Malware Analysis Report

2024-10-19 07:37

Sample ID 210925-jycjzsage9
Target d761f42a4df1938b43282d88e12c741a.exe
SHA256 515fbf67c103e796658acaf24ae3762943a56ebf14337ab46bf9e140f61da0f4
Tags xpertrat test evasion persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 515fbf67c103e796658acaf24ae3762943a56ebf14337ab46bf9e140f61da0f4

Threat Level: Known bad

The file d761f42a4df1938b43282d88e12c741a.exe was found to be: Known bad.

Malicious Activity Summary

xpertrat test evasion persistence rat trojan

XpertRAT

Windows security bypass

UAC bypass

XpertRAT Core Payload

Adds policy Run key to start application

Windows security modification

Deletes itself

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2021-09-25 08:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2021-09-25 08:04
Reported 2021-09-25 08:06
Platform win7-en-20210920
Max time kernel 137s
Max time network 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"

Signatures

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description Indicator Process Target
N/A N/A N/A N/A (2 identical entries)

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (20 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A (4 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (20 identical entries)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)
PID 1544 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 identical entries)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (20 identical instances)

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 store2.gofile.io udp
FR 31.14.69.10:443 store2.gofile.io tcp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp (3 identical entries)
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
FR 146.59.132.186:4000 kapasky-antivirus.firewall-gateway.net tcp (2 identical entries)

Files

memory/1544-53-0x0000000000010000-0x0000000000011000-memory.dmp

memory/1544-55-0x0000000074B91000-0x0000000074B93000-memory.dmp

memory/1268-56-0x0000000000000000-mapping.dmp

memory/1268-60-0x0000000001C82000-0x0000000001C84000-memory.dmp

memory/1268-59-0x0000000001C81000-0x0000000001C82000-memory.dmp

memory/1268-58-0x0000000001C80000-0x0000000001C81000-memory.dmp

memory/968-61-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (recorded 19 times, identical hashes)

MD5 11b9a069409c4e3866d160005ea7f23c
SHA1 1e6ee8c61175ac9a943ff5da9fa938429b0ac709
SHA256 f1a5dab5eaf5cd5373a0397dfafb55efc239b04c0a8fad5269193c184c21ba49
SHA512 60a76ef808e6cae45d6483a43047fed5b7b6b37abc9aa7848a4a7cbdf10b93de7a0f032b8db9a721aa1fafd3c5ef37639828b45471b53c1348e65a02f6e74b66

memory/968-65-0x00000000022D1000-0x00000000022D2000-memory.dmp

memory/968-64-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/968-66-0x00000000022D2000-0x00000000022D4000-memory.dmp

memory/884-67-0x0000000000000000-mapping.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/884-71-0x00000000024B0000-0x00000000030FA000-memory.dmp

memory/672-72-0x0000000000000000-mapping.dmp

memory/1928-75-0x0000000000000000-mapping.dmp

memory/1928-79-0x0000000002381000-0x0000000002382000-memory.dmp

memory/1928-78-0x0000000002380000-0x0000000002381000-memory.dmp

memory/1928-80-0x0000000002382000-0x0000000002384000-memory.dmp

memory/1824-81-0x0000000000000000-mapping.dmp

memory/1316-84-0x0000000000000000-mapping.dmp

memory/1716-87-0x0000000000000000-mapping.dmp

memory/1716-90-0x0000000002230000-0x0000000002231000-memory.dmp

memory/1716-92-0x0000000002232000-0x0000000002234000-memory.dmp

memory/1716-91-0x0000000002231000-0x0000000002232000-memory.dmp

memory/1512-93-0x0000000000000000-mapping.dmp

memory/1108-96-0x0000000000000000-mapping.dmp

memory/1516-99-0x0000000000000000-mapping.dmp

memory/1516-102-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/1516-104-0x00000000025D2000-0x00000000025D4000-memory.dmp

