Malware Analysis Report

2024-12-07 14:16

Sample ID: 241115-bkg9bazlek
Target: e493e598a17764043a1dc1600cb225aa2200db8f010473878f31934392f1d805
SHA256: e493e598a17764043a1dc1600cb225aa2200db8f010473878f31934392f1d805
Tags: agenttesla discovery execution keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: e493e598a17764043a1dc1600cb225aa2200db8f010473878f31934392f1d805

Threat Level: Known bad

The file e493e598a17764043a1dc1600cb225aa2200db8f010473878f31934392f1d805 was found to be: Known bad.

Malicious Activity Summary

agenttesla discovery execution keylogger spyware stealer trojan

Agenttesla family

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Checks computer location settings

Reads user/profile data of local email clients

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-15 01:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-15 01:12
Reported: 2024-11-15 01:14
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2096 set thread context of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2096 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2096 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2096 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2096 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2096 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2096 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2096 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2096 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2096 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2096 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2096 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2096 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2096 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe

"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DZZQqzJzq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DZZQqzJzq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp473D.tmp"

C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe

"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | zqamcx.com | udp
GB | 78.110.166.82:587 | zqamcx.com | tcp

Files

memory/2096-0-0x000000007458E000-0x000000007458F000-memory.dmp

memory/2096-1-0x0000000000A00000-0x0000000000AC4000-memory.dmp

memory/2096-2-0x0000000074580000-0x0000000074C6E000-memory.dmp

memory/2096-3-0x0000000000510000-0x0000000000522000-memory.dmp

memory/2096-4-0x0000000074580000-0x0000000074C6E000-memory.dmp

memory/2096-5-0x0000000005DA0000-0x0000000005E28000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 a08a7174b6be4ce286d3caff6010b304
SHA1 bfe51a2818b06a9126b0870725cf3b569da02308
SHA256 14a309d35319c23d24ad191e9b479ec7b4f7c1065f2d4633bebed84d4835612a
SHA512 2a3ece418472e957de15ce9370637b94b3af6960ff89eca0df46f69f5bbbb808f4a67e4da7d735f37b6e7dc96e34134e521da57c3b42283ef3846b566800e4d2

C:\Users\Admin\AppData\Local\Temp\tmp473D.tmp

MD5 8a0aef5fc0a384393e3f00e71454a907
SHA1 b925f161f9964b7c85d4e8951031a60e4c024df9
SHA256 c0b3009dbb03693fb0e24a09fbe20ee7ec76f5960175b39ba1389035ee27aaf2
SHA512 0db7f7d5c5e6511e35613e29270e9e007b9c5c9fac431eb9290519aa8bf6e00241b2c57214f470a4b0a5655d3f772587518c7eaf7b4ed2ed9c0b12c95cbe0446

memory/2652-18-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2652-29-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2652-28-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2652-27-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2652-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2652-24-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2652-22-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2652-20-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2096-30-0x0000000074580000-0x0000000074C6E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-15 01:12
Reported: 2024-11-15 01:14
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2156 set thread context of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2156 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 4388 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2156 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2156 wrote to memory of 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2156 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2156 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2156 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2156 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2156 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2156 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2156 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2156 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2156 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2156 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
PID 2156 wrote to memory of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe

Processes

C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe

"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DZZQqzJzq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DZZQqzJzq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF339.tmp"

C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe

"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"

