Malware Analysis Report

2025-08-05 16:17

Sample ID 240521-cbjlfseg5y
Target 503ac480dd48ab2147487f06e2394b759631512866aa0284d03d1c69c4861264
SHA256 503ac480dd48ab2147487f06e2394b759631512866aa0284d03d1c69c4861264
Tags: agenttesla execution keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 503ac480dd48ab2147487f06e2394b759631512866aa0284d03d1c69c4861264

Threat Level: Known bad

The file 503ac480dd48ab2147487f06e2394b759631512866aa0284d03d1c69c4861264 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads user/profile data of local email clients

Checks computer location settings

Reads data files stored by FTP clients

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-21 01:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 01:54
Reported: 2024-05-21 01:56
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2244 set thread context of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2244 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2244 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2244 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2244 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2244 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2244 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2244 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2244 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2244 wrote to memory of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WduTJk.exe"

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WduTJk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD0D6.tmp"

C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 172.67.74.152:443 | api.ipify.org | tcp

Files

memory/2244-0-0x000000007423E000-0x000000007423F000-memory.dmp
memory/2244-1-0x0000000001300000-0x00000000013BA000-memory.dmp
memory/2244-2-0x0000000074230000-0x000000007491E000-memory.dmp
memory/2244-3-0x0000000000620000-0x0000000000642000-memory.dmp
memory/2244-4-0x0000000000330000-0x000000000033C000-memory.dmp
memory/2244-5-0x00000000004C0000-0x00000000004D0000-memory.dmp
memory/2244-6-0x0000000000560000-0x00000000005E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD0D6.tmp
  MD5 c6c0b69b170556b6430b3f44114ece3d
  SHA1 c1a5cdbbcd94bd3cb4ecec2b7c127ff94f06e004
  SHA256 3feac31ca894fe039d6b2a4ff644c63c628baf8ce63203260388328b2f827a16
  SHA512 d8424101be5cfb5b9065b8e826b5066825c198ee30c52003c3769fc030e3098146bae7516d9b9a1ec6dbd32be2ad8dd15c64521898b71edd83befec19bfcff4e

memory/2844-17-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2844-28-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2844-27-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2844-26-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2844-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2844-23-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2844-21-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2844-19-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2244-29-0x0000000074230000-0x000000007491E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-21 01:54
Reported: 2024-05-21 01:56
Platform: win10v2004-20240426-en
Max time kernel: 133s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2488 set thread context of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2488 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 4976 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 4976 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 4976 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2488 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 4560 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2488 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2488 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2488 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2488 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2488 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2488 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2488 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
PID 2488 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe | C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WduTJk.exe"

C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WduTJk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B1E.tmp"

C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 76063675443-June Order list.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 172.67.74.152:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | smtp.yandex.com | udp
RU | 77.88.21.158:587 | smtp.yandex.com | tcp
US | 8.8.8.8:53 | 158.21.88.77.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/2488-0-0x000000007454E000-0x000000007454F000-memory.dmp
memory/2488-1-0x0000000000F80000-0x000000000103A000-memory.dmp
memory/2488-2-0x0000000006010000-0x00000000065B4000-memory.dmp
memory/2488-3-0x0000000005A60000-0x0000000005AF2000-memory.dmp
memory/2488-5-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/2488-4-0x0000000005A40000-0x0000000005A4A000-memory.dmp
memory/2488-6-0x0000000005E50000-0x0000000005E72000-memory.dmp
memory/2488-7-0x0000000005E70000-0x0000000005E7C000-memory.dmp
memory/2488-8-0x00000000032B0000-0x00000000032C0000-memory.dmp
memory/2488-9-0x0000000006F80000-0x0000000007002000-memory.dmp
memory/2488-10-0x000000000BA40000-0x000000000BADC000-memory.dmp
memory/3088-15-0x0000000002BE0000-0x0000000002C16000-memory.dmp
memory/3088-16-0x0000000005840000-0x0000000005E68000-memory.dmp
memory/3088-17-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/3088-18-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/3088-19-0x0000000074540000-0x0000000074CF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6B1E.tmp
  MD5 6a8d665f54a0108d18eddad7719223a8
  SHA1 b47e354ded22990a0de3dea63b290b400be3dbb9
  SHA256 4258c461aef34e144ef7983af29a37c3070ca32fb965402685606e0e6fb674e4
  SHA512 a47a0b47206d09c57f4a70d6d1a3016a2be4787bd507369eb4dec7b0782e57e5c12b73f112ddabe07e3eb959c62b5317a0b809ecf4393c5b37e626e7f9c2af27

memory/3088-24-0x0000000005E70000-0x0000000005ED6000-memory.dmp
memory/3088-23-0x00000000057D0000-0x0000000005836000-memory.dmp
memory/3088-26-0x0000000005EE0000-0x0000000006234000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kydwja3p.cbh.ps1
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3648-27-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4976-25-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/4976-38-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/4976-22-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/2488-48-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/3088-21-0x0000000005630000-0x0000000005652000-memory.dmp
memory/3088-50-0x0000000006580000-0x00000000065CC000-memory.dmp
memory/3088-49-0x00000000064F0000-0x000000000650E000-memory.dmp
memory/4976-52-0x0000000074DA0000-0x0000000074DEC000-memory.dmp
memory/3088-53-0x0000000074DA0000-0x0000000074DEC000-memory.dmp
memory/4976-73-0x00000000070C0000-0x0000000007163000-memory.dmp
memory/4976-65-0x0000000006E90000-0x0000000006EAE000-memory.dmp
memory/4976-51-0x0000000006E50000-0x0000000006E82000-memory.dmp
memory/4976-74-0x0000000007830000-0x0000000007EAA000-memory.dmp
memory/4976-75-0x00000000071F0000-0x000000000720A000-memory.dmp
memory/4976-76-0x0000000007260000-0x000000000726A000-memory.dmp
memory/4976-77-0x0000000007470000-0x0000000007506000-memory.dmp
memory/3088-78-0x0000000007A10000-0x0000000007A21000-memory.dmp
memory/4976-79-0x0000000007420000-0x000000000742E000-memory.dmp
memory/3088-81-0x0000000007B50000-0x0000000007B6A000-memory.dmp
memory/3088-82-0x0000000007B30000-0x0000000007B38000-memory.dmp
memory/3088-80-0x0000000007A50000-0x0000000007A64000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5 968cb9309758126772781b83adb8a28f
  SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5 b43f668ba66e884d0a19c86160db6245
  SHA1 0b657740e4f95ae0857750452fb30c0113deb334
  SHA256 e62c25b579a310345a17e791cd783d0202dc25ee8c304832786eb53b48b93af6
  SHA512 0f7788e41503eda826f1112e2b76b868e1716bc89f7bda821b6481eb8f7b6a8303146a7ea49dcbbacd644d8e13e2c1f2f35f9acc6a21f11a0606aece54c6e5e7

memory/4976-90-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/3088-89-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/3648-91-0x0000000006D40000-0x0000000006D90000-memory.dmp