memory/1516-103-0x00000000025D1000-0x00000000025D2000-memory.dmp

memory/1604-105-0x0000000000000000-mapping.dmp

memory/976-108-0x0000000000000000-mapping.dmp

memory/1572-111-0x0000000000000000-mapping.dmp

memory/1572-114-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/1572-115-0x00000000023D1000-0x00000000023D2000-memory.dmp

memory/1572-116-0x00000000023D2000-0x00000000023D4000-memory.dmp

memory/752-117-0x0000000000000000-mapping.dmp

memory/720-120-0x0000000000000000-mapping.dmp

memory/720-123-0x0000000002360000-0x0000000002FAA000-memory.dmp

memory/812-124-0x0000000000000000-mapping.dmp

memory/812-128-0x00000000003C1000-0x00000000003C2000-memory.dmp

memory/812-127-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/812-129-0x00000000003C2000-0x00000000003C4000-memory.dmp

memory/1868-130-0x0000000000000000-mapping.dmp

memory/1868-133-0x0000000002660000-0x0000000002661000-memory.dmp

memory/1868-134-0x0000000002661000-0x0000000002662000-memory.dmp

memory/1868-135-0x0000000002662000-0x0000000002664000-memory.dmp

memory/1084-136-0x0000000000000000-mapping.dmp

memory/1084-140-0x0000000002191000-0x0000000002192000-memory.dmp

memory/1084-141-0x0000000002192000-0x0000000002194000-memory.dmp

memory/1084-139-0x0000000002190000-0x0000000002191000-memory.dmp

memory/1904-142-0x0000000000000000-mapping.dmp

memory/1544-145-0x0000000004410000-0x0000000004411000-memory.dmp

memory/1544-146-0x0000000002160000-0x00000000021A6000-memory.dmp

memory/1544-147-0x00000000020A0000-0x00000000020D0000-memory.dmp

memory/1540-149-0x00000000004010B8-mapping.dmp

memory/1540-148-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1696-153-0x0000000000401364-mapping.dmp

memory/1152-154-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1152-155-0x0000000000401364-mapping.dmp

memory/1152-156-0x0000000000730000-0x0000000000883000-memory.dmp

memory/1624-159-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-25 08:04

Reported

2021-09-25 08:06

Platform

win10v20210408

Max time kernel

153s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4016 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4016 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe

"C:\Users\Admin\AppData\Local\Temp\d761f42a4df1938b43282d88e12c741a.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection

Network

Country Destination Domain Proto
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp
US 8.8.8.8:53 internetbeacon.msedge.net udp

Files

memory/4016-114-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/696-116-0x0000000000000000-mapping.dmp

