bf63b26dac11e9c7d1ca1ec63c84a547fe

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.newviking.com.my
Port:
587
Username:
[email protected]
Password:
{&SgX:^(7m

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe\""	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4208-75-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/4208-76-0x000000000043763E-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Drops startup file 2 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Administrator Rights = "C:\\Users\\Admin\\AppData\\Roaming\\Administrator Rights\\Administrator Rights.exe"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid	process
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	pid	process	target process
PID 580 set thread context of 2488	580	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 2488 set thread context of 4208	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4292 2488 WerFault.exe RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2224 timeout.exe

pid	pid_target	process	target process
4292	2488	WerFault.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid	process
2224	timeout.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid	process
3260	powershell.exe
3288	powershell.exe
1392	powershell.exe
2892	powershell.exe
3260	powershell.exe
3288	powershell.exe
1392	powershell.exe
2892	powershell.exe
1392	powershell.exe
3260	powershell.exe
3288	powershell.exe
2892	powershell.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
4208	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
4208	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid process

4208 RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid	process
4208	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exepowershell.exepowershell.exepowershell.exepowershell.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	pid	process
Token: SeDebugPrivilege	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	4208	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.execmd.exe

description	pid	process	target process
PID 580 wrote to memory of 2488	580	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 580 wrote to memory of 2488	580	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 580 wrote to memory of 2488	580	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 580 wrote to memory of 2488	580	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 580 wrote to memory of 2488	580	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 580 wrote to memory of 2488	580	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 580 wrote to memory of 2488	580	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 580 wrote to memory of 2488	580	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 2488 wrote to memory of 3260	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 3260	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 3260	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 3288	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 3288	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 3288	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 2892	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 2892	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 2892	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 1392	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 1392	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 1392	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 2488 wrote to memory of 2576	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	cmd.exe
PID 2488 wrote to memory of 2576	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	cmd.exe
PID 2488 wrote to memory of 2576	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	cmd.exe
PID 2576 wrote to memory of 2224	2576	cmd.exe	timeout.exe
PID 2576 wrote to memory of 2224	2576	cmd.exe	timeout.exe
PID 2576 wrote to memory of 2224	2576	cmd.exe	timeout.exe
PID 2488 wrote to memory of 4208	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 2488 wrote to memory of 4208	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 2488 wrote to memory of 4208	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 2488 wrote to memory of 4208	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 2488 wrote to memory of 4208	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 2488 wrote to memory of 4208	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 2488 wrote to memory of 4208	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 2488 wrote to memory of 4208	2488	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"
2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:2224

C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 2252
3⤵
- Program crash
PID:4292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe.log
MD5
4d710ca9c563bbb76bb29b87d5d64282

SHA1
2b1271f68a5d18e1c1bb08800a9cc9464e8a81ad

SHA256
6c7ac5cff014a13315b8813524bbd14471f1ab7aac691be94d4d4f28e4cd2de4

SHA512
873c9ee04e4f8d23f8cf90ffea89a362e8eda43c0cfc6bb47442f93e0add8794c004081350cfbd7cfaed6d101582287b26a00951d4019dfb466f21514e5d90d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d8df4ce7fe789d3c8b5a9c7b633076b4

SHA1
f67b93bd98426cfdc0931b77009c1272f01ea600

SHA256
d0ab3fee3200d63a4dc4742f4027d19d80f2c3515a912ee841b0a956de0d2325

SHA512
9fe24094b522ab48967f8fb6091f29b0c9b40be995cc9ec5ae1d10b3b9885e8ceef73562ec73ad876854928fad3e614680d9c50109b18aae80d5c1cf8b63b046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e810aa377f3bd2819edd68d4c3c8d924

SHA1
9bb3cc5f73677f1ceec2d81376a02a5f930e0de1

SHA256
3c9dd878eeddd76dfea79f3e50dffce95909537382087e1ddda73f539844e7db

SHA512
1b4cc7cff3d7d37bc5cb2f9d9e24dddc09a56b2d7cecc22d25d57a1a5010ed7fb4103c400c960e332adc79cc40a8c0ceb10b72df880992c56b011d352f87f1fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d1e28b58986ebe382b8f59ef5470e4bd

