agenttesla | a12c65ad23f195521f525ed905373f22fe0853c1e1fcfb317056d81051e6e532

Analysis

max time kernel
102s
max time network
107s
platform
windows10_x64
resource
win10v20201028
submitted
25-01-2021 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Size

2.2MB
MD5

5ff5bbb9fd1f1d3a586ad9bea10a9773
SHA1

1426737ae0a2039a85e9683aad4e1fc6b2d5a27b
SHA256

a12c65ad23f195521f525ed905373f22fe0853c1e1fcfb317056d81051e6e532
SHA512

aa21b5424ff194d35552e25a64a96d29c50229bc2281964a62c82069f38e956592d4099e99e682c859d9ab36165c80bf63b26dac11e9c7d1ca1ec63c84a547fe

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.newviking.com.my
Port:
587
Username:
[email protected]
Password:
{&SgX:^(7m

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe\""	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4620-75-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/4620-76-0x000000000043763E-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Drops startup file 2 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Administrator Rights = "C:\\Users\\Admin\\AppData\\Roaming\\Administrator Rights\\Administrator Rights.exe"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid	process
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	pid	process	target process
PID 4768 set thread context of 3808	4768	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 3808 set thread context of 4620	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

212 3808 WerFault.exe RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4548 timeout.exe

pid	pid_target	process	target process
212	3808	WerFault.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid	process
4548	timeout.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid	process
856	powershell.exe
1076	powershell.exe
4352	powershell.exe
508	powershell.exe
508	powershell.exe
4352	powershell.exe
1076	powershell.exe
856	powershell.exe
1076	powershell.exe
4352	powershell.exe
508	powershell.exe
856	powershell.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
4620	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
4620	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid process

4620 RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid	process
4620	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exepowershell.exepowershell.exepowershell.exepowershell.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	pid	process
Token: SeDebugPrivilege	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	4620	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.execmd.exe

description	pid	process	target process
PID 4768 wrote to memory of 3808	4768	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 4768 wrote to memory of 3808	4768	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 4768 wrote to memory of 3808	4768	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 4768 wrote to memory of 3808	4768	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 4768 wrote to memory of 3808	4768	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 4768 wrote to memory of 3808	4768	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 4768 wrote to memory of 3808	4768	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 4768 wrote to memory of 3808	4768	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 3808 wrote to memory of 4352	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 4352	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 4352	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 508	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 508	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 508	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 856	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 856	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 856	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 1076	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 1076	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 1076	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 3808 wrote to memory of 4080	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	cmd.exe
PID 3808 wrote to memory of 4080	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	cmd.exe
PID 3808 wrote to memory of 4080	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	cmd.exe
PID 4080 wrote to memory of 4548	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4548	4080	cmd.exe	timeout.exe
PID 4080 wrote to memory of 4548	4080	cmd.exe	timeout.exe
PID 3808 wrote to memory of 4620	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 3808 wrote to memory of 4620	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 3808 wrote to memory of 4620	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 3808 wrote to memory of 4620	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 3808 wrote to memory of 4620	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 3808 wrote to memory of 4620	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 3808 wrote to memory of 4620	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 3808 wrote to memory of 4620	3808	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"
2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:4548

C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 2332
3⤵
- Program crash
PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe.log
MD5
4d710ca9c563bbb76bb29b87d5d64282

SHA1
2b1271f68a5d18e1c1bb08800a9cc9464e8a81ad

SHA256
6c7ac5cff014a13315b8813524bbd14471f1ab7aac691be94d4d4f28e4cd2de4

SHA512
873c9ee04e4f8d23f8cf90ffea89a362e8eda43c0cfc6bb47442f93e0add8794c004081350cfbd7cfaed6d101582287b26a00951d4019dfb466f21514e5d90d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
97a7ef630686f0aa0b27bf7ce355ba75

SHA1
2dbe466244cef00831dbc17b05c4e2c6160c9e67

SHA256
24c9cddc2b959691e19b72cb1e03b74c2931c2323f493b6d4c236867a8960a19

SHA512
7f2bf0d4b26a2b592a62e5fd18748498b828b64086bf35be0d600f19ac744e9c595d270bbf8a892fd3be71a06ea86889e805d9db876f16156c3d718179c10d9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5df252c52b3ee9298dc4fb3a3d74b30b

