Malware Analysis Report

2025-08-10 12:34

Sample ID 240403-pea5psch9w
Target PURCHASE ORDER.r15.rar
SHA256 bcb63c80b4b0c627f4a89aa24845e3e9ff0442f23a30ce0d1be48eba2a5d3a36
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bcb63c80b4b0c627f4a89aa24845e3e9ff0442f23a30ce0d1be48eba2a5d3a36

Threat Level: Known bad

The file PURCHASE ORDER.r15.rar was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 12:14

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 12:14

Reported

2024-04-03 12:16

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2020 set thread context of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Enumerates physical storage devices

Creates scheduled task(s)

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2020 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2020 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2020 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2020 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2020 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2020 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2020 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2020 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2020 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2020 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2020 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2020 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2020 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe

"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hnBSXmzhPbTy.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hnBSXmzhPbTy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files

memory/2020-0-0x0000000000880000-0x0000000000934000-memory.dmp

memory/2020-1-0x0000000074AE0000-0x00000000751CE000-memory.dmp

memory/2020-2-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/2020-3-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2020-4-0x0000000000560000-0x000000000056C000-memory.dmp

memory/2020-5-0x0000000005C70000-0x0000000005CF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp731D.tmp

MD5 31e028e369cdc503dec078c67c4ed302
SHA1 faafba3ca4fab6d4eee5f5c3a52367eb87affeb4
SHA256 ba0b2c7b4d03636dcc10412b774f21f433fab5b212bbae1f4c2bcefe83eb3958
SHA512 c07a5eca019afa96a845fe7aeb6ab45c601d7d7f144d654af05fd7cafcf6c128726ee54db0ae64599a7636fc3fc98d21f94508b6caf9d2a94c976e4afe0efee1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2T2EYICJZQCMV8GVB02H.temp

MD5 f3a71436eec922c023313e74b1b1fa5e
SHA1 e2274ba54e9c072e46d823cc980560582057a9cb
SHA256 e54d92516e96b95becd0464883ae1d2af9270d039d37982aace2a9cd841cd75f
SHA512 60b17dc6d2631373cbee75ede4d15a9f2eb0398749a51cb9356f3cdbcdeddaf2b11e6c84a3dd9750ea8186291a0c24e1aa3b43be3b3c264738f627488c90fe33

memory/2720-18-0x000000006F970000-0x000000006FF1B000-memory.dmp

memory/2552-19-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3024-21-0x000000006F970000-0x000000006FF1B000-memory.dmp

memory/3024-22-0x000000006F970000-0x000000006FF1B000-memory.dmp

memory/2720-24-0x000000006F970000-0x000000006FF1B000-memory.dmp

memory/3024-27-0x0000000002300000-0x0000000002340000-memory.dmp

memory/2552-28-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2552-30-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3024-29-0x0000000002300000-0x0000000002340000-memory.dmp

memory/2720-25-0x00000000027E0000-0x0000000002820000-memory.dmp

memory/2552-23-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3024-31-0x000000006F970000-0x000000006FF1B000-memory.dmp

memory/2720-32-0x000000006F970000-0x000000006FF1B000-memory.dmp

memory/2020-33-0x0000000074AE0000-0x00000000751CE000-memory.dmp

memory/2020-34-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/2552-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2552-37-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2552-39-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2020-41-0x0000000074AE0000-0x00000000751CE000-memory.dmp

memory/2552-42-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2552-43-0x0000000074AE0000-0x00000000751CE000-memory.dmp

memory/2552-44-0x0000000074AE0000-0x00000000751CE000-memory.dmp

memory/2552-45-0x0000000004910000-0x0000000004950000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 12:14

Reported

2024-04-03 12:16

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1048 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Enumerates physical storage devices

Creates scheduled task(s)

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1048 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1048 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1048 wrote to memory of 2192 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1048 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1048 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1048 wrote to memory of 3256 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1048 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1048 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1048 wrote to memory of 1740 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1048 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1048 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1048 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1048 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1048 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1048 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1048 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1048 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe

"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hnBSXmzhPbTy.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hnBSXmzhPbTy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp737A.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |

Files

memory/1048-1-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/1048-0-0x0000000000B40000-0x0000000000BF4000-memory.dmp

memory/1048-2-0x0000000005C70000-0x0000000006214000-memory.dmp

memory/1048-3-0x00000000055D0000-0x0000000005662000-memory.dmp

memory/1048-4-0x0000000005820000-0x0000000005830000-memory.dmp

memory/1048-5-0x0000000005680000-0x000000000568A000-memory.dmp

memory/1048-6-0x0000000005810000-0x0000000005820000-memory.dmp

memory/1048-7-0x0000000005870000-0x000000000587C000-memory.dmp

memory/1048-8-0x0000000006AE0000-0x0000000006B62000-memory.dmp

memory/1048-9-0x000000000A610000-0x000000000A6AC000-memory.dmp

memory/2192-14-0x0000000002600000-0x0000000002636000-memory.dmp

memory/2192-15-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/2192-17-0x0000000005270000-0x0000000005898000-memory.dmp

memory/2192-16-0x0000000004C30000-0x0000000004C40000-memory.dmp

memory/2192-18-0x0000000004C30000-0x0000000004C40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp737A.tmp

