Malware Analysis Report

2024-10-19 07:37

Sample ID 210930-h2x5esghfj
Target cb12b24b0f69225693168e9c35761a1b.exe
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
Tags
xpertrat test evasion persistence rat trojan
score
10/10


Analysis Overview

score
10/10

SHA256

c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

Threat Level: Known bad

The file cb12b24b0f69225693168e9c35761a1b.exe was found to be: Known bad.

Malicious Activity Summary

xpertrat test evasion persistence rat trojan

Windows security bypass

UAC bypass

XpertRAT

XpertRAT Core Payload

Adds policy Run key to start application

Windows security modification

Deletes itself

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported

2021-09-30 07:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-30 07:14

Reported

2021-09-30 07:17

Platform

win7-en-20210920

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe"

Signatures

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

HKLM\...\Policies\Explorer\Run is the Group Policy "run at logon" list; Explorer processes it at logon in addition to the ordinary Run keys, so a persistence sweep has to cover both. The value points at a copy of the payload under %APPDATA% whose folder, file name and value name all reuse the same GUID-like string, and the writer is the injected iexplore.exe rather than the sample, so registry telemetry records a Microsoft binary as the actor.

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A

The deletion is attributed to notepad.exe, the last process in the injection chain (see Suspicious use of WriteProcessMemory below), not to the sample's own process: the original file is removed by injected code running under a Windows binary's name.

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | N/A

The event behind this signature is a write, not a query: EnableLUA = 0 disables UAC system-wide once the machine is rebooted. The same write is listed again under System policy modification below.

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | N/A
N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1356 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 1356 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 1356 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | 11
PID 612 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 9
PID 1324 wrote to memory of 816 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe | 5

Rows are collapsed with a count (the report lists one row per write, 33 in all). Read as a chain: the sample (1356) writes into two powershell.exe children and into a second copy of itself (612); that copy writes into iexplore.exe (1324), which in turn writes into notepad.exe (816), the process the Deletes itself signature is attributed to.

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | N/A

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | "C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe
C:\Windows\SysWOW64\notepad.exe | notepad.exe

The two PowerShell command lines name System32 while the executed image is the SysWOW64 copy (the same holds for notepad.exe): the sample is 32-bit, as the Wow6432Node registry writes confirm, so its process creation is subject to WOW64 file-system redirection. Test-NetConnection -TraceRoute twitch.com is an internet-connectivity check and Start-Sleep -s 5 a five-second delay; the RAT's own traffic is in the Network table below. iexplore.exe carries the sample's path as its command line and notepad.exe only the bare name; both are the write targets listed under Suspicious use of WriteProcessMemory above.

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | kapasky-antivirus.firewall-gateway.net | udp | 1
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp | 12
US | 8.8.8.8:53 | kapasky-antivirus.firewall-gateway.net | udp | 1
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp | 12
US | 8.8.8.8:53 | kapasky-antivirus.firewall-gateway.net | udp | 1
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp | 3

Rows are collapsed in order with a count; the report lists each DNS query and each TCP connection separately (27 connections to 91.121.250.249:4000 in all, with the name re-resolved before each burst).

Files

memory/1356-54-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

memory/1356-56-0x0000000076A81000-0x0000000076A83000-memory.dmp

memory/1692-57-0x0000000000000000-mapping.dmp

memory/1692-60-0x0000000000210000-0x0000000000211000-memory.dmp

memory/1356-59-0x0000000004860000-0x0000000004861000-memory.dmp

memory/1692-62-0x0000000000212000-0x0000000000214000-memory.dmp

memory/1692-61-0x0000000000211000-0x0000000000212000-memory.dmp

memory/648-63-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 4fff3b4920cec843637588f8be815a94
SHA1 a8ec480d629b22a433d20124d545525fa0146bd3
SHA256 b028c3a6e0e7fb25c53f3ac7e3e257ecb0aa3b840f46585d14d7f242d398d4c4
SHA512 0c0845fae3b6b96e0ceda29a7d96f38b2cabd6ffb8555194a93d93cf46e2660e197aaa37bc4b0c5ff6aa53920c277f1ef1a065afbb77b14b7935a09245f5ce71

This is a Windows jump-list file under the user's Recent folder, written by the shell as a side effect of the detonation; it is not a file dropped by the sample, so its hashes are not usable as indicators. Note that the autostart target C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe referenced by the Run keys is not among the files recorded here.

memory/648-67-0x0000000001F11000-0x0000000001F12000-memory.dmp

memory/648-66-0x0000000001F10000-0x0000000001F11000-memory.dmp

memory/648-68-0x0000000001F12000-0x0000000001F14000-memory.dmp

memory/1356-69-0x00000000021A0000-0x00000000021EF000-memory.dmp

memory/1356-70-0x0000000001F90000-0x0000000001FC0000-memory.dmp

memory/612-71-0x0000000000400000-0x000000000042C000-memory.dmp

memory/612-72-0x00000000004010B8-mapping.dmp

memory/1324-75-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1324-76-0x0000000000401364-mapping.dmp

memory/1324-77-0x0000000000290000-0x00000000003E3000-memory.dmp

memory/816-80-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-30 07:14

Reported

2021-09-30 07:17

Platform

win10-en-20210920

Max time kernel

153s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe"

Signatures

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 6
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | N/A | 14

Rows are collapsed with a count; the report lists one row per enumeration.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 4
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 3
Token: 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2

Rows are collapsed with a count; the report lists the full privilege set enabled by powershell.exe three times in sequence, the third time without entry 36. The numeric entries 33 to 36 are privilege identifiers (LUIDs) the sandbox did not map to names.

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | N/A
N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2160 wrote to memory of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2160 wrote to memory of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2160 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | 3
PID 2160 wrote to memory of 644 | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | 3
PID 2160 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | 7
PID 2688 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 8
PID 1744 wrote to memory of 504 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe | 4

Rows are collapsed with a count (31 writes in all). Three copies of the sample are written into here (1764, 644, 2688); only 2688 carries the chain on to iexplore.exe (1744) and from there to notepad.exe (504).

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | N/A
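The registry and cross-process-write signatures in behavioral1 and behavioral2 are what a triage analyst turns into an injection chain and an indicator list. The Python below is an added example, not part of the sandbox report and not XpertRAT code: it parses rows in the text form the report prints (the rows are transcribed from the behavioral2 tables, each repeated as many times as the report lists it), rebuilds the chain sample (2160) → sample (2688) → iexplore.exe (1744) → notepad.exe (504), separates the self-injections from the hollowed host, and pulls the autostart path and the EnableLUA write out of the registry rows. The assumption that the sandbox prints REG_SZ data with doubled backslashes, and the category labels, are mine.

```python
"""Injection chain and persistence/UAC findings from sandbox signature rows,
parsed in the text form the report above uses. Added example, not sandbox code."""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
IE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
NOTEPAD = r"C:\Windows\SysWOW64\notepad.exe"
RAT = r"C:\Users\Admin\AppData\Roaming\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe"

def _write_row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"

# behavioral2 "Suspicious use of WriteProcessMemory": one row per write, counts as listed.
WRITE_ROWS = (
    [_write_row(2160, 3020, SAMPLE, PS)] * 3
    + [_write_row(2160, 3892, SAMPLE, PS)] * 3
    + [_write_row(2160, 1764, SAMPLE, SAMPLE)] * 3
    + [_write_row(2160, 644, SAMPLE, SAMPLE)] * 3
    + [_write_row(2160, 2688, SAMPLE, SAMPLE)] * 7
    + [_write_row(2688, 1744, SAMPLE, IE)] * 8
    + [_write_row(1744, 504, IE, NOTEPAD)] * 4
)
# behavioral2 registry rows. Assumption: the sandbox prints REG_SZ data with
# doubled backslashes (as the report shows), so the parser un-escapes them.
RAT_ESC = RAT.replace("\\", "\\\\")
REGISTRY_ROWS = [
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "{RAT_ESC}" {IE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" {SAMPLE} N/A',
    rf'Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "{RAT_ESC}" {IE} N/A',
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "{RAT_ESC}" {IE} N/A',
    rf'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" {SAMPLE} N/A',
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")
REG_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*?)" (.+?\.exe) N/A$')
# Substring of the lower-cased key path -> what the write achieves (labels are mine).
CATEGORIES = (
    ("\\policies\\explorer\\run\\", "persistence:policy-run-key"),
    ("\\currentversion\\run\\", "persistence:run-key"),
    ("\\policies\\system\\enablelua", "defense-evasion:uac-policy"),
    ("\\security center\\uacdisablenotify", "defense-evasion:security-center"),
)

def _match(regex, row):
    m = regex.match(row)
    if not m:
        raise ValueError(f"unparsed row: {row!r}")
    return m.groups()

def parse_writes(rows):
    """Count writer->target pairs and record each PID's image path."""
    edges, images = Counter(), {}
    for row in rows:
        src, dst, src_img, dst_img = _match(WRITE_RE, row)
        edges[(int(src), int(dst))] += 1
        images[int(src)], images[int(dst)] = src_img, dst_img
    return edges, images

def injection_chains(edges):
    """Every root-to-leaf path through the writer->target graph."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    chains = []
    def walk(pid, path):
        path = path + [pid]
        if pid not in children:        # leaf: this PID wrote into nobody
            chains.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path)
    for root in sorted(p for p in children if p not in targets):
        walk(root, [])
    return chains

def hollowing_candidates(edges, images):
    """Self-injection: writer and target share an image. Hollowed host: a
    differently named target that then injects onward (iexplore.exe here)."""
    writers = {src for src, _ in edges}
    self_inj = sorted((s, d) for s, d in edges if images[s] == images[d])
    hosts = sorted(d for s, d in edges if images[s] != images[d] and d in writers)
    return {"self_injection": self_inj, "hollowed_hosts": hosts}

def registry_findings(rows):
    """Label each registry write; data is un-escaped back to a real path."""
    out = []
    for row in rows:
        _kind, key, data, writer = _match(REG_RE, row)
        k = key.lower()
        cat = next((c for needle, c in CATEGORIES if needle in k), "other")
        out.append({"category": cat, "key": key,
                    "data": data.replace("\\\\", "\\"), "writer": writer})
    return out

def autostart_payloads(findings):
    """Paths the persistence writes will launch at logon."""
    return {f["data"] for f in findings if f["category"].startswith("persistence:")}
```

Run against the behavioral1 rows the same code yields the chain 1356 → 612 → 1324 → 816; the hollowed-host rule (written into by a foreign image, then writes onward) is what separates iexplore.exe from the two powershell.exe children, which are written into but never inject anything themselves.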

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | "C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe
C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe
C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\cb12b24b0f69225693168e9c35761a1b.exe
C:\Windows\SysWOW64\notepad.exe | notepad.exe

Eight processes, matching the eight PIDs in the WriteProcessMemory table above (2160, 3020, 3892, 1764, 644, 2688, 1744, 504). The System32 command-line path versus the SysWOW64 image is WOW64 file-system redirection acting on a 32-bit sample.

Network

Country Destination Domain Proto
US 8.8.8.8:53 twitch.com udp
NL 52.109.88.35:443 N/A tcp
US 52.182.143.208:443 N/A tcp
US 8.8.8.8:53 twitch.com udp
US 8.8.8.8:53 twitch.com udp
US 8.8.8.8:53 twitch.com udp
US 8.8.8.8:53 twitch.com udp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
US 8.8.8.8:53 kapasky-antivirus.firewall-gateway.net udp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp
FR 91.121.250.249:4000 kapasky-antivirus.firewall-gateway.net tcp

Files

memory/2160-115-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

memory/2160-117-0x0000000005710000-0x0000000005711000-memory.dmp

memory/3020-118-0x0000000000000000-mapping.dmp

memory/3020-121-0x0000000004B20000-0x0000000004B21000-memory.dmp

memory/3020-122-0x00000000075B0000-0x00000000075B1000-memory.dmp

memory/3020-123-0x0000000007490000-0x0000000007491000-memory.dmp

memory/3020-124-0x0000000007C90000-0x0000000007C91000-memory.dmp

memory/3020-125-0x0000000004B70000-0x0000000004B71000-memory.dmp

memory/3020-126-0x0000000004B72000-0x0000000004B73000-memory.dmp

memory/3020-127-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

memory/3020-128-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

memory/3020-129-0x0000000007D50000-0x0000000007D51000-memory.dmp

memory/3020-130-0x00000000087A0000-0x00000000087A1000-memory.dmp

memory/3020-131-0x0000000008640000-0x0000000008641000-memory.dmp

memory/3020-139-0x00000000093E0000-0x0000000009413000-memory.dmp

memory/3020-146-0x00000000093C0000-0x00000000093C1000-memory.dmp

memory/3020-151-0x0000000009750000-0x0000000009751000-memory.dmp

memory/3020-152-0x0000000009910000-0x0000000009911000-memory.dmp

memory/3020-155-0x000000007FB40000-0x000000007FB41000-memory.dmp

memory/3020-156-0x0000000004B73000-0x0000000004B74000-memory.dmp

memory/3020-381-0x000000000B070000-0x000000000B071000-memory.dmp

memory/3020-382-0x000000000AA30000-0x000000000AA31000-memory.dmp

memory/3020-393-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

memory/3020-469-0x0000000002E50000-0x0000000002E51000-memory.dmp

memory/3020-552-0x0000000002F60000-0x0000000002F61000-memory.dmp

memory/3020-570-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/3020-613-0x0000000004B76000-0x0000000004B78000-memory.dmp

memory/3892-677-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1712dab0a1bf4e9e3ff666b9c431550d
SHA1 34d1dec8fa95f62c72cb3f92a22c13ad9eece10f
SHA256 7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97
SHA512 6ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1ce89b036d04eb1f0b975003d078e6ce
SHA1 55b7173835682adeaa37c4691d027b1687473632
SHA256 bd90ffe349735104d521d5aff8b0da6b1c90c480e354122b5d33df22b25fe8b1
SHA512 cbbb2d61e58dcb0888466b6f9c913af92438c35db4a5b079d9d841459f22c3b9166bbe46424e705f314be0c3583a8485980044dc89d323e3db7106d92c7f0482

memory/3892-691-0x0000000006C02000-0x0000000006C03000-memory.dmp

memory/3892-689-0x0000000006C00000-0x0000000006C01000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 1c33ff599b382b705675229c91fc2f99
SHA1 c20086746c14c5d57be9a3df47bd75fa77abe7e0
SHA256 d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a
SHA512 5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

memory/2160-701-0x00000000011F0000-0x000000000123F000-memory.dmp

memory/2160-702-0x0000000003060000-0x0000000003090000-memory.dmp

memory/2688-704-0x00000000004010B8-mapping.dmp

memory/2688-703-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1744-707-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1744-708-0x0000000000401364-mapping.dmp

memory/1744-711-0x0000000003610000-0x0000000003763000-memory.dmp

memory/1744-712-0x0000000003611000-0x000000000370D000-memory.dmp

memory/504-715-0x0000000000000000-mapping.dmp

memory/2688-717-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3892-716-0x0000000006C03000-0x0000000006C04000-memory.dmp