Malware Analysis Report

2024-10-19 07:37

Sample ID 210925-hxnp7aafbj
Target d761f42a4df1938b43282d88e12c741a.exe
SHA256 515fbf67c103e796658acaf24ae3762943a56ebf14337ab46bf9e140f61da0f4
Tags
xpertrat test evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

515fbf67c103e796658acaf24ae3762943a56ebf14337ab46bf9e140f61da0f4

Threat Level: Known bad

The file d761f42a4df1938b43282d88e12c741a.exe was found to be: Known bad.

Malicious Activity Summary

xpertrat test evasion persistence rat trojan

Windows security bypass

UAC bypass

XpertRAT Core Payload

XpertRAT

Adds policy Run key to start application

Windows security modification

Deletes itself

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-25 07:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-25 07:07

Reported

2021-09-25 07:09

Platform

win7-en-20210920

Max time kernel

139s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"

Signatures

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Key created
Indicator \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
Process C:\Program Files (x86)\Internet Explorer\iexplore.exe
Target N/A

Description Set value (str)
Indicator \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"
Process C:\Program Files (x86)\Internet Explorer\iexplore.exe
Target N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Windows security modification

evasion trojan
Description Set value (int)
Indicator \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"
Process C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
Target N/A

Adds Run key to start application

persistence
Description Key created
Indicator \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Process C:\Program Files (x86)\Internet Explorer\iexplore.exe
Target N/A

Description Set value (str)
Indicator \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"
Process C:\Program Files (x86)\Internet Explorer\iexplore.exe
Target N/A

Description Key created
Indicator \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Process C:\Program Files (x86)\Internet Explorer\iexplore.exe
Target N/A

Description Set value (str)
Indicator \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"
Process C:\Program Files (x86)\Internet Explorer\iexplore.exe
Target N/A

Checks whether UAC is enabled

evasion trojan
Description Set value (int)
Indicator \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
Target N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 888 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1540 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System policy modification

evasion
Description Set value (int)
Indicator \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Process C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 store2.gofile.io udp
FR 31.14.69.10:443 store2.gofile.io tcp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp

Files

memory/1540-53-0x0000000001380000-0x0000000001381000-memory.dmp

memory/1540-55-0x0000000075A71000-0x0000000075A73000-memory.dmp

memory/1784-56-0x0000000000000000-mapping.dmp

memory/1784-58-0x0000000002320000-0x0000000002F6A000-memory.dmp

memory/1784-59-0x0000000002320000-0x0000000002F6A000-memory.dmp

memory/1784-60-0x0000000002320000-0x0000000002F6A000-memory.dmp

memory/1884-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/1884-64-0x00000000023E0000-0x000000000302A000-memory.dmp

memory/1428-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1820-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/1820-72-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/1820-73-0x00000000022E1000-0x00000000022E2000-memory.dmp

memory/1820-74-0x00000000022E2000-0x00000000022E4000-memory.dmp

memory/1324-75-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/564-79-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/564-83-0x0000000001CA1000-0x0000000001CA2000-memory.dmp

memory/564-82-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

memory/564-84-0x0000000001CA2000-0x0000000001CA4000-memory.dmp

memory/1612-85-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/1148-88-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/1148-92-0x0000000002600000-0x000000000324A000-memory.dmp

memory/1148-93-0x0000000002600000-0x000000000324A000-memory.dmp

memory/268-94-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/624-97-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1952-101-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/1548-104-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1312-108-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/1604-111-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1604-117-0x0000000002332000-0x0000000002334000-memory.dmp

memory/1604-116-0x0000000002331000-0x0000000002332000-memory.dmp

memory/1604-115-0x0000000002330000-0x0000000002331000-memory.dmp

memory/888-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/1880-121-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1676-125-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/1676-129-0x0000000001E81000-0x0000000001E82000-memory.dmp

