xpertrat | 862bf290697cfbd5cb41966b550e8b163aac94d6e07461c6e4353ea6fad62e83

Analysis

max time kernel
38s
max time network
142s
platform
windows10_x64
resource
win10v20210408
submitted
06-09-2021 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXCEL.exe
Size

911KB
MD5

eefa3dd3a36a5decba3c42072ef0798e
SHA1

a51f4f499fc618b9dc36e079258ed3c087e2bae5
SHA256

862bf290697cfbd5cb41966b550e8b163aac94d6e07461c6e4353ea6fad62e83
SHA512

6e28230749c2938279e32d4c2631ea6193f28c2a5d5cd38f4176dc8e5e70a986db866e770ff32e4eaad3233b8e336f66877e1e2c70c9ef5ec2f3912f9df7d6a2

Score

10^/10

xpertrat test evasion persistence rat trojan

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
XpertRAT
XpertRAT is a remote access trojan with various capabilities.
rat xpertrat

XpertRAT Core Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4956-716-0x0000000000401364-mapping.dmp	xpertrat

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/1276-730-0x0000000000411654-mapping.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/720-734-0x0000000000442F04-mapping.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1276-730-0x0000000000411654-mapping.dmp	Nirsoft
behavioral2/memory/720-734-0x0000000000442F04-mapping.dmp	Nirsoft
behavioral2/memory/1108-743-0x000000000040C2A8-mapping.dmp	Nirsoft

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

5036 notepad.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

EXCEL.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" EXCEL.exe

pid	process
5036	notepad.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	EXCEL.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"	iexplore.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

EXCEL.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4852 4832 WerFault.exe iexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXCEL.exe

pid	pid_target	process	target process
4852	4832	WerFault.exe	iexplore.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

EXCEL.exeEXCEL.exeiexplore.exe

description	pid	process	target process
PID 1032 set thread context of 4700	1032	EXCEL.exe	EXCEL.exe
PID 4700 set thread context of 4832	4700	EXCEL.exe	iexplore.exe
PID 4700 set thread context of 4956	4700	EXCEL.exe	iexplore.exe
PID 4956 set thread context of 2116	4956	iexplore.exe	iexplore.exe
PID 4956 set thread context of 1276	4956	iexplore.exe	iexplore.exe
PID 4956 set thread context of 720	4956	iexplore.exe	iexplore.exe
PID 4956 set thread context of 3064	4956	iexplore.exe	iexplore.exe
PID 4956 set thread context of 1108	4956	iexplore.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeEXCEL.exeEXCEL.exeiexplore.exeiexplore.exe

