Malware Analysis Report

2025-06-15 20:05

Sample ID 240515-mnm5hsdd4z
Target 9f9cd3b4b752dea99618ab863805176a70ae1cebf2c1923ca3d3823e5c7f0b35
SHA256 9f9cd3b4b752dea99618ab863805176a70ae1cebf2c1923ca3d3823e5c7f0b35
Tags
agenttesla execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f9cd3b4b752dea99618ab863805176a70ae1cebf2c1923ca3d3823e5c7f0b35

Threat Level: Known bad

The file 9f9cd3b4b752dea99618ab863805176a70ae1cebf2c1923ca3d3823e5c7f0b35 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory
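The behaviours summarised above, expressed as detection logic. The following Python is an added example, not code from the report or from the sandbox: it encodes the four behaviours that characterise this chain (a Defender exclusion for a path under the user profile, a scheduled task imported from an XML file in %TEMP%, a .NET framework utility started with no arguments by a binary in a user-writable directory, and a Run value pointing into AppData) and runs them over hand-written Sysmon-style events built from the command lines and the registry write recorded in behavioral1, plus benign controls that must not fire. Which of the two PowerShell PIDs (2612, 2692) ran which exclusion is not stated in the report; the assignment in the sample events is assumed.

```python
"""Detection logic for the behaviour chain in this report, run over constructed
Sysmon-style events. Added example: events are hand-written from the report."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the started process
    parent_image: str   # full path of its parent
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    image: str          # process that wrote the value
    key: str            # full key path (HKCU\... or \REGISTRY\USER\... form)
    data: str           # string data written


# User-writable per-profile locations used by the loader and its persistence.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
# .NET framework utilities abused as injection hosts; RegSvcs.exe is the one seen here.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Everything after the (possibly quoted) image token of a command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def check_process(ev: ProcEvent) -> list[str]:
    hits, img, cmd = [], basename(ev.image), ev.cmdline
    # Defender exclusion for something under the user profile (T1562.001).
    if (img == "powershell.exe"
            and re.search(r"add-mppreference\b.*-exclusion(?:path|process|extension)", cmd, re.I)
            and USER_WRITABLE.search(cmd)):
        hits.append("defender_exclusion_for_user_path")
    # Task imported from an XML definition dropped in %TEMP% (T1053.005).
    if (img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I)
            and re.search(r'/xml\s+"?[^"]*\\Temp\\', cmd, re.I)):
        hits.append("schtasks_xml_from_temp")
    # .NET utility started with no arguments by a binary in a user-writable directory:
    # the hollowing-host pattern (T1055.012). Legitimate use always passes an assembly.
    if (img in DOTNET_HOSTS and USER_WRITABLE.search(ev.parent_image)
            and args_after_image(cmd) == ""):
        hits.append("dotnet_host_no_args_from_user_dir")
    return hits


def check_registry(ev: RegEvent) -> list[str]:
    hits = []
    # Run value pointing into AppData (T1547.001); worse when written by a .NET host.
    if RUN_KEY.search(ev.key) and USER_WRITABLE.search(ev.data):
        hits.append("run_key_points_to_appdata")
        if basename(ev.image) in DOTNET_HOSTS:
            hits.append("run_key_written_by_dotnet_host")
    return hits


def scan(events) -> dict[int, list[str]]:
    """Map PID -> names of the rules that fired; PIDs with no findings are omitted."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        hits = check_process(ev) if isinstance(ev, ProcEvent) else check_registry(ev)
        if hits:
            findings.setdefault(ev.pid, []).extend(hits)
    return findings


LOADER = r"C:\Users\Admin\AppData\Local\Temp\BL&CO.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [  # constructed from the behavioral1 tables; PowerShell PID assignment assumed
    ProcEvent(2032, LOADER, r"C:\Windows\explorer.exe", f'"{LOADER}"'),
    ProcEvent(2612, PS, LOADER, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL&CO.exe"'),
    ProcEvent(2692, PS, LOADER, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ClBZCJCLlsf.exe"'),
    ProcEvent(2664, r"C:\Windows\SysWOW64\schtasks.exe", LOADER, r'"C:\Windows\System32\schtasks.exe" '
              r'/Create /TN "Updates\ClBZCJCLlsf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5928.tmp"'),
    ProcEvent(2520, REGSVCS, LOADER, f'"{REGSVCS}"'),
    RegEvent(2520, REGSVCS, r"\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\boqXv",
             r"C:\Users\Admin\AppData\Roaming\boqXv\boqXv.exe"),
    # Benign controls (constructed, not from the report): must produce no findings.
    ProcEvent(4101, REGSVCS, r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              f'"{REGSVCS}" C:\\Build\\MyComponent.dll'),
    RegEvent(4102, r"C:\Windows\explorer.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]

if __name__ == "__main__":
    for pid, rules in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, rules)
```

Run as a script it prints the PIDs that fired. The hollowing-host rule carries the best signal here: RegSvcs.exe is not run legitimately without an assembly path, and a parent under AppData\Local\Temp is rare outside installers. The exclusion rule should also be fed from the Defender operational log (event 5007, configuration changed) where it is available, since a PowerShell command line can be obfuscated while the resulting exclusion cannot.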

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 10:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 10:36

Reported

2024-05-15 10:39

Platform

win7-20240508-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BL&CO.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2032 set thread context of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2032 wrote to memory of 2612 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 2692 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 2664 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 2520 (12 events) | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BL&CO.exe

"C:\Users\Admin\AppData\Local\Temp\BL&CO.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL&CO.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ClBZCJCLlsf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ClBZCJCLlsf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5928.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Note: the command lines name C:\Windows\System32\..., but the images that ran are under C:\Windows\SysWOW64. BL&CO.exe is a 32-bit process, so WoW64 file-system redirection maps System32 to SysWOW64 for the children it creates. Add-MpPreference only succeeds in an elevated session, and the report does not record whether the two exclusions took effect; both paths are indicators either way. The task Updates\ClBZCJCLlsf (imported from tmp5928.tmp, listed under Files) and the exclusion for C:\Users\Admin\AppData\Roaming\ClBZCJCLlsf.exe are created by BL&CO.exe (PID 2032), while the Run value boqXv is written by the code running inside RegSvcs.exe (PID 2520). Neither ClBZCJCLlsf.exe nor boqXv.exe is among the files written during this run, so their presence on a host has to be checked separately.

Network

N/A

Files

memory/2032-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

memory/2032-1-0x0000000000150000-0x0000000000208000-memory.dmp

memory/2032-2-0x0000000074D30000-0x000000007541E000-memory.dmp

memory/2032-3-0x0000000000530000-0x0000000000550000-memory.dmp

memory/2032-4-0x00000000003D0000-0x00000000003E0000-memory.dmp

memory/2032-5-0x0000000000420000-0x0000000000436000-memory.dmp

memory/2032-6-0x00000000052B0000-0x0000000005334000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5928.tmp

MD5 cc630b46d5e61ddc7d0a3b9278cea657
SHA1 cd8737bb888ed5f0428ef1507b76d62f37203b0a
SHA256 59cbc30640fd0da2b25032455eff4df69244de1517f7bdc63d1f7011b63a1cf1
SHA512 1b6a3b1f078cd323ab54bef98c9be2f63a5a960b1b926a4feee8c9ea9baa110c6aaff9ffa8772c56d63fb12694849ec0277cde7cb04858e4165dae1e7c0642c8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6I1THCFS0RSEQQQB97LS.temp

MD5 13ddf8387321f2b868a64e13c990ed33
SHA1 4ff24f5342137b42adca933d430cb1e38c8646e3
SHA256 5d5eeef0f9bf3ebb0c42d0348fe91983e4cb7f5ca083e2916c8b59597f518436
SHA512 d573a6b559e6770ea9534be55806942c0386cc749de718a898476ef80b7168445ec1134c8cea48425453a9c9f3f250f8f0fc554c41875dbc398792ec4d5db209

memory/2520-19-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2520-25-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2520-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2520-23-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2520-21-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2520-30-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2520-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2520-28-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2032-31-0x0000000074D30000-0x000000007541E000-memory.dmp
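The SetThreadContext and WriteProcessMemory rows together with the memory-dump listing above identify which dump holds the injected payload. The following script is an added example, not part of the report or of any sandbox tooling: it parses those lines, groups the dumped regions of the injected process by address range, and names the dump to carve for an AgentTesla config extractor. REPORT_LINES are copied from the behavioral1 section, with the repeated WriteProcessMemory rows reproduced by multiplication; choosing the latest snapshot of the best region is a heuristic, not something the report states.

```python
"""Rank the memory dumps of an injected process from the indicator rows and the
Files listing of a sandbox report. Added example; input lines are from behavioral1."""
import re
from collections import Counter, defaultdict

SET_CTX = re.compile(r"PID (\d+) set thread context of (\d+)")
WROTE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def correlate(lines):
    """Return {target_pid: {"injector", "write_events", "regions"}} for every
    process whose thread context was replaced. "regions" lists
    (start, end, size, [snapshot indices]) with the best carving candidate first."""
    ctx_from = {}                                    # target pid -> injecting pid
    writes = Counter()                               # (injector, target) -> WriteProcessMemory rows
    snaps = defaultdict(lambda: defaultdict(list))   # pid -> (start, end) -> snapshot ids
    for line in lines:
        if m := SET_CTX.search(line):
            ctx_from[int(m.group(2))] = int(m.group(1))
        elif m := WROTE.search(line):
            writes[(int(m.group(1)), int(m.group(2)))] += 1
        elif m := DUMP.search(line):
            pid, snap = int(m.group(1)), int(m.group(2))
            region = (int(m.group(3), 16), int(m.group(4), 16))
            snaps[pid][region].append(snap)
    report = {}
    for target, injector in ctx_from.items():
        # A region dumped again and again across snapshots and large enough to hold
        # a PE image is the overwritten image of the hollowed host; single pages
        # (PEB, stack, heap fragments) sort to the bottom.
        ranked = sorted(snaps[target].items(),
                        key=lambda kv: (len(kv[1]), kv[0][1] - kv[0][0]), reverse=True)
        report[target] = {
            "injector": injector,
            "write_events": writes[(injector, target)],
            "regions": [(s, e, e - s, sorted(ids)) for (s, e), ids in ranked],
        }
    return report


def payload_dump(report, target_pid):
    """Name of the dump to carve: the best region at its latest snapshot, which is
    the one most likely to contain the fully written image (heuristic)."""
    regions = report[target_pid]["regions"]
    if not regions:
        return None
    start, end, _, ids = regions[0]
    return f"memory/{target_pid}-{ids[-1]}-0x{start:016X}-0x{end:016X}-memory.dmp"


REPORT_LINES = (  # copied from the behavioral1 tables; repeats reproduced by multiplication
    ["PID 2032 set thread context of 2520"]
    + ["PID 2032 wrote to memory of 2612"] * 4
    + ["PID 2032 wrote to memory of 2692"] * 4
    + ["PID 2032 wrote to memory of 2664"] * 4
    + ["PID 2032 wrote to memory of 2520"] * 12
    + [f"memory/2520-{i}-0x0000000000400000-0x0000000000442000-memory.dmp"
       for i in (19, 25, 23, 21, 30, 29, 28)]
    + ["memory/2520-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
       "memory/2032-31-0x0000000074D30000-0x000000007541E000-memory.dmp"]
)

if __name__ == "__main__":
    rep = correlate(REPORT_LINES)
    for pid, info in rep.items():
        print(pid, "injected by", info["injector"], "after", info["write_events"], "writes")
        for start, end, size, ids in info["regions"]:
            print(f"  0x{start:08X}-0x{end:08X} size 0x{size:X} dumped {len(ids)}x at {ids}")
        print("  carve:", payload_dump(rep, pid))
```

For this run the script selects the 0x00400000-0x00442000 region of PID 2520 (0x42000 bytes, dumped at seven snapshots); 0x00400000 is the default image base of a 32-bit .NET executable, which is what one expects for the unpacked AgentTesla body written into the hollowed RegSvcs.exe. The single page at 0x7EFDE000 is dumped once and is not a carving target.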

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 10:36

Reported

2024-05-15 10:39

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BL&CO.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 448 set thread context of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 448 wrote to memory of 4832 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 448 wrote to memory of 2244 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 448 wrote to memory of 4528 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\SysWOW64\schtasks.exe
PID 448 wrote to memory of 3824 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 448 wrote to memory of 3564 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 448 wrote to memory of 2220 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\BL&CO.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BL&CO.exe

"C:\Users\Admin\AppData\Local\Temp\BL&CO.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL&CO.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ClBZCJCLlsf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ClBZCJCLlsf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp925D.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Note: three RegSvcs.exe instances were started on this platform (PIDs 3824, 3564 and 2220 in the WriteProcessMemory table). BL&CO.exe (PID 448) wrote into all three but replaced the thread context only in 2220, so 2220 is the instance carrying the payload; reading the two earlier instances as injection attempts that did not complete is an inference from these tables, not something the report states. The same System32-to-SysWOW64 redirection as in behavioral1 applies, and the CLR_v4.0_32\UsageLogs\powershell.exe.log entry under Files confirms the 32-bit PowerShell host. The task XML here is tmp925D.tmp; the task name Updates\ClBZCJCLlsf, the two exclusion paths and the Run value boqXv are identical on both platforms, so they are stable indicators for this sample.

Network

Nothing in this capture is attributable to the sample's exfiltration channel: the recorded traffic is DNS to 8.8.8.8, Bing requests on 443 and reverse (PTR) lookups of addresses in Microsoft and CDN ranges, which is consistent with Windows background activity on the win10v2004 image. No SMTP, FTP, Telegram or HTTP submission, the channels AgentTesla uses to deliver stolen data, appears in the 102 s window, so the C2 destination for this sample has to come from the extracted configuration rather than from this capture.

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 131.253.33.237:443 | g.bing.com | tcp
BE | 2.17.107.128:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.33.253.131.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 128.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
BE | 2.17.107.128:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

memory/448-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

memory/448-1-0x0000000000D00000-0x0000000000DB8000-memory.dmp

memory/448-2-0x0000000005C70000-0x0000000006214000-memory.dmp

memory/448-3-0x00000000057A0000-0x0000000005832000-memory.dmp

memory/448-4-0x0000000005960000-0x000000000596A000-memory.dmp

memory/448-6-0x0000000005A80000-0x0000000005B1C000-memory.dmp

memory/448-5-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/448-7-0x00000000072C0000-0x00000000072E0000-memory.dmp

memory/448-8-0x0000000006A30000-0x0000000006A40000-memory.dmp

memory/448-9-0x0000000006A40000-0x0000000006A56000-memory.dmp

memory/448-10-0x0000000007300000-0x0000000007384000-memory.dmp

memory/4832-15-0x00000000027D0000-0x0000000002806000-memory.dmp

memory/4832-16-0x00000000051F0000-0x0000000005818000-memory.dmp

memory/4832-17-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/2244-18-0x00000000746C0000-0x0000000074E70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp925D.tmp

MD5 34feadd87496e6685689d39651c2f2b3
SHA1 318516e5afa4e883087e14dedf6db638e43824c6
SHA256 2fa9212e4b1339228e8485f3c09012db8dff0fe6f75a666e8e5d30d532257ddf
SHA512 e4441594c6ff2f6242978206d30831604a6a9770e3fdfc915189a187e438af4b8a2ea0d11d1661dad0e4588353e47bbbe5424dceca856ffe065235901d482219

memory/2244-20-0x0000000004B20000-0x0000000004B42000-memory.dmp

memory/2244-22-0x00000000054A0000-0x0000000005506000-memory.dmp

memory/4832-23-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/2244-21-0x0000000004C40000-0x0000000004CA6000-memory.dmp

memory/4832-24-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/2244-35-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/2244-30-0x0000000005510000-0x0000000005864000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ypbcczxi.yta.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2244-45-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/2220-47-0x0000000000400000-0x0000000000442000-memory.dmp

memory/448-46-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/448-49-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4832-50-0x00000000060B0000-0x00000000060CE000-memory.dmp

memory/4832-51-0x0000000006180000-0x00000000061CC000-memory.dmp

memory/4832-54-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/2244-56-0x0000000070D60000-0x0000000070DAC000-memory.dmp

memory/2244-66-0x0000000006110000-0x000000000612E000-memory.dmp

memory/2244-55-0x00000000061C0000-0x00000000061F2000-memory.dmp

memory/2244-67-0x0000000006DC0000-0x0000000006E63000-memory.dmp

memory/2244-69-0x0000000007550000-0x0000000007BCA000-memory.dmp

memory/2244-70-0x0000000006F00000-0x0000000006F1A000-memory.dmp

memory/2244-71-0x0000000006F80000-0x0000000006F8A000-memory.dmp

memory/2244-72-0x0000000007180000-0x0000000007216000-memory.dmp

memory/2244-73-0x0000000007100000-0x0000000007111000-memory.dmp

memory/2220-74-0x00000000063B0000-0x0000000006400000-memory.dmp

memory/2244-75-0x0000000007130000-0x000000000713E000-memory.dmp

memory/2244-76-0x0000000007140000-0x0000000007154000-memory.dmp

memory/2244-77-0x0000000007240000-0x000000000725A000-memory.dmp

memory/2244-78-0x0000000007220000-0x0000000007228000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8c84fb26baf017985e64cad29e77750b
SHA1 120f54b03da53325077c1062030f4e2ca1c2e94c
SHA256 e9a2712f59cc6613177a3e95311cbe73fdc68f4f43366e25af1b804df6777be1
SHA512 8ed612c8cc2258dba973bd4fb5367de484971fc63d464a2f7b75a7ca23f6871391b9e1b289c8163d7d33edb8448ca79551d019c1419af8263cb46abc2795f0c0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

memory/2244-82-0x00000000746C0000-0x0000000074E70000-memory.dmp