Analysis Overview
SHA256
515fbf67c103e796658acaf24ae3762943a56ebf14337ab46bf9e140f61da0f4
Threat Level: Known bad
The file d761f42a4df1938b43282d88e12c741a.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
UAC bypass
XpertRAT Core Payload
XpertRAT
Adds policy Run key to start application
Windows security modification
Deletes itself
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
System policy modification
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-25 07:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-25 07:07
Reported
2021-09-25 07:09
Platform
win7-en-20210920
Max time kernel
139s
Max time network
133s
Command Line
Signatures
UAC bypass
Windows security bypass
XpertRAT
XpertRAT Core Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1540 set thread context of 1652 | N/A | C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe | C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe |
| PID 1652 set thread context of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| PID 1652 set thread context of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
C:\Windows\SysWOW64\notepad.exe
notepad.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | store2.gofile.io | udp |
| FR | 31.14.69.10:443 | store2.gofile.io | tcp |
| US | 8.8.8.8:53 | kapasky-antivirus.firewall-gateway.net | udp |
| FR | 146.59.132.186:4000 | kapasky-antivirus.firewall-gateway.net | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-25 07:07
Reported
2021-09-25 07:09
Platform
win10-en-20210920
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe
"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection
Network
| Country | Destination | Domain | Proto |
| NL | 104.80.224.57:443 | | tcp |
| US | 8.8.8.8:53 | internetbeacon.msedge.net | udp |
Files
memory/2724-2123-0x0000000004AD3000-0x0000000004AD4000-memory.dmp
memory/2724-2124-0x0000000004AD4000-0x0000000004AD6000-memory.dmp
memory/2724-2463-0x0000000004AD6000-0x0000000004AD7000-memory.dmp
memory/5080-2578-0x0000000000000000-mapping.dmp
memory/3924-2579-0x0000000000000000-mapping.dmp
memory/3924-2588-0x00000000072A0000-0x00000000072A1000-memory.dmp
memory/3924-2589-0x00000000072A2000-0x00000000072A3000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f4f819c7e7c31107adc4cb7379c0060c |
| SHA1 | 7d831a76ea481122047049f0c7625ce6124ae4f3 |
| SHA256 | dfd9a2f1807b9e766c2bc8758a4d331fe6a6a1a38ae6e929b2a4dd3611fdb5d8 |
| SHA512 | 7e85a95c4a5fef2c2e5afbc871e16d5f3432488ce26acd766c07f413207eb7fdd0897069cf3ec036b272013074193eb76818681794e08f93883cf0dbb86474ac |
memory/3924-2596-0x00000000072A3000-0x00000000072A4000-memory.dmp
memory/3924-2598-0x00000000072A4000-0x00000000072A6000-memory.dmp
memory/3924-2990-0x00000000072A6000-0x00000000072A7000-memory.dmp
memory/1380-3054-0x0000000000000000-mapping.dmp
memory/1380-3062-0x00000000066B0000-0x00000000066B1000-memory.dmp
memory/1380-3063-0x00000000066B2000-0x00000000066B3000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | daa605ec5e31c5516917527c513b4076 |
| SHA1 | ec15b4043775afd611aca17e7979b9b9a4d7b276 |
| SHA256 | 93dbf87ca1ec9483e929250228f7ddd3a299cff22ab68940dd97cebd17966d6c |
| SHA512 | 8fa456db2fc695f40fb3c7f9d69ed87d71b5aa2690c806fde353641d4fb7678dccad45063aca3f9e07477f526d536295b24fd447afde76c934a7a856dd339c32 |
memory/1380-3074-0x00000000066B3000-0x00000000066B4000-memory.dmp
memory/1380-3075-0x00000000066B4000-0x00000000066B6000-memory.dmp
memory/1380-3465-0x00000000066B6000-0x00000000066B7000-memory.dmp
memory/4592-3529-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dadfadaf1dd2aede6f0f1c56a4f16ceb |
| SHA1 | b0e918bd8c36655a0f9b3455ef6015b72d8e4e1a |
| SHA256 | c164717e238058227f0423aaef4f55979a6634889e7e30f522c01cbc30352cda |
| SHA512 | 75895927b6eab70e774c06febf453ab106c2277f27c4e6bff7ff5a82a9cb73465d0d1a844de789d5776b30fd641a23cff111ec65305a03bb83018afb6adba53d |
memory/4592-3541-0x0000000006E30000-0x0000000006E31000-memory.dmp
memory/4592-3542-0x0000000006E32000-0x0000000006E33000-memory.dmp
memory/4592-3601-0x0000000006E33000-0x0000000006E34000-memory.dmp
memory/4592-3603-0x0000000006E34000-0x0000000006E36000-memory.dmp
memory/4592-3928-0x0000000006E36000-0x0000000006E37000-memory.dmp
memory/4560-4004-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c9889b2e49b62ef4a8f7b16c530943de |
| SHA1 | f780ca625ef74b2370f2026d61d2af14d51e1eaf |
| SHA256 | f57c9632e9aed5eec41588485d88e840b7096e2b4631fe137cf44ced5f20a325 |
| SHA512 | 438fcfd63e072476bec8683e883446421145e3d5277f1518fd4269177cab13f0e779fcf065ac1613943abf4c7ffda2f5cd9520f0070fa70e5cf7b0e21bd7a2d3 |
memory/4560-4018-0x0000000006E72000-0x0000000006E73000-memory.dmp
memory/4560-4016-0x0000000006E70000-0x0000000006E71000-memory.dmp
memory/4560-4102-0x0000000006E73000-0x0000000006E74000-memory.dmp
memory/4560-4103-0x0000000006E74000-0x0000000006E76000-memory.dmp
memory/4560-4415-0x0000000006E76000-0x0000000006E77000-memory.dmp
memory/584-4479-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bdd4e84c0bb9a2688c3e2275e26809fa |
| SHA1 | 3db02d673b2deede4f423860e80204a8e2f4e102 |
| SHA256 | 1692398e8865cb745eb192cb47120f03e48a76777dfe8e40497adf1c29508fc7 |
| SHA512 | 3449a4866cb9b6aaae818c2c328ca3f53e6f2f4f3e58911e4829770bfef025fd22fa54df6ee8b0e98f5f7248295351f40f785c1703bd4a660b9ab6da58d591b6 |
memory/584-4491-0x00000000068D0000-0x00000000068D1000-memory.dmp
memory/584-4492-0x00000000068D2000-0x00000000068D3000-memory.dmp
memory/584-4551-0x00000000068D3000-0x00000000068D4000-memory.dmp
memory/584-4554-0x00000000068D4000-0x00000000068D6000-memory.dmp
memory/584-4839-0x00000000068D6000-0x00000000068D7000-memory.dmp
memory/4992-4954-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 49ed0b6cb1a815dfdc6d45188255e990 |
| SHA1 | 572c5e403980fc8633919bc9eb61c588f9bd23cd |
| SHA256 | 3e99f3824de5fd3bc17a00c436cf68add647f23124370c1ba16492173e1a3a4f |
| SHA512 | 665d726d36fd654ac239210f4f19fe93af7a56b8a64a897d5f9ef6537866f3b45f79bd90bfd6be361f9b448ce279f978475e3812a09e21ecb9b8c5259a0d6e82 |
memory/4992-4967-0x0000000007240000-0x0000000007241000-memory.dmp
memory/4992-4968-0x0000000007242000-0x0000000007243000-memory.dmp
memory/4992-5084-0x0000000007243000-0x0000000007244000-memory.dmp
memory/4992-5086-0x0000000007244000-0x0000000007246000-memory.dmp
memory/4992-5365-0x0000000007246000-0x0000000007247000-memory.dmp
memory/1136-5429-0x0000000000000000-mapping.dmp
memory/1136-5435-0x0000000006930000-0x0000000006931000-memory.dmp
memory/1136-5436-0x0000000006932000-0x0000000006933000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1eaf67adaf75ad4500008cc2ccba0a75 |
| SHA1 | 1e7399b592820f8c10b31cb6559c1a32ebdb4653 |
| SHA256 | 5c576893514dc9a1d072bef3f91dd12bcfd0ec55678833a5fd90570bd652136e |
| SHA512 | c92183dbf6f127c5d3332a5c52b73a12213a6d9fbdc334ffc4244b2042eef94f6bf1ff95dcb4033bf11db0e1dbdb477980871d5af230497537302c03f2f4f05c |
memory/1136-5599-0x0000000006933000-0x0000000006934000-memory.dmp
memory/1136-5600-0x0000000006934000-0x0000000006936000-memory.dmp
memory/1136-5840-0x0000000006936000-0x0000000006937000-memory.dmp
memory/4600-5904-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 430bb2adc8a192a7ca428ca035126130 |
| SHA1 | 54e5d51d2780971a33e79fc5716ad09e2f88755e |
| SHA256 | 0e14b878918b8c9a2abf383622adc7633baac1cc7330702611c6625ba98141b7 |
| SHA512 | 8ab53297a7c24817f9f0102ba7a70f02807206b051ce7ac507c5ea3c52f7ed7139072d44d056484268c6e0bb5ac3c45ae358688c80bb3b2809e5efb54dba8b3a |
memory/4600-5917-0x0000000004650000-0x0000000004651000-memory.dmp
memory/4600-5918-0x0000000004652000-0x0000000004653000-memory.dmp
memory/4600-5976-0x0000000004653000-0x0000000004654000-memory.dmp
memory/4600-5978-0x0000000004654000-0x0000000004656000-memory.dmp
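The listing above mixes two record types: memory region dumps named `memory/<pid>-<seq>-<start>-<end>-memory.dmp` (with a `-mapping.dmp` entry the first time a pid appears) and dropped-file paths followed by their hash rows. The following parser is an added example, not code from the report or from the sandbox that produced it. It turns such a listing into structured records and summarises per-pid dump volume and, per dropped path, how many distinct contents were observed (the repeated `StartupProfileData-NonInteractive` entries above each carry different hashes, i.e. the file was rewritten by successive PowerShell launches). The sample input is a constructed subset copied from the lines above; attributing each dropped file to the pid of the nearest preceding dump line is an assumption about the listing order, not something the report states.

```python
"""Parse a sandbox artifact listing (memory dump names and dropped-file hash rows)
into structured records.  Added example; not part of the original report."""
import re
from collections import defaultdict

# Region dumps look like memory/<pid>-<seq>-<start>-<end>-memory.dmp; the first
# entry for a pid is memory/<pid>-<seq>-0x0-mapping.dmp.
RE_MEMORY = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
RE_MAPPING = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")
RE_HASH = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
RE_PATH = re.compile(r"^[A-Za-z]:\\")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: a subset of lines copied from the listing above.
SAMPLE = r"""
memory/1588-676-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1712dab0a1bf4e9e3ff666b9c431550d |
| SHA1 | 34d1dec8fa95f62c72cb3f92a22c13ad9eece10f |
| SHA256 | 7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ff93134890bde08128013c82d129d474 |
| SHA1 | ce01da8bec31b430ab8ea6a88758c4396c30dba0 |
| SHA256 | a92c48f0454e6d6516e66497d74620865553d393a7b125e0c4c137f55665cc49 |
memory/1588-689-0x0000000006AB0000-0x0000000006AB1000-memory.dmp
memory/1588-690-0x0000000006AB2000-0x0000000006AB3000-memory.dmp
memory/3400-1153-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 28fd92ee77dca337d61b47cbd757d60c |
| SHA1 | be5f44612ddab3ca36fa31fe2b065886f509f31b |
| SHA256 | 56b08d2c7ea27f95f2c5379eff3c1dad7feed6174a0a2be4fb6f5f1cba02177d |
memory/3400-1165-0x0000000004E90000-0x0000000004E91000-memory.dmp
"""


def parse_listing(text):
    """Return (regions, files).  Each dropped file is attributed to the pid of the
    nearest preceding dump line; that is an assumption about listing order."""
    regions, files = [], []
    current_pid, current_file = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_MAPPING.match(line)
        if m:
            current_pid = int(m.group(1))
            regions.append({"pid": current_pid, "seq": int(m.group(2)), "kind": "mapping",
                            "start": int(m.group(3), 16), "end": None, "size": 0})
            current_file = None
            continue
        m = RE_MEMORY.match(line)
        if m:
            current_pid = int(m.group(1))
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": current_pid, "seq": int(m.group(2)), "kind": "memory",
                            "start": start, "end": end, "size": end - start})
            current_file = None
            continue
        if RE_PATH.match(line):
            current_file = {"path": line, "hashes": {}, "after_pid": current_pid, "bad_hashes": []}
            files.append(current_file)
            continue
        m = RE_HASH.match(line)
        if m and current_file is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                current_file["bad_hashes"].append(algo)  # wrong length: do not trust it
            else:
                current_file["hashes"][algo] = digest
    return regions, files


def summarize(regions, files):
    """Per-pid dump totals and, per dropped path, distinct SHA256 contents and writers."""
    pids = defaultdict(lambda: {"regions": 0, "bytes": 0})
    for r in regions:
        if r["kind"] == "memory":
            pids[r["pid"]]["regions"] += 1
            pids[r["pid"]]["bytes"] += r["size"]
    paths = defaultdict(lambda: {"sha256": set(), "writers": set()})
    for f in files:
        if "SHA256" in f["hashes"]:
            paths[f["path"]]["sha256"].add(f["hashes"]["SHA256"])
        if f["after_pid"] is not None:
            paths[f["path"]]["writers"].add(f["after_pid"])
    return {
        "pids": dict(pids),
        "files": {p: {"distinct_sha256": len(v["sha256"]), "writers": sorted(v["writers"])}
                  for p, v in paths.items()},
    }


if __name__ == "__main__":
    regs, drops = parse_listing(SAMPLE)
    for path, info in summarize(regs, drops)["files"].items():
        print(f"{path}: {info['distinct_sha256']} distinct content(s), writers {info['writers']}")
```

Run over the full listing, the `files` summary is the quick way to see that one path was rewritten many times with different contents, and `pids` gives a rough per-process footprint of what the sandbox dumped; a path with `distinct_sha256 > 1` is worth diffing before treating any single hash as the indicator.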