memory/696-119-0x0000000004540000-0x0000000004541000-memory.dmp

memory/696-120-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

memory/696-121-0x00000000044F0000-0x00000000044F1000-memory.dmp

memory/696-122-0x00000000044F2000-0x00000000044F3000-memory.dmp

memory/696-123-0x0000000006E90000-0x0000000006E91000-memory.dmp

memory/696-124-0x0000000007690000-0x0000000007691000-memory.dmp

memory/696-125-0x0000000007700000-0x0000000007701000-memory.dmp

memory/696-126-0x0000000007950000-0x0000000007951000-memory.dmp

memory/696-127-0x00000000077D0000-0x00000000077D1000-memory.dmp

memory/696-128-0x00000000080E0000-0x00000000080E1000-memory.dmp

memory/696-129-0x0000000008050000-0x0000000008051000-memory.dmp

memory/696-137-0x0000000009010000-0x0000000009043000-memory.dmp

memory/696-139-0x000000007FAC0000-0x000000007FAC1000-memory.dmp

memory/696-145-0x0000000008FF0000-0x0000000008FF1000-memory.dmp

memory/696-150-0x0000000009140000-0x0000000009141000-memory.dmp

memory/696-151-0x0000000009300000-0x0000000009301000-memory.dmp

memory/696-188-0x00000000044F3000-0x00000000044F4000-memory.dmp

memory/696-380-0x000000000AAA0000-0x000000000AAA1000-memory.dmp

memory/696-381-0x000000000A440000-0x000000000A441000-memory.dmp

memory/696-392-0x000000000A5D0000-0x000000000A5D1000-memory.dmp

memory/696-468-0x000000000A710000-0x000000000A711000-memory.dmp

memory/696-551-0x000000000A740000-0x000000000A741000-memory.dmp

memory/696-561-0x00000000044F6000-0x00000000044F8000-memory.dmp

memory/696-570-0x0000000006B90000-0x0000000006B91000-memory.dmp

memory/3788-676-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1712dab0a1bf4e9e3ff666b9c431550d
SHA1 34d1dec8fa95f62c72cb3f92a22c13ad9eece10f
SHA256 7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97
SHA512 6ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9ea0b1aa831d09c88272491c3d40ec6a
SHA1 a1ec61b60cad6ab25116487a862b7a426b835b9b
SHA256 7c8b25178f7ae826c82a32934fe6095b9db5e7dc4c76bb97b87e369797234653
SHA512 ac6aaae6ff52f338983a2c99f962db2ef72f94c7cd3a11dfc89f2f80e37eda6c6d6bad2fb5f88421ba326f76c3c26835d29787af72ad88bdc35d1cde29c3208e

memory/3788-690-0x0000000006F50000-0x0000000006F51000-memory.dmp

memory/3788-691-0x0000000006F52000-0x0000000006F53000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 1c33ff599b382b705675229c91fc2f99
SHA1 c20086746c14c5d57be9a3df47bd75fa77abe7e0
SHA256 d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a
SHA512 5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

memory/3788-721-0x0000000006F54000-0x0000000006F56000-memory.dmp

memory/3788-720-0x0000000006F53000-0x0000000006F54000-memory.dmp

memory/3788-1089-0x0000000006F56000-0x0000000006F57000-memory.dmp

memory/64-1153-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f416a4a3a175fee1f30c3469c287f2c4
SHA1 78dced75cc5bee415c229600f79e6ac33bc9c4c6
SHA256 ce7a83bbb51578918a22dcb7cb335cae2466d791b9e9a1bf9fa22b305c16431d
SHA512 c4c21195a98831ed91aaff3ff82bc3456e3b5d7c503ebacbe7ad3091b0132f6785c83dc079c3144e8ac8848d21ea55c7180d76995ef0d1e0db5e6ea4879bc139

memory/64-1166-0x0000000004CC2000-0x0000000004CC3000-memory.dmp

memory/64-1165-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

memory/64-1179-0x0000000004CC3000-0x0000000004CC4000-memory.dmp

memory/64-1181-0x0000000004CC4000-0x0000000004CC6000-memory.dmp

memory/64-1541-0x0000000004CC6000-0x0000000004CC7000-memory.dmp

memory/3100-1628-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 63e36a30a24b26971c70864e365d17ad
SHA1 a546682bbef58810ab69f5d7c168353ce036e661
SHA256 7b977fefa35dff3f6ba74426f8e289be090d6281f3ce28c302c310d08211bd15
SHA512 492f66306abe1a72ebd18120bd40423c3f307af9f48416fe6ee24b9bebbf24d4f9dc94c8e12536ba32497e4ec24c7ced93ce246c580bbca9c2811234d26db180