SHA1
24d9cf397426b218394c10b8798a5885385f97b0

SHA256
fffafec0b796e5c0fd2b0312188dbe456a2537c03cb64ca539676bdcb5f48bd3

SHA512
a4bbf03145aa999b0799ccc6cbfab249bde9fca47d8d7bec1dd099da75350a2add101f9c846d2ec3613c268c2ab4747626a3fa2e81ef246fb9c02d8ea1de1912

Download Submit
memory/580-19-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/580-7-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/580-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/580-9-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/580-8-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/580-3-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/580-5-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/580-6-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1392-29-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1392-71-0x0000000008530000-0x0000000008531000-memory.dmp

Filesize
4KB

Download
memory/1392-23-0x0000000000000000-mapping.dmp

Download
memory/1392-50-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/1392-132-0x0000000004AA3000-0x0000000004AA4000-memory.dmp

Filesize
4KB

Download
memory/1392-128-0x00000000097D0000-0x00000000097D1000-memory.dmp

Filesize
4KB

Download
memory/1392-111-0x00000000085D0000-0x00000000085D1000-memory.dmp

Filesize
4KB

Download
memory/1392-53-0x0000000004AA2000-0x0000000004AA3000-memory.dmp

Filesize
4KB

Download
memory/1392-110-0x000000007F530000-0x000000007F531000-memory.dmp

Filesize
4KB

Download
memory/1392-116-0x00000000095F0000-0x00000000095F1000-memory.dmp

Filesize
4KB

Download
memory/1392-65-0x0000000008230000-0x0000000008231000-memory.dmp

Filesize
4KB

Download
memory/1392-87-0x00000000092C0000-0x00000000092F3000-memory.dmp

Filesize
204KB

Download
memory/2224-62-0x0000000000000000-mapping.dmp

Download
memory/2488-11-0x000000001005266E-mapping.dmp

Download
memory/2488-38-0x0000000006930000-0x0000000006931000-memory.dmp

Filesize
4KB

Download
memory/2488-18-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/2488-13-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/2488-10-0x0000000010000000-0x0000000010058000-memory.dmp

Filesize
352KB

Download
memory/2576-47-0x0000000000000000-mapping.dmp

Download
memory/2892-55-0x0000000007262000-0x0000000007263000-memory.dmp

Filesize
4KB

Download
memory/2892-123-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2892-22-0x0000000000000000-mapping.dmp

Download
memory/2892-46-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/2892-144-0x0000000009A70000-0x0000000009A71000-memory.dmp

Filesize
4KB

Download
memory/2892-135-0x0000000007263000-0x0000000007264000-memory.dmp

Filesize
4KB

Download
memory/2892-28-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/3260-136-0x0000000009A20000-0x0000000009A21000-memory.dmp

Filesize
4KB

Download
memory/3260-27-0x0000000007910000-0x0000000007911000-memory.dmp

Filesize
4KB

Download
memory/3260-20-0x0000000000000000-mapping.dmp

Download
memory/3260-49-0x0000000008090000-0x0000000008091000-memory.dmp

Filesize
4KB

Download
memory/3260-24-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/3260-40-0x0000000004CB2000-0x0000000004CB3000-memory.dmp

Filesize
4KB

Download
memory/3260-39-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/3260-115-0x000000007E750000-0x000000007E751000-memory.dmp

Filesize
4KB

Download
memory/3260-63-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

Filesize
4KB

Download
memory/3260-133-0x0000000004CB3000-0x0000000004CB4000-memory.dmp

Filesize
4KB

Download
memory/3260-41-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/3260-25-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/3288-52-0x0000000006E42000-0x0000000006E43000-memory.dmp

Filesize
4KB

Download
memory/3288-26-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/3288-42-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/3288-119-0x000000007F390000-0x000000007F391000-memory.dmp

Filesize
4KB

Download
memory/3288-134-0x0000000006E43000-0x0000000006E44000-memory.dmp

Filesize
4KB

Download
memory/3288-36-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/3288-21-0x0000000000000000-mapping.dmp

Download
memory/4208-75-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4208-77-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/4208-82-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4208-76-0x000000000043763E-mapping.dmp

Download
memory/4208-156-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4208-160-0x0000000005111000-0x0000000005112000-memory.dmp

Filesize
4KB

Download
memory/4292-83-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download