SHA1
2e4bb12b266612e12449d1136933ebdfdc1f3d5f

SHA256
eb606362694eee9d3c7f006bfbb33be4657293cf988bba541a13ad4f24ba8c87

SHA512
b2dd0eb87a322f9af5b54ac9368c77ac2512de2744d12b2836e3277fce1a60f687c120934c744c8e32c17052e7acba7ca2bb72df1fb7c8a9385a80d9ed013f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ae93db7d91c28fecedd04baf419f801e

SHA1
df86c2dd27715839c1a2d4772588198056ae007e

SHA256
38327a7ea851149bdadeb46ce5fbf6e98726f9e8247030c6e76a3eb2249ecbd4

SHA512
7138904e941dd0024539e287c38d98f4cf437c4393508d64c37886b5604f2709f2ea37b5772a2f7a61afed1be1f3f05d540ed05395f1aa043e96c43be513b341

Download Submit
memory/212-82-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/508-112-0x000000007FD20000-0x000000007FD21000-memory.dmp

Filesize
4KB

Download
memory/508-39-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/508-63-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/508-40-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/508-28-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/508-47-0x00000000075B0000-0x00000000075B1000-memory.dmp

Filesize
4KB

Download
memory/508-25-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/508-134-0x0000000004A13000-0x0000000004A14000-memory.dmp

Filesize
4KB

Download
memory/508-21-0x0000000000000000-mapping.dmp

Download
memory/508-50-0x0000000007E00000-0x0000000007E01000-memory.dmp

Filesize
4KB

Download
memory/856-133-0x00000000042F3000-0x00000000042F4000-memory.dmp

Filesize
4KB

Download
memory/856-22-0x0000000000000000-mapping.dmp

Download
memory/856-86-0x0000000008AD0000-0x0000000008B03000-memory.dmp

Filesize
204KB

Download
memory/856-108-0x000000007EA40000-0x000000007EA41000-memory.dmp

Filesize
4KB

Download
memory/856-113-0x0000000008AB0000-0x0000000008AB1000-memory.dmp

Filesize
4KB

Download
memory/856-30-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/856-43-0x00000000042F2000-0x00000000042F3000-memory.dmp

Filesize
4KB

Download
memory/856-42-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/856-117-0x0000000008E30000-0x0000000008E31000-memory.dmp

Filesize
4KB

Download
memory/1076-23-0x0000000000000000-mapping.dmp

Download
memory/1076-66-0x00000000081F0000-0x00000000081F1000-memory.dmp

Filesize
4KB

Download
memory/1076-142-0x0000000009730000-0x0000000009731000-memory.dmp

Filesize
4KB

Download
memory/1076-136-0x0000000009750000-0x0000000009751000-memory.dmp

Filesize
4KB

Download
memory/1076-103-0x000000007E850000-0x000000007E851000-memory.dmp

Filesize
4KB

Download
memory/1076-32-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/1076-44-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/1076-135-0x0000000006DD3000-0x0000000006DD4000-memory.dmp

Filesize
4KB

Download
memory/1076-38-0x0000000006DD2000-0x0000000006DD3000-memory.dmp

Filesize
4KB

Download
memory/1076-71-0x0000000008510000-0x0000000008511000-memory.dmp

Filesize
4KB

Download
memory/3808-35-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/3808-11-0x000000001005266E-mapping.dmp

Download
memory/3808-13-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/3808-10-0x0000000010000000-0x0000000010058000-memory.dmp

Filesize
352KB

Download
memory/3808-18-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4080-54-0x0000000000000000-mapping.dmp

Download
memory/4352-132-0x0000000007143000-0x0000000007144000-memory.dmp

Filesize
4KB

Download
memory/4352-128-0x00000000099C0000-0x00000000099C1000-memory.dmp

Filesize
4KB

Download
memory/4352-20-0x0000000000000000-mapping.dmp

Download
memory/4352-36-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/4352-41-0x0000000007142000-0x0000000007143000-memory.dmp

Filesize
4KB

Download
memory/4352-45-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/4352-98-0x000000007F3F0000-0x000000007F3F1000-memory.dmp

Filesize
4KB

Download
memory/4352-26-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4352-24-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/4548-62-0x0000000000000000-mapping.dmp

Download
memory/4620-76-0x000000000043763E-mapping.dmp

Download
memory/4620-94-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/4620-75-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4620-160-0x0000000005611000-0x0000000005612000-memory.dmp

Filesize
4KB

Download
memory/4620-156-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/4620-77-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/4768-19-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/4768-2-0x00000000732D0000-0x00000000739BE000-memory.dmp

Filesize
6.9MB

Download
memory/4768-7-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/4768-6-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/4768-5-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/4768-3-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/4768-8-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/4768-9-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download