memory/1676-128-0x0000000001E80000-0x0000000001E81000-memory.dmp

memory/1676-130-0x0000000001E82000-0x0000000001E84000-memory.dmp

memory/1072-131-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/1072-136-0x0000000002411000-0x0000000002412000-memory.dmp

memory/1072-135-0x0000000002410000-0x0000000002411000-memory.dmp

memory/1072-137-0x0000000002412000-0x0000000002414000-memory.dmp

memory/1608-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

memory/1608-142-0x00000000023A1000-0x00000000023A2000-memory.dmp

memory/1608-141-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/1608-143-0x00000000023A2000-0x00000000023A4000-memory.dmp

memory/948-144-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 03b059770f5b8e08d17b9eae02a54a2f
SHA1 954219ef262cc781e8de5407f0591721ebc92719
SHA256 13b755a1302a790b67cd152d83873568cd64da99b2da6bba9a5d97ae00637475
SHA512 ae2b9e214c088a299df372e548ba67f7ccfbd97d0b22ff8ff8fe8da2bf0e73697bd831cc05f5ee08390e31ef6ba3c266526d4d466328d9d41660ee26df462b0f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1540-148-0x0000000005A80000-0x0000000005A81000-memory.dmp

memory/1540-149-0x0000000000F20000-0x0000000000F66000-memory.dmp

memory/1540-150-0x0000000001340000-0x0000000001370000-memory.dmp

memory/1652-152-0x00000000004010B8-mapping.dmp

memory/1652-151-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1508-156-0x0000000000401364-mapping.dmp

memory/2028-157-0x0000000000400000-0x0000000000443000-memory.dmp

memory/2028-158-0x0000000000401364-mapping.dmp

memory/2028-159-0x0000000000600000-0x0000000000753000-memory.dmp

memory/1936-162-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-25 07:07

Reported

2021-09-25 07:09

Platform

win10-en-20210920

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3556 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

Network

Country Destination Domain Proto
NL 104.80.224.57:443 tcp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp

