Malware Analysis Report

2024-11-30 07:50

Sample ID: 240603-gwf4aafd54
Target: shipping documents.rar
SHA256: abc1ab2d94c3bf032086a2428825c22ba00b3654c6c6aae9bcc36d9c6050a535
Tags: agenttesla execution keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: abc1ab2d94c3bf032086a2428825c22ba00b3654c6c6aae9bcc36d9c6050a535
Threat Level: Known bad

The file shipping documents.rar was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-03 06:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 06:09
Reported: 2024-06-03 06:11
Platform: win7-20240220-en
Max time kernel: 122s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3056 set thread context of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 3056 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 3056 wrote to memory of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 3056 wrote to memory of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 3056 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | 12

Processes

Image: C:\Users\Admin\AppData\Local\Temp\shipping documents.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mUsYIbZfsGwZQG.exe"

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mUsYIbZfsGwZQG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp59B4.tmp"

Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files

memory/3056-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

memory/3056-1-0x0000000000CF0000-0x0000000000DA4000-memory.dmp

memory/3056-2-0x0000000074BD0000-0x00000000752BE000-memory.dmp

memory/3056-3-0x00000000005A0000-0x00000000005B8000-memory.dmp

memory/3056-4-0x00000000005C0000-0x00000000005D0000-memory.dmp

memory/3056-5-0x0000000005DB0000-0x0000000005E34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp59B4.tmp

MD5 a9b98686c3d26abc783a84d6eb08ec67
SHA1 d362af2eb03305a83e3e71e341d2dac9051e3722
SHA256 ed138de685801d1e319bfc6375d3b5a05d59d4fbcfb2833a25cf123779f9b026
SHA512 99576781600fd47d9ff2d88594f30dec068d1c6ad3f11343355b2719165eef4f551e01137be9a4af5d2751494714856a13a2d99a313b692ddc3c797ca6b42f3b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M5OQWXMYU3KCEWOP394E.temp

MD5 f28a6f2c0403833bbf801c076d9462a9
SHA1 efcf8c2f5a9907fd979299fbe2e97dd58e53d904
SHA256 febbdcbbf89137c092bb86fce7d175dd386387ff819cce6ebfcbf4df841d6a03
SHA512 85b22b562cbd46d9441ed83d17df68dd6083b4f1ee0097cdd6549f6082aa992668a6f420758168473ff607e3ca0252c8f83fdb3a1ea98421822e0cc05c93d7f1

memory/2544-28-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2544-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2544-27-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2544-24-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2544-22-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2544-20-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2544-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2544-18-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3056-30-0x0000000074BD0000-0x00000000752BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-03 06:09
Reported: 2024-06-03 06:11
Platform: win10v2004-20240426-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3380 set thread context of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 3380 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3380 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 3380 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 3380 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | 3
PID 3380 wrote to memory of 996 | N/A | C:\Users\Admin\AppData\Local\Temp\shipping documents.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | 8
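The signature rows above are what an analyst turns into indicators and into a verdict on what the loader actually did: a Run key written by RegSvcs.exe rather than by the dropper, a SetThreadContext call from PID 3380 into a PID it also wrote memory into, a Geo\Nation query before anything else, and SeDebugPrivilege enabled in several processes. The script below is an added example, not part of the report or of any sandbox tooling. Its input is rows transcribed from the behavioral2 tables with description and indicator joined into one text field (constructed sample input); it parses the row shapes that matter here and correlates SetThreadContext with WriteProcessMemory on the same PID pair into a process-hollowing finding when the source and host images differ. The list of .NET utilities treated as likely hollowing hosts is an assumption of the example.

```python
import re
from collections import defaultdict

# Rows transcribed from the behavioral2 signature tables (constructed sample input;
# the SID, PIDs and paths are the ones the report shows). A real pipeline would read
# the sandbox's JSON, but the row text is what gets pasted into tickets.
SIGNATURE_ROWS = [
    {"description": r"Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation",
     "process": r"C:\Users\Admin\AppData\Local\Temp\shipping documents.exe", "target": None},
    {"description": r'Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"',
     "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "target": None},
    {"description": "PID 3380 set thread context of 996",
     "process": r"C:\Users\Admin\AppData\Local\Temp\shipping documents.exe",
     "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"description": "PID 3380 wrote to memory of 1880",
     "process": r"C:\Users\Admin\AppData\Local\Temp\shipping documents.exe",
     "target": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"description": "PID 3380 wrote to memory of 996",
     "process": r"C:\Users\Admin\AppData\Local\Temp\shipping documents.exe",
     "target": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"description": "Token: SeDebugPrivilege",
     "process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "target": None},
]

# Assumed list of .NET framework utilities commonly used as hollowing hosts.
HOLLOWING_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}

RUN_KEY_RE = re.compile(r'^Set value \((?P<kind>\w+)\) (?P<key>.*\\CurrentVersion\\Run)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$', re.IGNORECASE)
THREAD_CTX_RE = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+)$")
WRITE_MEM_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)$")
TOKEN_RE = re.compile(r"^Token: (?P<priv>Se\w+Privilege)$")
GEO_SUFFIX = r"\control panel\international\geo\nation"


def image(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(rows):
    """Turn flattened signature rows into structured findings."""
    findings = {"run_keys": [], "hollowing": [], "geo_checks": [], "debug_privilege": set()}
    writes = defaultdict(set)      # (writer pid, written pid) -> images written into
    thread_contexts = []
    for row in rows:
        desc = row["description"]
        if m := RUN_KEY_RE.match(desc):
            writer = image(row["process"])
            findings["run_keys"].append({
                "name": m["name"],
                "data": m["data"].replace("\\\\", "\\"),   # the report doubles backslashes in value data
                "writer": writer,
                "writer_is_hollowing_host": writer in HOLLOWING_HOSTS,
            })
        elif m := WRITE_MEM_RE.match(desc):
            writes[(int(m["src"]), int(m["dst"]))].add(image(row["target"]))
        elif m := THREAD_CTX_RE.match(desc):
            thread_contexts.append((int(m["src"]), int(m["dst"]), row))
        elif desc.lower().startswith("key value queried ") and desc.lower().endswith(GEO_SUFFIX):
            findings["geo_checks"].append(image(row["process"]))
        elif (m := TOKEN_RE.match(desc)) and m["priv"] == "SeDebugPrivilege":
            findings["debug_privilege"].add(image(row["process"]))
    # SetThreadContext on a PID the same process also wrote into, with a different
    # image on each side, is the classic process-hollowing pattern.
    for src, dst, row in thread_contexts:
        src_img, host_img = image(row["process"]), image(row["target"])
        if (src, dst) in writes and src_img != host_img:
            findings["hollowing"].append({"source_pid": src, "target_pid": dst,
                                          "source_image": src_img, "host_image": host_img})
    return findings


if __name__ == "__main__":
    for section, items in analyze(SIGNATURE_ROWS).items():
        print(section, "->", items)
```

The Run-key finding carries the writer image on purpose: the value is set by RegSvcs.exe, the hollowed host, not by the dropper, so a registry-only detection that keys on the dropper's name would miss it.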

Processes

Image: C:\Users\Admin\AppData\Local\Temp\shipping documents.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mUsYIbZfsGwZQG.exe"

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mUsYIbZfsGwZQG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7908.tmp"

Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
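The process tree above is the loader's whole visible job: exclude itself and its Roaming copy from Defender, register a scheduled task from an XML file in Temp, and start an argument-less RegSvcs.exe to host the payload. The script below is an added example and not part of the report. It runs three process-creation rules over events constructed from the command lines in this section (parent PIDs are inferred from the WriteProcessMemory rows, since the report does not list them) plus one benign schtasks event as a control, then correlates hits under their parent. It matches on the loaded image path rather than on argv[0], because a 32-bit parent asking for System32\powershell.exe gets the SysWOW64 copy through file-system redirection, which is why the report shows System32 command lines under SysWOW64 images. The set of .NET hosts and the list of user-writable path markers are assumptions of the example.

```python
import re
from collections import defaultdict

# Process-creation events built from the command lines in this section (constructed
# sample input). Parent PIDs are inferred from the WriteProcessMemory rows; the last
# event is a benign control that does not appear in the report.
EVENTS = [
    {"pid": 3380, "ppid": None, "image": r"C:\Users\Admin\AppData\Local\Temp\shipping documents.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"'},
    {"pid": 1880, "ppid": 3380, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"'},
    {"pid": 1936, "ppid": 3380, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mUsYIbZfsGwZQG.exe"'},
    {"pid": 1688, "ppid": 3380, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mUsYIbZfsGwZQG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7908.tmp"'},
    {"pid": 3308, "ppid": 3380, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 996, "ppid": 3380, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 4242, "ppid": 500, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" /XML "C:\Program Files\Backup\nightly.xml"'},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")  # assumed markers
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe"}   # assumed set of .NET utilities abused as injection hosts
CHAIN = {"defender_exclusion_added", "schtasks_xml_from_user_dir", "dotnet_host_without_assembly"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(event):
    # Use the image the kernel loaded, not argv[0]: a 32-bit parent asking for
    # System32\powershell.exe gets the SysWOW64 copy via file-system redirection.
    return event["image"].rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Apply the three per-process rules; return the hits for this event."""
    name, toks = image_name(event), tokenize(event["cmdline"])
    low = [t.lower() for t in toks]
    hits = []
    if name in ("powershell.exe", "pwsh.exe") and "add-mppreference" in low:
        for i, t in enumerate(low[:-1]):
            if t.startswith("-exclusion"):          # -ExclusionPath, -ExclusionProcess, ...
                hits.append({"rule": "defender_exclusion_added", "detail": f"{toks[i]} {toks[i + 1]}"})
    if name == "schtasks.exe" and "/create" in low and "/xml" in low[:-1]:
        xml = toks[low.index("/xml") + 1]
        task = toks[low.index("/tn") + 1] if "/tn" in low[:-1] else "?"
        if any(marker in xml.lower() for marker in USER_WRITABLE):
            hits.append({"rule": "schtasks_xml_from_user_dir", "detail": f"{task} <- {xml}"})
    if name in DOTNET_HOSTS and len(toks) == 1:    # RegSvcs/RegAsm normally receive an assembly path
        hits.append({"rule": "dotnet_host_without_assembly", "detail": event["image"]})
    return hits


def analyze(events):
    """Run the rules, then report parents under which the full loader chain appears."""
    findings, rules_by_parent = [], defaultdict(set)
    for ev in events:
        for hit in check_event(ev):
            hit.update(pid=ev["pid"], ppid=ev["ppid"])
            findings.append(hit)
            rules_by_parent[ev["ppid"]].add(hit["rule"])
    chains = {ppid: sorted(rules) for ppid, rules in rules_by_parent.items() if CHAIN <= rules}
    return findings, chains


if __name__ == "__main__":
    findings, chains = analyze(EVENTS)
    for f in findings:
        print(f"pid {f['pid']} (parent {f['ppid']}): {f['rule']}: {f['detail']}")
    for ppid, rules in chains.items():
        print(f"parent {ppid} shows the full loader chain: {', '.join(rules)}")
```

Each rule fires on its own in telemetry, but the correlation is what makes the verdict cheap: one parent that adds a Defender exclusion, registers a task from its own Temp XML and starts a bare RegSvcs.exe within seconds is a loader, whatever the dropper is called.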

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | N/A | udp
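The only network activity recorded in the 152 s window is reverse lookups against 8.8.8.8; no other destination appears, so the capture contains no exfiltration endpoint, which is not evidence that there is none. Reading the in-addr.arpa names requires reversing their labels. The script below is an added example, not part of the report: it turns each PTR name from the table above (constructed as sample input) back into the address that was looked up, validates it, and separates resolver traffic from any non-DNS flows so the same function can be run over a fuller capture.

```python
import ipaddress

# Rows transcribed from the behavioral2 Network table (constructed sample input).
# The last row reproduces the report's entry with no domain recorded.
DNS_ROWS = [
    ("US", "8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "22.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.211.185.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "103.169.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.126.166.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "", "udp"),
]


def ptr_to_ip(name):
    """Return the IPv4 address a reverse-lookup name asks about, or None.

    A PTR name lists the octets in reverse order under in-addr.arpa, so
    196.249.167.52.in-addr.arpa is a lookup for 52.167.249.196.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:   # a label that is not a valid octet
        return None


def summarize(rows):
    """Split the capture into resolver traffic and everything else."""
    resolvers, ptr_targets, non_dns = set(), [], []
    for country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if port == "53":
            resolvers.add(host)
            ip = ptr_to_ip(domain)
            if ip is not None:
                ptr_targets.append(ip)
        else:
            non_dns.append((country, dest, proto))
    return {"resolvers": sorted(resolvers), "ptr_targets": ptr_targets, "non_dns": non_dns}


if __name__ == "__main__":
    report = summarize(DNS_ROWS)
    print("resolvers:", ", ".join(report["resolvers"]))
    for ip in report["ptr_targets"]:
        print("PTR lookup for", ip)
    print("non-DNS flows:", report["non_dns"] or "none recorded")
```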

Files

memory/3380-0-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

memory/3380-1-0x0000000000920000-0x00000000009D4000-memory.dmp

memory/3380-2-0x0000000005980000-0x0000000005F24000-memory.dmp

memory/3380-3-0x00000000053D0000-0x0000000005462000-memory.dmp

memory/3380-4-0x0000000005380000-0x000000000538A000-memory.dmp

memory/3380-5-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/3380-6-0x0000000007E90000-0x0000000007EA8000-memory.dmp

memory/3380-7-0x0000000006530000-0x0000000006540000-memory.dmp

memory/3380-8-0x0000000006800000-0x0000000006884000-memory.dmp

memory/3380-9-0x000000000A580000-0x000000000A61C000-memory.dmp

memory/3380-14-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

memory/1880-15-0x00000000022B0000-0x00000000022E6000-memory.dmp

memory/1880-16-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/1880-17-0x0000000004D00000-0x0000000005328000-memory.dmp

memory/1880-18-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/3380-19-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/1880-29-0x0000000005510000-0x0000000005576000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7908.tmp

MD5 b0063827db3379299c71fb567f4edad0
SHA1 f428becc15795b2a252496bc5e548f62d24530b9
SHA256 ef670ed8eb659bb1219eaff49bafcb7949ad5e66cd1b209b91eda3db6d62a30e
SHA512 e79d942eaa5f32e92b1fd2017521b4305ead940feda8b1e1e8f50540c3502a253e39fa5ac27abad9ad1a20524ca788b02f7427a4d55baddb8c0350411464652f

memory/1880-27-0x00000000054A0000-0x0000000005506000-memory.dmp

memory/1880-31-0x0000000005580000-0x00000000058D4000-memory.dmp

memory/1936-36-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/1936-30-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/996-46-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1880-26-0x0000000074FC0000-0x0000000075770000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qcp54rvl.jed.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1880-22-0x0000000004CB0000-0x0000000004CD2000-memory.dmp

memory/3380-48-0x0000000074FC0000-0x0000000075770000-memory.dmp

memory/1880-49-0x0000000005B80000-0x0000000005B9E000-memory.dmp

memory/1880-50-0x00000000060F0000-0x000000000613C000-memory.dmp

memory/1936-53-0x00000000717B0000-0x00000000717FC000-memory.dmp

memory/1880-52-0x00000000717B0000-0x00000000717FC000-memory.dmp

memory/1880-51-0x0000000006D80000-0x0000000006DB2000-memory.dmp

memory/1936-71-0x0000000006E10000-0x0000000006E2E000-memory.dmp

memory/1936-73-0x0000000006E60000-0x0000000006F03000-memory.dmp

memory/1880-75-0x00000000074F0000-0x0000000007B6A000-memory.dmp

memory/1880-76-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

memory/1880-77-0x0000000006F10000-0x0000000006F1A000-memory.dmp

memory/1880-78-0x0000000007120000-0x00000000071B6000-memory.dmp

memory/1880-79-0x00000000070A0000-0x00000000070B1000-memory.dmp

memory/996-80-0x0000000005950000-0x00000000059A0000-memory.dmp

memory/1936-81-0x00000000071A0000-0x00000000071AE000-memory.dmp

memory/1880-82-0x00000000070E0000-0x00000000070F4000-memory.dmp

memory/1936-83-0x00000000072B0000-0x00000000072CA000-memory.dmp

memory/1880-84-0x00000000071C0000-0x00000000071C8000-memory.dmp

memory/1936-87-0x0000000074FC0000-0x0000000075770000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6bc4b32e0d86ce4eb20497eac36ac7bf
SHA1 d36b8b5ebc1f942a4640af9c8b83f7138235b927
SHA256 743085b7d80fb50d74fe754f0e627562024c0a5513da5f8834803f6804968d53
SHA512 36d2c018bd09bbf24609f1216e21e6b3eb88c904439fe33190b071e7d88283c0c40134156b4d9091deac28fba92e22561508d6b121de3e82aa69340808802b95

memory/1880-91-0x0000000074FC0000-0x0000000075770000-memory.dmp