pid	process
3548	powershell.exe
3548	powershell.exe
424	powershell.exe
424	powershell.exe
3548	powershell.exe
424	powershell.exe
2256	powershell.exe
2256	powershell.exe
2256	powershell.exe
3788	powershell.exe
3788	powershell.exe
3788	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
4392	powershell.exe
4392	powershell.exe
4392	powershell.exe
1032	EXCEL.exe
1032	EXCEL.exe
1032	EXCEL.exe
1032	EXCEL.exe
1032	EXCEL.exe
1032	EXCEL.exe
4700	EXCEL.exe
4700	EXCEL.exe
4700	EXCEL.exe
4700	EXCEL.exe
2116	iexplore.exe
2116	iexplore.exe
720	iexplore.exe
720	iexplore.exe
4700	EXCEL.exe
4700	EXCEL.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeIncreaseQuotaPrivilege	3548	powershell.exe
Token: SeSecurityPrivilege	3548	powershell.exe
Token: SeTakeOwnershipPrivilege	3548	powershell.exe
Token: SeLoadDriverPrivilege	3548	powershell.exe
Token: SeSystemProfilePrivilege	3548	powershell.exe
Token: SeSystemtimePrivilege	3548	powershell.exe
Token: SeProfSingleProcessPrivilege	3548	powershell.exe
Token: SeIncBasePriorityPrivilege	3548	powershell.exe
Token: SeCreatePagefilePrivilege	3548	powershell.exe
Token: SeBackupPrivilege	3548	powershell.exe
Token: SeRestorePrivilege	3548	powershell.exe
Token: SeShutdownPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeSystemEnvironmentPrivilege	3548	powershell.exe
Token: SeRemoteShutdownPrivilege	3548	powershell.exe
Token: SeUndockPrivilege	3548	powershell.exe
Token: SeManageVolumePrivilege	3548	powershell.exe
Token: 33	3548	powershell.exe
Token: 34	3548	powershell.exe
Token: 35	3548	powershell.exe
Token: 36	3548	powershell.exe
Token: SeIncreaseQuotaPrivilege	424	powershell.exe
Token: SeSecurityPrivilege	424	powershell.exe
Token: SeTakeOwnershipPrivilege	424	powershell.exe
Token: SeLoadDriverPrivilege	424	powershell.exe
Token: SeSystemProfilePrivilege	424	powershell.exe
Token: SeSystemtimePrivilege	424	powershell.exe
Token: SeProfSingleProcessPrivilege	424	powershell.exe
Token: SeIncBasePriorityPrivilege	424	powershell.exe
Token: SeCreatePagefilePrivilege	424	powershell.exe
Token: SeBackupPrivilege	424	powershell.exe
Token: SeRestorePrivilege	424	powershell.exe
Token: SeShutdownPrivilege	424	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeSystemEnvironmentPrivilege	424	powershell.exe
Token: SeRemoteShutdownPrivilege	424	powershell.exe
Token: SeUndockPrivilege	424	powershell.exe
Token: SeManageVolumePrivilege	424	powershell.exe
Token: 33	424	powershell.exe
Token: 34	424	powershell.exe
Token: 35	424	powershell.exe
Token: 36	424	powershell.exe
Token: SeIncreaseQuotaPrivilege	424	powershell.exe
Token: SeSecurityPrivilege	424	powershell.exe
Token: SeTakeOwnershipPrivilege	424	powershell.exe
Token: SeLoadDriverPrivilege	424	powershell.exe
Token: SeSystemProfilePrivilege	424	powershell.exe
Token: SeSystemtimePrivilege	424	powershell.exe
Token: SeProfSingleProcessPrivilege	424	powershell.exe
Token: SeIncBasePriorityPrivilege	424	powershell.exe
Token: SeCreatePagefilePrivilege	424	powershell.exe
Token: SeBackupPrivilege	424	powershell.exe
Token: SeRestorePrivilege	424	powershell.exe
Token: SeShutdownPrivilege	424	powershell.exe
Token: SeDebugPrivilege	424	powershell.exe
Token: SeSystemEnvironmentPrivilege	424	powershell.exe
Token: SeRemoteShutdownPrivilege	424	powershell.exe
Token: SeUndockPrivilege	424	powershell.exe
Token: SeManageVolumePrivilege	424	powershell.exe
Token: 33	424	powershell.exe
Token: 34	424	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

EXCEL.exeiexplore.exe

pid process

4700 EXCEL.exe
4956 iexplore.exe

pid	process
4700	EXCEL.exe
4956	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.exeEXCEL.exeiexplore.exe

description	pid	process	target process
PID 1032 wrote to memory of 3548	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 3548	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 3548	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 424	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 424	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 424	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 2256	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 2256	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 2256	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 3788	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 3788	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 3788	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 4532	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 4532	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 4532	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 4392	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 4392	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 4392	1032	EXCEL.exe	powershell.exe
PID 1032 wrote to memory of 4692	1032	EXCEL.exe	EXCEL.exe
PID 1032 wrote to memory of 4692	1032	EXCEL.exe	EXCEL.exe
PID 1032 wrote to memory of 4692	1032	EXCEL.exe	EXCEL.exe
PID 1032 wrote to memory of 4700	1032	EXCEL.exe	EXCEL.exe
PID 1032 wrote to memory of 4700	1032	EXCEL.exe	EXCEL.exe
PID 1032 wrote to memory of 4700	1032	EXCEL.exe	EXCEL.exe
PID 1032 wrote to memory of 4700	1032	EXCEL.exe	EXCEL.exe
PID 1032 wrote to memory of 4700	1032	EXCEL.exe	EXCEL.exe
PID 1032 wrote to memory of 4700	1032	EXCEL.exe	EXCEL.exe
PID 1032 wrote to memory of 4700	1032	EXCEL.exe	EXCEL.exe
PID 4700 wrote to memory of 4832	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4832	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4832	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4832	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4832	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4832	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4832	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4832	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4956	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4956	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4956	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4956	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4956	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4956	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4956	4700	EXCEL.exe	iexplore.exe
PID 4700 wrote to memory of 4956	4700	EXCEL.exe	iexplore.exe
PID 4956 wrote to memory of 5036	4956	iexplore.exe	notepad.exe
PID 4956 wrote to memory of 5036	4956	iexplore.exe	notepad.exe
PID 4956 wrote to memory of 5036	4956	iexplore.exe	notepad.exe
PID 4956 wrote to memory of 5036	4956	iexplore.exe	notepad.exe
PID 4956 wrote to memory of 2116	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 2116	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 2116	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 2116	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 2116	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 2116	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 2116	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 2116	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 1276	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 1276	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 1276	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 1276	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 1276	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 1276	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 1276	4956	iexplore.exe	iexplore.exe
PID 4956 wrote to memory of 1276	4956	iexplore.exe	iexplore.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