Files

memory/3556-115-0x0000000000500000-0x0000000000501000-memory.dmp

memory/4164-117-0x0000000000000000-mapping.dmp

memory/4164-120-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

memory/4164-121-0x0000000007B90000-0x0000000007B91000-memory.dmp

memory/4164-122-0x0000000007A50000-0x0000000007A51000-memory.dmp

memory/4164-123-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

memory/4164-124-0x0000000008410000-0x0000000008411000-memory.dmp

memory/4164-125-0x0000000008480000-0x0000000008481000-memory.dmp

memory/4164-126-0x0000000007550000-0x0000000007551000-memory.dmp

memory/4164-127-0x0000000007552000-0x0000000007553000-memory.dmp

memory/4164-128-0x0000000008210000-0x0000000008211000-memory.dmp

memory/4164-129-0x0000000008BC0000-0x0000000008BC1000-memory.dmp

memory/4164-130-0x0000000008AE0000-0x0000000008AE1000-memory.dmp

memory/4164-138-0x00000000098B0000-0x00000000098E3000-memory.dmp

memory/4164-145-0x0000000009890000-0x0000000009891000-memory.dmp

memory/4164-150-0x0000000009C20000-0x0000000009C21000-memory.dmp

memory/4164-151-0x0000000009DD0000-0x0000000009DD1000-memory.dmp

memory/4164-220-0x000000007EBF0000-0x000000007EBF1000-memory.dmp

memory/4164-221-0x0000000007553000-0x0000000007554000-memory.dmp

memory/4164-380-0x000000000B580000-0x000000000B581000-memory.dmp

memory/4164-381-0x000000000AF00000-0x000000000AF01000-memory.dmp

memory/4164-392-0x0000000009840000-0x0000000009841000-memory.dmp

memory/4164-468-0x000000000B1C0000-0x000000000B1C1000-memory.dmp

memory/4164-551-0x000000000B1F0000-0x000000000B1F1000-memory.dmp

memory/4164-569-0x000000000B1B0000-0x000000000B1B1000-memory.dmp

memory/4164-612-0x0000000007556000-0x0000000007558000-memory.dmp

memory/1588-676-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1712dab0a1bf4e9e3ff666b9c431550d
SHA1 34d1dec8fa95f62c72cb3f92a22c13ad9eece10f
SHA256 7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97
SHA512 6ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ff93134890bde08128013c82d129d474
SHA1 ce01da8bec31b430ab8ea6a88758c4396c30dba0
SHA256 a92c48f0454e6d6516e66497d74620865553d393a7b125e0c4c137f55665cc49
SHA512 00d800357e12756b7481adb33a682d8aaafcc2fe1505d31e83c22f3ddbeb878ee02a3f69b85f728655c4cf605c60a3a3c49ee5f0317b7789f78d80a8131ee300

memory/1588-689-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

memory/1588-690-0x0000000006AB2000-0x0000000006AB3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 1c33ff599b382b705675229c91fc2f99
SHA1 c20086746c14c5d57be9a3df47bd75fa77abe7e0
SHA256 d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a
SHA512 5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

memory/1588-750-0x0000000006AB3000-0x0000000006AB4000-memory.dmp

memory/1588-753-0x0000000006AB4000-0x0000000006AB6000-memory.dmp

memory/1588-1049-0x0000000006AB6000-0x0000000006AB7000-memory.dmp

memory/3400-1153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28fd92ee77dca337d61b47cbd757d60c
SHA1 be5f44612ddab3ca36fa31fe2b065886f509f31b
SHA256 56b08d2c7ea27f95f2c5379eff3c1dad7feed6174a0a2be4fb6f5f1cba02177d
SHA512 df49842f9d545413fda96e3355966e1c64bc10d5031e41402725f121ba9474c1250ac0c839239dec3fd52126ad0eee230a2b2056710ea380a4d076474e429767

memory/3400-1165-0x0000000004E90000-0x0000000004E91000-memory.dmp

memory/3400-1166-0x0000000004E92000-0x0000000004E93000-memory.dmp

memory/3400-1185-0x0000000004E93000-0x0000000004E94000-memory.dmp

memory/3400-1187-0x0000000004E94000-0x0000000004E96000-memory.dmp

memory/3400-1530-0x0000000004E96000-0x0000000004E97000-memory.dmp

memory/4308-1628-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d72777286401dbed67fd1c2703fac947
SHA1 d1c600a1dd8b349e2404d4dad0a0002f3e442ebb
SHA256 4e2b0b4f436144965973c054ea207db8cb4f42d42ff6bce1fc7d0bf49b8fcad3
SHA512 f95fddb6273bfa8b8f5fc8484cea4c20109277f2c52d92d0c5917a6a863208d5c570c640aaeff0b316eef145ebff5e8c94bd4621c01ea484d4e6c624b6e8d01c

memory/4308-1641-0x0000000007060000-0x0000000007061000-memory.dmp

memory/4308-1642-0x0000000007062000-0x0000000007063000-memory.dmp

memory/4308-1718-0x0000000007064000-0x0000000007066000-memory.dmp

memory/4308-1717-0x0000000007063000-0x0000000007064000-memory.dmp

memory/4308-2039-0x0000000007066000-0x0000000007067000-memory.dmp

memory/2724-2103-0x0000000000000000-mapping.dmp

memory/2724-2112-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

memory/2724-2113-0x0000000004AD2000-0x0000000004AD3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 752eecff888403570489a78d8680750f
SHA1 3ad9a67522bd87de3b0fa2d2c767594c11a91635
SHA256 278c708a48e2b12e3b04ed1e20f4cfeaeafd6d68150fd7bd1692eb8283bf9314
SHA512 d9245b4127d5f7f3b6e2cb9335ae33dc30bb77bb8d4b5c804a303a137c7bc04eda9a39adcc2765d233eee570e42f6b031073346f654b3fc32c82879ef22dfdce