memory/3100-1637-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

memory/3100-1639-0x0000000004BF2000-0x0000000004BF3000-memory.dmp

memory/3100-1700-0x0000000004BF3000-0x0000000004BF4000-memory.dmp

memory/3100-1701-0x0000000004BF4000-0x0000000004BF6000-memory.dmp

memory/3100-2039-0x0000000004BF6000-0x0000000004BF7000-memory.dmp

memory/2648-2103-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 66a8ff4c5868101951396d7a89caa22d
SHA1 e52661edaa2ac490db3a9d1b3f0a35a4ae8455a1
SHA256 e2e3501596bf7002bd4403c3d29566c86dd033197e39d584b8cbb4faff4bc936
SHA512 05c1dabf1b7da97e82ab4eb12872b6136e87ef8396d4d5d3cd2fdb90fc7078f222c268c0884ffab0c645b5724091dd3a1a190e24185f03ffaedaee4d325ee9df

memory/2648-2113-0x0000000000F80000-0x0000000000F81000-memory.dmp

memory/2648-2114-0x0000000000F82000-0x0000000000F83000-memory.dmp

memory/2648-2123-0x0000000000F83000-0x0000000000F84000-memory.dmp

memory/2648-2124-0x0000000000F84000-0x0000000000F86000-memory.dmp

memory/2648-2475-0x0000000000F86000-0x0000000000F87000-memory.dmp

memory/968-2578-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0258474c12015644cc7354e7330a1756
SHA1 15723ccd1ae46332b40c97d323f85a03dac39ab7
SHA256 0ef716f1333dd3a66c7b2023a692942765ec289a4cf8736feb95c79e35a2d6b3
SHA512 84f8a264e3a7a22a64cf19776a8c202327d9e42665f5a31ba141f8959f0d282ecc79c8d120dcc5ddf6ddc136ac6369ce05ac7dc99c7e5f7f86f447edcec4505a

memory/968-2588-0x0000000006AE0000-0x0000000006AE1000-memory.dmp

memory/968-2589-0x0000000006AE2000-0x0000000006AE3000-memory.dmp

memory/968-2598-0x0000000006AE3000-0x0000000006AE4000-memory.dmp

memory/968-2599-0x0000000006AE4000-0x0000000006AE6000-memory.dmp

memory/968-2938-0x0000000006AE6000-0x0000000006AE7000-memory.dmp

memory/4020-3053-0x0000000000000000-mapping.dmp

memory/4020-3058-0x00000000047A0000-0x00000000047A1000-memory.dmp

memory/4020-3059-0x00000000047A2000-0x00000000047A3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2d953a751e99ff773c32e103add6bcb3
SHA1 2969afa288446ee98a2d1996907b6095187a7f3c
SHA256 a5a54a390eb83fc1786b8907fefa14befdce1dc0e6e88c0f1dc518731390a1c8
SHA512 d11ccc968de26a021caf73a63ba4e103aa34b862874d58965ef108887e026c0b39ac24bdbd0bc5b48fe01ab048378c11027ae2d9ddd06f863a36b913a195cf13

memory/4020-3125-0x00000000047A3000-0x00000000047A4000-memory.dmp

memory/4020-3126-0x00000000047A4000-0x00000000047A6000-memory.dmp

memory/4020-3413-0x00000000047A6000-0x00000000047A7000-memory.dmp

memory/756-3528-0x0000000000000000-mapping.dmp

memory/756-3537-0x0000000007062000-0x0000000007063000-memory.dmp

memory/756-3536-0x0000000007060000-0x0000000007061000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ee0229a774e0ab140b4dfae36702b8f3
SHA1 08b53e8b81ede20ef98a3e44e3697e13edd52466
SHA256 5c40ea00724771dd3458b3a4458d0bc90329b0a1f16384524eca02adb09c0160
SHA512 d055b2d81ef06b241e652a64a664c8bd1ef7986b750168010d4f86c37f7d4c250085ed9caee4a9514de52bc1bfabe20da4f31fd730c31a7062f03f7b75f471eb

