Malware Analysis Report

2024-10-19 07:37

Sample ID 210930-wt6y9aadep
Target c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
SHA256 c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535
Tags
xpertrat test evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535

Threat Level: Known bad

The file c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535 was found to be: Known bad.

Malicious Activity Summary

xpertrat test evasion persistence rat trojan

Windows security bypass

XpertRAT

UAC bypass

XpertRAT Core Payload

Adds policy Run key to start application

Deletes itself

Windows security modification

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-30 18:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-30 18:13

Reported

2021-09-30 18:16

Platform

win10v20210408

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe"

Signatures

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3728 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3728 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe
PID 3728 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe
PID 3728 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe
PID 3728 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe
PID 3728 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe
PID 3728 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe
PID 3728 wrote to memory of 1360 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe
PID 1360 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1360 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1360 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1360 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1360 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1360 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1360 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1360 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1720 wrote to memory of 1524 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe
PID 1720 wrote to memory of 1524 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe
PID 1720 wrote to memory of 1524 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe
PID 1720 wrote to memory of 1524 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Windows\SysWOW64\notepad.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe

"C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5

C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe

C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\c830683f700f311fe3d533d849cf045b1cbed5ff76debaa6c3dd8f71c0daa535.exe

C:\Windows\SysWOW64\notepad.exe

notepad.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | twitch.com | udp
US | 8.8.8.8:53 | twitch.com | udp
US | 8.8.8.8:53 | twitch.com | udp
US | 8.8.8.8:53 | twitch.com | udp
US | 8.8.8.8:53 | twitch.com | udp
US | 8.8.8.8:53 | kapasky-antivirus.firewall-gateway.net | udp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp
FR | 91.121.250.249:4000 | kapasky-antivirus.firewall-gateway.net | tcp

Files

memory/3728-114-0x0000000000430000-0x0000000000431000-memory.dmp

memory/3104-116-0x0000000000000000-mapping.dmp

memory/3104-119-0x0000000006D20000-0x0000000006D21000-memory.dmp

memory/3104-120-0x0000000007480000-0x0000000007481000-memory.dmp

memory/3104-122-0x0000000006E40000-0x0000000006E41000-memory.dmp

memory/3728-121-0x0000000004E80000-0x0000000004E81000-memory.dmp

memory/3104-123-0x0000000006E42000-0x0000000006E43000-memory.dmp

memory/3104-124-0x0000000007440000-0x0000000007441000-memory.dmp

memory/3104-125-0x0000000007E00000-0x0000000007E01000-memory.dmp

memory/3104-126-0x0000000007E70000-0x0000000007E71000-memory.dmp

memory/3104-127-0x0000000007F60000-0x0000000007F61000-memory.dmp

memory/3104-128-0x0000000007EE0000-0x0000000007EE1000-memory.dmp

memory/3104-129-0x00000000083B0000-0x00000000083B1000-memory.dmp

memory/3104-130-0x00000000085A0000-0x00000000085A1000-memory.dmp

memory/3104-138-0x00000000095B0000-0x00000000095E3000-memory.dmp

memory/3104-139-0x000000007F220000-0x000000007F221000-memory.dmp

memory/3104-146-0x0000000009570000-0x0000000009571000-memory.dmp

memory/3104-151-0x00000000096E0000-0x00000000096E1000-memory.dmp

memory/3104-152-0x0000000006E43000-0x0000000006E44000-memory.dmp

memory/3104-153-0x0000000009900000-0x0000000009901000-memory.dmp

memory/3104-381-0x000000000B200000-0x000000000B201000-memory.dmp

memory/3104-382-0x000000000AB80000-0x000000000AB81000-memory.dmp

memory/3104-393-0x0000000002D30000-0x0000000002D31000-memory.dmp

memory/3104-469-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

memory/3104-552-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

memory/3104-570-0x0000000006E46000-0x0000000006E48000-memory.dmp

memory/3104-571-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1628-677-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1712dab0a1bf4e9e3ff666b9c431550d
SHA1 34d1dec8fa95f62c72cb3f92a22c13ad9eece10f
SHA256 7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97
SHA512 6ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9d84bdc9aebbc477f64263748d591608
SHA1 eb65b304ce5ceaea4876d828b082017d6d28d9cb
SHA256 459e930dfd5cbc1b9e57f20d2ff1dfdf2d31bc25d9998c0ac550eabaf7ea40e8
SHA512 e84cc9c73143897b18cae93eb918a7df6c2f133d972e5d302d1b4f65700e8568d0416abfb19c58b19932f40eba141b4e4fc1aa46d7a2c95b9283314a35c8913d

memory/1628-690-0x0000000004430000-0x0000000004431000-memory.dmp

memory/1628-691-0x0000000004432000-0x0000000004433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 1c33ff599b382b705675229c91fc2f99
SHA1 c20086746c14c5d57be9a3df47bd75fa77abe7e0
SHA256 d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a
SHA512 5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

memory/3728-701-0x0000000000C60000-0x0000000000CAF000-memory.dmp

memory/1628-702-0x0000000004433000-0x0000000004434000-memory.dmp

memory/3728-703-0x0000000004C30000-0x0000000004C60000-memory.dmp

memory/1360-705-0x00000000004010B8-mapping.dmp

memory/1360-704-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1720-708-0x0000000000400000-0x0000000000443000-memory.dmp

memory/1720-709-0x0000000000401364-mapping.dmp

memory/1720-712-0x0000000003100000-0x0000000003253000-memory.dmp

memory/1720-713-0x0000000003101000-0x00000000031FD000-memory.dmp

memory/1360-715-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1524-717-0x0000000000000000-mapping.dmp