memory/2724-2123-0x0000000004AD3000-0x0000000004AD4000-memory.dmp

memory/2724-2124-0x0000000004AD4000-0x0000000004AD6000-memory.dmp

memory/2724-2463-0x0000000004AD6000-0x0000000004AD7000-memory.dmp

memory/5080-2578-0x0000000000000000-mapping.dmp

memory/3924-2579-0x0000000000000000-mapping.dmp

memory/3924-2588-0x00000000072A0000-0x00000000072A1000-memory.dmp

memory/3924-2589-0x00000000072A2000-0x00000000072A3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f4f819c7e7c31107adc4cb7379c0060c
SHA1 7d831a76ea481122047049f0c7625ce6124ae4f3
SHA256 dfd9a2f1807b9e766c2bc8758a4d331fe6a6a1a38ae6e929b2a4dd3611fdb5d8
SHA512 7e85a95c4a5fef2c2e5afbc871e16d5f3432488ce26acd766c07f413207eb7fdd0897069cf3ec036b272013074193eb76818681794e08f93883cf0dbb86474ac

memory/3924-2596-0x00000000072A3000-0x00000000072A4000-memory.dmp

memory/3924-2598-0x00000000072A4000-0x00000000072A6000-memory.dmp

memory/3924-2990-0x00000000072A6000-0x00000000072A7000-memory.dmp

memory/1380-3054-0x0000000000000000-mapping.dmp

memory/1380-3062-0x00000000066B0000-0x00000000066B1000-memory.dmp

memory/1380-3063-0x00000000066B2000-0x00000000066B3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 daa605ec5e31c5516917527c513b4076
SHA1 ec15b4043775afd611aca17e7979b9b9a4d7b276
SHA256 93dbf87ca1ec9483e929250228f7ddd3a299cff22ab68940dd97cebd17966d6c
SHA512 8fa456db2fc695f40fb3c7f9d69ed87d71b5aa2690c806fde353641d4fb7678dccad45063aca3f9e07477f526d536295b24fd447afde76c934a7a856dd339c32

memory/1380-3074-0x00000000066B3000-0x00000000066B4000-memory.dmp

memory/1380-3075-0x00000000066B4000-0x00000000066B6000-memory.dmp

memory/1380-3465-0x00000000066B6000-0x00000000066B7000-memory.dmp

memory/4592-3529-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dadfadaf1dd2aede6f0f1c56a4f16ceb
SHA1 b0e918bd8c36655a0f9b3455ef6015b72d8e4e1a
SHA256 c164717e238058227f0423aaef4f55979a6634889e7e30f522c01cbc30352cda
SHA512 75895927b6eab70e774c06febf453ab106c2277f27c4e6bff7ff5a82a9cb73465d0d1a844de789d5776b30fd641a23cff111ec65305a03bb83018afb6adba53d

memory/4592-3541-0x0000000006E30000-0x0000000006E31000-memory.dmp

memory/4592-3542-0x0000000006E32000-0x0000000006E33000-memory.dmp

memory/4592-3601-0x0000000006E33000-0x0000000006E34000-memory.dmp

memory/4592-3603-0x0000000006E34000-0x0000000006E36000-memory.dmp

memory/4592-3928-0x0000000006E36000-0x0000000006E37000-memory.dmp

memory/4560-4004-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c9889b2e49b62ef4a8f7b16c530943de
SHA1 f780ca625ef74b2370f2026d61d2af14d51e1eaf
SHA256 f57c9632e9aed5eec41588485d88e840b7096e2b4631fe137cf44ced5f20a325
SHA512 438fcfd63e072476bec8683e883446421145e3d5277f1518fd4269177cab13f0e779fcf065ac1613943abf4c7ffda2f5cd9520f0070fa70e5cf7b0e21bd7a2d3