EXCEL.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" EXCEL.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXCEL.exe

C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
"C:\Users\Admin\AppData\Local\Temp\EXCEL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName youtube.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:424
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName facebook.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName outlook.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName bing.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
  C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
  2⤵
  PID:4692
- C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
  C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
  2⤵
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4700
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
    3⤵
    PID:4832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 92
      4⤵
      Program crash
      PID:4852
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\EXCEL.exe
    3⤵
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      Deletes itself
      PID:5036
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ljxvzuvwv0.txt"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2116
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ljxvzuvwv1.txt"
      4⤵
      PID:1276
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ljxvzuvwv2.txt"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:720
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ljxvzuvwv3.txt"
      4⤵
      PID:3064
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ljxvzuvwv4.txt"
      4⤵
      PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
e71a0a7e48b10bde0a9c54387762f33e

SHA1
fed75947f1163b00096e24a46e67d9c21e7eeebd

SHA256
83d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de

SHA512
394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0f130357f532401c1cd5e8d38cc9708f

SHA1
0b0ae24e88affedbd139d08a03a20d49801b50f6

SHA256
056c8df36d8abd06aa9c506e0e9329708e774132862a185f250acfb95a98fa69

SHA512
f6923dc793f1776738bc642b47cdb9b2998184b9f2e1ddeac6ee373b303848b157a0336d19aa12c86a7392612196b59a2725ff6574cbbc9714597b4e6857455a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0f130357f532401c1cd5e8d38cc9708f

SHA1
0b0ae24e88affedbd139d08a03a20d49801b50f6

SHA256
056c8df36d8abd06aa9c506e0e9329708e774132862a185f250acfb95a98fa69

SHA512
f6923dc793f1776738bc642b47cdb9b2998184b9f2e1ddeac6ee373b303848b157a0336d19aa12c86a7392612196b59a2725ff6574cbbc9714597b4e6857455a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
347ac96d0592d83d91877315bd0bd301

SHA1
6724aa09388f89a727ed7f7761a4fca0368ec679

SHA256
8a8f0a40fa6b3e5efacc9bc992baf570d4b27de323148487caa77fbc468cc15d

SHA512
ab3ff601c83fec79cf1a0f0a2b2a58b48a282bf5c1baa1adda6d0df1ceaf618dc1faaf1afe990c88aea43cb8b71fcbdb28a10fba38e9ac67adf09a0043278922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
321848b0c119ff21e8c500732e9b3599

SHA1
8fcd2fbd0cbb7ea5ba2ed359e10f7027e999511b

SHA256
eb5cc7eeb3953ad2e6fb9853fad579b6573a1f5198a099be74bc31206ea639fa

SHA512
1d7e0952b5830287c5265a63f9b64c1e756b5379b32697cb13ca1aa593a2fd7bbb1a6c779a8e8e696013d63f093b4bb88f4a9f48211a178aacd21daf11891b4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
bb32447cae9c2c01ac3d10f608780106