C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe

"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | zqamcx.com | udp
GB | 78.110.166.82:587 | zqamcx.com | tcp
US | 8.8.8.8:53 | 82.166.110.78.in-addr.arpa | udp
GB | 78.110.166.82:587 | zqamcx.com | tcp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/2156-0-0x000000007445E000-0x000000007445F000-memory.dmp

memory/2156-1-0x0000000000790000-0x0000000000854000-memory.dmp

memory/2156-2-0x0000000005650000-0x0000000005BF4000-memory.dmp

memory/2156-3-0x0000000005140000-0x00000000051D2000-memory.dmp

memory/2156-4-0x0000000005280000-0x000000000531C000-memory.dmp

memory/2156-5-0x0000000005120000-0x000000000512A000-memory.dmp

memory/2156-6-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/2156-7-0x0000000005430000-0x0000000005442000-memory.dmp

memory/2156-8-0x000000007445E000-0x000000007445F000-memory.dmp

memory/2156-9-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/2156-10-0x00000000084D0000-0x0000000008558000-memory.dmp

memory/1940-15-0x0000000005340000-0x0000000005376000-memory.dmp

memory/1940-16-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/1940-17-0x0000000005B50000-0x0000000006178000-memory.dmp

memory/1940-18-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/4388-19-0x0000000074450000-0x0000000074C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF339.tmp

MD5 2c878c6763cdac2da5471fc7889dbde4
SHA1 5412132d10241e73f8985be6b74b21fe8caa78da
SHA256 04e27a2ff43b767781316d77568345ea0836562034376278f19d862a5ffc8203
SHA512 579d39db3143c4ea17a2447bfd992e110091592f8faec32bd0082a9bb85e5b44c7730a2391082857abdda6b7d47a3a0c1627a82b511b257c0f81686faf40fce6

memory/1940-23-0x00000000061F0000-0x0000000006256000-memory.dmp

memory/1940-22-0x0000000005A60000-0x0000000005AC6000-memory.dmp

memory/1940-25-0x0000000006360000-0x00000000066B4000-memory.dmp

memory/1940-26-0x0000000074450000-0x0000000074C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tituqmtg.3ma.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4388-38-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/4852-27-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2156-39-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/4388-24-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/1940-21-0x0000000005940000-0x0000000005962000-memory.dmp

memory/4388-49-0x0000000006540000-0x000000000655E000-memory.dmp

memory/4388-50-0x00000000067C0000-0x000000000680C000-memory.dmp

memory/1940-51-0x0000000007AC0000-0x0000000007AF2000-memory.dmp

memory/4388-55-0x0000000070B20000-0x0000000070B6C000-memory.dmp

memory/1940-63-0x0000000006EB0000-0x0000000006ECE000-memory.dmp

memory/1940-52-0x0000000070B20000-0x0000000070B6C000-memory.dmp

memory/4388-73-0x0000000007540000-0x00000000075E3000-memory.dmp

memory/4388-74-0x0000000007ED0000-0x000000000854A000-memory.dmp

memory/4388-75-0x0000000007890000-0x00000000078AA000-memory.dmp

memory/4388-76-0x0000000007900000-0x000000000790A000-memory.dmp

memory/1940-77-0x0000000007EA0000-0x0000000007F36000-memory.dmp

memory/1940-78-0x0000000007E20000-0x0000000007E31000-memory.dmp

memory/1940-79-0x0000000007E50000-0x0000000007E5E000-memory.dmp

memory/4852-80-0x0000000005CF0000-0x0000000005D40000-memory.dmp

memory/1940-81-0x0000000007E60000-0x0000000007E74000-memory.dmp

memory/1940-82-0x0000000007F60000-0x0000000007F7A000-memory.dmp

memory/1940-83-0x0000000007F40000-0x0000000007F48000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 72a6c5ca118421ad17e5bc2ed5ac2860
SHA1 7588cf921d10b7b2cc4348eea37055c2c374ed84
SHA256 a97b04361972ee1a0ab4d6bc310c3cf1a90dc681aa14f02a20d9ec1eabc6906d
SHA512 6b476228e017b4aca37527a2f520087ea417db6ce8da3c7d22d9abb6d11a33b2ead72b879e8483a365c0659e681792474b2ba30eeaa067b057b10b0084c03e34

memory/1940-89-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/4388-90-0x0000000074450000-0x0000000074C00000-memory.dmp