memory/756-3652-0x0000000007063000-0x0000000007064000-memory.dmp

memory/756-3655-0x0000000007064000-0x0000000007066000-memory.dmp

memory/756-3889-0x0000000007066000-0x0000000007067000-memory.dmp

memory/2704-4003-0x0000000000000000-mapping.dmp

memory/2704-4008-0x0000000006AB0000-0x0000000006AB1000-memory.dmp

memory/2704-4009-0x0000000006AB2000-0x0000000006AB3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 454bdad24e6cd4e67c5eea2b69259afb
SHA1 2ce60298c00faf3e3b8463b016da7600960c11b0
SHA256 c19a76bbe2cad3d339aa54829b35739aba305cec5ee05de45e612ac603e4a8da
SHA512 91a44323ce3046f9f484fba97c3ba1329cac2c4787f7df0a411084108f1c5a40abe9448e42bb822d47c2617cff8fd682c8bdd6669a3ec33e02dd90cd21c3d313

memory/2704-4048-0x0000000006AB3000-0x0000000006AB4000-memory.dmp

memory/2704-4051-0x0000000006AB4000-0x0000000006AB6000-memory.dmp

memory/2704-4363-0x0000000006AB6000-0x0000000006AB7000-memory.dmp

memory/68-4478-0x0000000000000000-mapping.dmp

memory/68-4487-0x0000000007330000-0x0000000007331000-memory.dmp

memory/68-4488-0x0000000007332000-0x0000000007333000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b44d53601d9e72f1b28c1aa92cfbdb74
SHA1 4b0bf698c6e38ce37fdd6f9f64587a4c34685ba7
SHA256 1e9c7cbba4d83d93618f10ed802b6682ebc9d9e7dcd349f3f6616514c6f84fdd
SHA512 e87e4cac86231113fbda7de39694d7e8e42b8bc03eea6dc51a314b50d75296ff28e16a734242af373e46fefb401ab3ea754ad8e65eee654f33b3ebcf8ccb1939

memory/68-4495-0x0000000007333000-0x0000000007334000-memory.dmp

memory/68-4496-0x0000000007334000-0x0000000007336000-memory.dmp

memory/68-4843-0x0000000007336000-0x0000000007337000-memory.dmp

memory/1016-4953-0x0000000000000000-mapping.dmp

memory/1016-4959-0x0000000004830000-0x0000000004831000-memory.dmp

memory/1016-4960-0x0000000004832000-0x0000000004833000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 870dcdf541e7235a6bc8c4980ad0e129
SHA1 c0b7acbcd54b4ccfaa95798d75cce2a87ee7b625
SHA256 4c4a84bc6dd3de6f868b485e485f0fab11e77579f5059fe88f2faa18335b4aed
SHA512 a208662aab82bfc6e95f07a0dee623a5e09868541539fa90dff38cf053a6eeb511ad7e3d37e7a065675f3c469a82754b6eb577577854b1b09d98e9066e1bedf5

memory/1016-5078-0x0000000004833000-0x0000000004834000-memory.dmp

memory/1016-5080-0x0000000004834000-0x0000000004836000-memory.dmp

memory/1016-5326-0x0000000004836000-0x0000000004837000-memory.dmp

memory/3056-5428-0x0000000000000000-mapping.dmp

memory/3056-5434-0x0000000007660000-0x0000000007661000-memory.dmp

memory/3056-5435-0x0000000007662000-0x0000000007663000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 be29b57b8ea3ecc10f09918c044f3b08
SHA1 f18d75a4e0708c1d4e139562fd4eda8f5aa5ebf3
SHA256 4538b87487952bbcb0e67ac6f631b73b8e93b31941787efb8b3f295b7895ae0c
SHA512 f61d48ac6a38d61c8696c9315c22d19576c1ac755f4539b9ca7bfb9c6e83c73c3fd72f7a09554c3a0ce09fa4f69504ebc5c6a45f9f3e9508cb01ce5533d66592

memory/3056-5525-0x0000000007663000-0x0000000007664000-memory.dmp

memory/3056-5527-0x0000000007664000-0x0000000007666000-memory.dmp

memory/3056-5788-0x0000000007666000-0x0000000007667000-memory.dmp