MD5 15e8ca30a865737068bbd53615cfb6cf
SHA1 09bf9567ef5ae22888c8d074ba4fc06d97962daf
SHA256 7ddd143c0b9e84158e24e2c806a73adfb374cd5cf4b163bce569f0b41f836f6b
SHA512 b42e3fb7828b82f2034237619656e7217a7e915efffa71d0b022df287badbe887dcd83be8ba1302c1d8d225792cb5eba2a13e97c7c46a5f02e33cd2366d5baf8

memory/2192-20-0x0000000005140000-0x0000000005162000-memory.dmp

memory/3256-21-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/3256-23-0x00000000027F0000-0x0000000002800000-memory.dmp

memory/3256-24-0x00000000027F0000-0x0000000002800000-memory.dmp

memory/2192-25-0x00000000051E0000-0x0000000005246000-memory.dmp

memory/1048-36-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/2808-38-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/2192-37-0x0000000005A10000-0x0000000005A76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fuwswr0p.jeo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2808-22-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2808-39-0x00000000057A0000-0x00000000057B0000-memory.dmp

memory/2192-40-0x0000000005B10000-0x0000000005E64000-memory.dmp

memory/2192-50-0x0000000005F00000-0x0000000005F1E000-memory.dmp

memory/2192-51-0x0000000005F40000-0x0000000005F8C000-memory.dmp

memory/2192-52-0x00000000064D0000-0x0000000006502000-memory.dmp

memory/2192-53-0x000000007EE50000-0x000000007EE60000-memory.dmp

memory/2192-54-0x00000000711A0000-0x00000000711EC000-memory.dmp

memory/3256-66-0x00000000711A0000-0x00000000711EC000-memory.dmp

memory/3256-65-0x000000007F5A0000-0x000000007F5B0000-memory.dmp

memory/3256-77-0x00000000027F0000-0x0000000002800000-memory.dmp

memory/2192-67-0x0000000004C30000-0x0000000004C40000-memory.dmp

memory/2192-64-0x00000000064B0000-0x00000000064CE000-memory.dmp

memory/2192-78-0x0000000006ED0000-0x0000000006F73000-memory.dmp

memory/3256-79-0x0000000007880000-0x0000000007EFA000-memory.dmp

memory/2192-80-0x00000000072C0000-0x00000000072DA000-memory.dmp

memory/2192-81-0x0000000007330000-0x000000000733A000-memory.dmp

memory/3256-82-0x00000000074C0000-0x0000000007556000-memory.dmp

memory/3256-83-0x0000000007440000-0x0000000007451000-memory.dmp

memory/2808-84-0x00000000066A0000-0x00000000066F0000-memory.dmp

memory/3256-85-0x0000000007470000-0x000000000747E000-memory.dmp

memory/3256-86-0x0000000007480000-0x0000000007494000-memory.dmp

memory/2192-87-0x0000000007600000-0x000000000761A000-memory.dmp

memory/3256-88-0x0000000007560000-0x0000000007568000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7ead4c4e9561daf5ff6f7b32249dcd6a
SHA1 c4b788149891cdcb8257bb49280415954aebce6b
SHA256 9d8805c7b8d43b41a818595716f12c837771d82f48adf53956492af2e6bfe1a5
SHA512 8de5eeb3764f7cfa86078dda20eab49f5dc54e94b09208574407b62a1d56d7933ac9dc1d90c6c9addb4c07fd6f54b388d5fd79f8e4421facc4fd1953c2431ffb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ba246bd2d86f16b8e701e797989d424b
SHA1 048769be2e48bd66ddedbfcf9d40addb6168fc16
SHA256 37c38ce312bc65167a7a6208217dedc66559bd6dd149472fd7001a8e9db310ad
SHA512 473fedc38e188d36b1f2f3db119a5c6c1e8676a24392a64b60198ab38c6725a909b8564892608760cc2dfc6a1b4f72cf4370740f97dcb0722d3fd4e0faa57bec

memory/2192-94-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/3256-95-0x0000000074E80000-0x0000000075630000-memory.dmp

memory/2808-96-0x0000000074E80000-0x0000000075630000-memory.dmp