memory/4560-4018-0x0000000006E72000-0x0000000006E73000-memory.dmp

memory/4560-4016-0x0000000006E70000-0x0000000006E71000-memory.dmp

memory/4560-4102-0x0000000006E73000-0x0000000006E74000-memory.dmp

memory/4560-4103-0x0000000006E74000-0x0000000006E76000-memory.dmp

memory/4560-4415-0x0000000006E76000-0x0000000006E77000-memory.dmp

memory/584-4479-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bdd4e84c0bb9a2688c3e2275e26809fa
SHA1 3db02d673b2deede4f423860e80204a8e2f4e102
SHA256 1692398e8865cb745eb192cb47120f03e48a76777dfe8e40497adf1c29508fc7
SHA512 3449a4866cb9b6aaae818c2c328ca3f53e6f2f4f3e58911e4829770bfef025fd22fa54df6ee8b0e98f5f7248295351f40f785c1703bd4a660b9ab6da58d591b6

memory/584-4491-0x00000000068D0000-0x00000000068D1000-memory.dmp

memory/584-4492-0x00000000068D2000-0x00000000068D3000-memory.dmp

memory/584-4551-0x00000000068D3000-0x00000000068D4000-memory.dmp

memory/584-4554-0x00000000068D4000-0x00000000068D6000-memory.dmp

memory/584-4839-0x00000000068D6000-0x00000000068D7000-memory.dmp

memory/4992-4954-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 49ed0b6cb1a815dfdc6d45188255e990
SHA1 572c5e403980fc8633919bc9eb61c588f9bd23cd
SHA256 3e99f3824de5fd3bc17a00c436cf68add647f23124370c1ba16492173e1a3a4f
SHA512 665d726d36fd654ac239210f4f19fe93af7a56b8a64a897d5f9ef6537866f3b45f79bd90bfd6be361f9b448ce279f978475e3812a09e21ecb9b8c5259a0d6e82

memory/4992-4967-0x0000000007240000-0x0000000007241000-memory.dmp

memory/4992-4968-0x0000000007242000-0x0000000007243000-memory.dmp

memory/4992-5084-0x0000000007243000-0x0000000007244000-memory.dmp

memory/4992-5086-0x0000000007244000-0x0000000007246000-memory.dmp

memory/4992-5365-0x0000000007246000-0x0000000007247000-memory.dmp

memory/1136-5429-0x0000000000000000-mapping.dmp

memory/1136-5435-0x0000000006930000-0x0000000006931000-memory.dmp

memory/1136-5436-0x0000000006932000-0x0000000006933000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1eaf67adaf75ad4500008cc2ccba0a75
SHA1 1e7399b592820f8c10b31cb6559c1a32ebdb4653
SHA256 5c576893514dc9a1d072bef3f91dd12bcfd0ec55678833a5fd90570bd652136e
SHA512 c92183dbf6f127c5d3332a5c52b73a12213a6d9fbdc334ffc4244b2042eef94f6bf1ff95dcb4033bf11db0e1dbdb477980871d5af230497537302c03f2f4f05c

memory/1136-5599-0x0000000006933000-0x0000000006934000-memory.dmp

memory/1136-5600-0x0000000006934000-0x0000000006936000-memory.dmp

memory/1136-5840-0x0000000006936000-0x0000000006937000-memory.dmp

memory/4600-5904-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 430bb2adc8a192a7ca428ca035126130
SHA1 54e5d51d2780971a33e79fc5716ad09e2f88755e
SHA256 0e14b878918b8c9a2abf383622adc7633baac1cc7330702611c6625ba98141b7
SHA512 8ab53297a7c24817f9f0102ba7a70f02807206b051ce7ac507c5ea3c52f7ed7139072d44d056484268c6e0bb5ac3c45ae358688c80bb3b2809e5efb54dba8b3a

memory/4600-5917-0x0000000004650000-0x0000000004651000-memory.dmp

memory/4600-5918-0x0000000004652000-0x0000000004653000-memory.dmp

memory/4600-5976-0x0000000004653000-0x0000000004654000-memory.dmp

memory/4600-5978-0x0000000004654000-0x0000000004656000-memory.dmp