SHA1
00d3624b8e0f6a7330215d8877a49c5b20283ae2

SHA256
36db91d7f4a871b659704f806ba1e54f1b055375cf7063d48133d0b232ef6271

SHA512
28eb69a00767f7757923788783416979d2ca0fcde9586f5d665015d9061d37ea54b8e9b22cfd917f52f037354a1b16214a0cfc9d9cbec14589080325adbda529

Download Submit
C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ljxvzuvwv2.txt

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\ljxvzuvwv4.txt

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/424-163-0x00000000088A0000-0x00000000088A1000-memory.dmp

Filesize
4KB

Download
memory/424-146-0x0000000001112000-0x0000000001113000-memory.dmp

Filesize
4KB

Download
memory/424-166-0x0000000008910000-0x0000000008911000-memory.dmp

Filesize
4KB

Download
memory/424-145-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/424-199-0x0000000001113000-0x0000000001114000-memory.dmp

Filesize
4KB

Download
memory/424-133-0x0000000000000000-mapping.dmp

Download
memory/720-734-0x0000000000442F04-mapping.dmp

Download
memory/1032-114-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1032-119-0x00000000051D0000-0x00000000056CE000-memory.dmp

Filesize
5.0MB

Download
memory/1032-118-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/1032-117-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/1032-116-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/1108-743-0x000000000040C2A8-mapping.dmp

Download
memory/1276-730-0x0000000000411654-mapping.dmp

Download
memory/2116-726-0x0000000000423BC0-mapping.dmp

Download
memory/2256-254-0x00000000073F3000-0x00000000073F4000-memory.dmp

Filesize
4KB

Download
memory/2256-152-0x0000000000000000-mapping.dmp

Download
memory/2256-173-0x00000000073F0000-0x00000000073F1000-memory.dmp

Filesize
4KB

Download
memory/2256-174-0x00000000073F2000-0x00000000073F3000-memory.dmp

Filesize
4KB

Download
memory/3064-739-0x0000000000413750-mapping.dmp

Download
memory/3548-131-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/3548-129-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/3548-120-0x0000000000000000-mapping.dmp

Download
memory/3548-123-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/3548-124-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/3548-125-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/3548-126-0x0000000000E62000-0x0000000000E63000-memory.dmp

Filesize
4KB

Download
memory/3548-127-0x0000000006B80000-0x0000000006B81000-memory.dmp

Filesize
4KB

Download
memory/3548-128-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/3548-200-0x0000000000E63000-0x0000000000E64000-memory.dmp

Filesize
4KB

Download
memory/3548-130-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/3548-132-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/3548-196-0x0000000009D60000-0x0000000009D61000-memory.dmp

Filesize
4KB

Download
memory/3548-138-0x0000000007C40000-0x0000000007C41000-memory.dmp

Filesize
4KB

Download
memory/3548-161-0x0000000008C40000-0x0000000008C41000-memory.dmp

Filesize
4KB

Download
memory/3788-182-0x0000000000000000-mapping.dmp

Download
memory/3788-201-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/3788-204-0x00000000072B2000-0x00000000072B3000-memory.dmp

Filesize
4KB

Download
memory/3788-309-0x00000000072B3000-0x00000000072B4000-memory.dmp

Filesize
4KB

Download
memory/4392-489-0x0000000006EA2000-0x0000000006EA3000-memory.dmp

Filesize
4KB

Download
memory/4392-594-0x0000000006EA3000-0x0000000006EA4000-memory.dmp

Filesize
4KB

Download
memory/4392-488-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/4392-475-0x0000000000000000-mapping.dmp

Download
memory/4532-313-0x00000000011D2000-0x00000000011D3000-memory.dmp

Filesize
4KB

Download
memory/4532-293-0x0000000000000000-mapping.dmp

Download
memory/4532-311-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/4532-397-0x00000000011D3000-0x00000000011D4000-memory.dmp

Filesize
4KB

Download
memory/4700-673-0x00000000004010B8-mapping.dmp

Download
memory/4700-696-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4832-695-0x0000000000401364-mapping.dmp

Download
memory/4956-716-0x0000000000401364-mapping.dmp

Download
memory/5036-724-0x0000000000000000-mapping.dmp

Download