Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    01-10-2021 07:22

General

  • Target

    fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe

  • Size

    358KB

  • MD5

    d952cb0acf14545d0e6da5509db9088d

  • SHA1

    9e4c5b31c821cc46f8eba61d65442f0bdbe67b98

  • SHA256

    fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98

  • SHA512

    e66869cc859af82d4ad9db0c877d949905e3f28876e1022f434083e6f26492e3edac72624ce3143ca85446f4bce7ed208e41f846c5bcb13af7343047c7df8ebc

Malware Config

Extracted

Family

xpertrat

Version

3.0.10

Botnet

Test

C2

kapasky-antivirus.firewall-gateway.net:4000

Mutex

L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0

Signatures

  • UAC bypass 3 TTPs
  • Windows security bypass 2 TTPs
  • XpertRAT

    XpertRAT is a remote access trojan with various capabilities.

  • XpertRAT Core Payload 37 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Program crash 37 IoCs
  • Suspicious use of SetThreadContext 38 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2168
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3496
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2280
    • C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
      C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
      2⤵
      • Windows security modification
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4104
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4180
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 24
          4⤵
          • Program crash
          PID:4236
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4780
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 24
          4⤵
          • Program crash
          PID:4876
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:1076
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 24
          4⤵
          • Program crash
          PID:384
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4552
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 24
          4⤵
          • Program crash
          PID:4580
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4800
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 24
          4⤵
          • Program crash
          PID:4832
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:2728
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 24
          4⤵
          • Program crash
          PID:3908
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:3780
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 24
          4⤵
          • Program crash
          PID:3568
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:2652
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 24
          4⤵
          • Program crash
          PID:3820
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 24
          4⤵
          • Program crash
          PID:5036
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:5028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 24
          4⤵
          • Program crash
          PID:5060
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:5080
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 24
          4⤵
          • Program crash
          PID:5100
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:5104
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 24
          4⤵
          • Program crash
          PID:1324
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4112
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 24
          4⤵
          • Program crash
          PID:4148
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:912
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 24
          4⤵
          • Program crash
          PID:992
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4828
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 24
          4⤵
          • Program crash
          PID:4276
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4380
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 24
          4⤵
          • Program crash
          PID:612
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4296
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 24
          4⤵
          • Program crash
          PID:4328
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4332
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 24
          4⤵
          • Program crash
          PID:4340
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4384
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 24
          4⤵
          • Program crash
          PID:4412
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4436
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 24
          4⤵
          • Program crash
          PID:2632
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:3420
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 24
          4⤵
          • Program crash
          PID:2072
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:2624
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 24
          4⤵
          • Program crash
          PID:2168
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:2188
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 24
          4⤵
          • Program crash
          PID:4464
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:3992
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 24
          4⤵
          • Program crash
          PID:4488
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4508
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 24
          4⤵
          • Program crash
          PID:4520
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:1896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 24
          4⤵
          • Program crash
          PID:4548
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4224
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 24
          4⤵
          • Program crash
          PID:2220
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:2304
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 24
          4⤵
          • Program crash
          PID:1376
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:1592
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 24
          4⤵
          • Program crash
          PID:1948
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:2132
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 24
          4⤵
          • Program crash
          PID:1336
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4244
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4244 -s 24
          4⤵
          • Program crash
          PID:4372
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4656
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 24
          4⤵
          • Program crash
          PID:4644
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4704
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 24
          4⤵
          • Program crash
          PID:4720
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4724
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 24
          4⤵
          • Program crash
          PID:4736
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4760
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 24
          4⤵
          • Program crash
          PID:4592
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4804
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 24
          4⤵
          • Program crash
          PID:4856
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
        3⤵
        PID:4840
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 24
          4⤵
          • Program crash
          PID:3216

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    MD5

    a4022a7d2b113226b000be0705680813

    SHA1

    599e22d03201704127a045ca53ffb78f9ea3b6c3

    SHA256

    2557a14e476d55330043af2858dbf1377e24dba3fa9aedc369d5feefefb7f9a7

    SHA512

    40ef88632a4ad38a7d21c640a7f0c8cd7c76b8451f55dd758c15baa5a90f4f0938de409426570c4405362fd2d90fadd96d23d190e09692b5fbe2c87ebc8d3c60

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    MD5

    c2d06c11dd1f1a8b1dedc1a311ca8cdc

    SHA1

    75c07243f9cb80a9c7aed2865f9c5192cc920e7e

    SHA256

    91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

    SHA512

    db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 6859e824175cd5510a400d8d21726895
  SHA1: fc5ed8a2d35f06baa5b415cd211637de4dc44ba5
  SHA256: 873821c156ba798515416aac6678de597a7c31f3e4fbec45a1c1787c46b9b603
  SHA512: cc49a385ee7e439c7510487bcda2f2144a1ad731a8493aca6ad9b245b2b052475fa084d6b032d8b76f66fbbe5df5c7534b8b638f7ea64bd58bbc21e0e96eee35

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 50eb7475b505935d5d7ad2720e602873
  SHA1: 65bee1d9d07d2a74ce088985724228297870ba9a
  SHA256: 68b61ac8c2aaa26c79c1d3b310f61c3111c723cdd478129bef5cfb2d3f0277ef
  SHA512: 4569d6295e4864635067851333eac3dbcb437eb87d9b15b37b84021e0e27c102696c96daff9f36e82937e22491afb6133692328bada85fcb6bae74e921bd302e

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 4758bfe3f091a42feba6fab1df869683
  SHA1: 3bba689b4a526a823d191363e57fd97a5784fcb7
  SHA256: 4894bef3088b5d79570154208e404a066e416d1e7c5d589a7aa42b3b990212f6
  SHA512: 168678865ac373db8b8605e2ec48c7cc3a36dabd7cafb937a773214d3a6359f5bf9661322d304890469de9f59fd3ccf428f5dc942b0053a627b5cc96a13e2184

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 3ce02f412b5d325335369fc0f44e0efa
  SHA1: cba5b00763cd1c3a1e4c2c8a736f5e7c6f17b575
  SHA256: 602bd6bc1b8f901073129068d5956193dd1848cb062a1e5319fd5438e8e46f12
  SHA512: 0deb1029f8584776ff96931c70a551e9b8b23116cecb7a62f1d5c7ed132a1d354f78f75b039e3a4fd04d3febabcc8513df083b32563c235b9cbbff7956678a48

• memory/808-119-0x0000000005160000-0x0000000005161000-memory.dmp (Filesize: 4KB)
• memory/808-118-0x0000000005190000-0x0000000005191000-memory.dmp (Filesize: 4KB)
• memory/808-114-0x00000000008F0000-0x00000000008F1000-memory.dmp (Filesize: 4KB)
• memory/808-117-0x0000000005220000-0x0000000005221000-memory.dmp (Filesize: 4KB)
• memory/808-116-0x0000000005680000-0x0000000005681000-memory.dmp (Filesize: 4KB)
• memory/912-1280-0x0000000000401364-mapping.dmp
• memory/1076-1076-0x0000000000401364-mapping.dmp
• memory/1204-132-0x00000000087D0000-0x00000000087D1000-memory.dmp (Filesize: 4KB)
• memory/1204-124-0x0000000006DF0000-0x0000000006DF1000-memory.dmp (Filesize: 4KB)
• memory/1204-138-0x0000000009330000-0x0000000009331000-memory.dmp (Filesize: 4KB)
• memory/1204-139-0x0000000009250000-0x0000000009251000-memory.dmp (Filesize: 4KB)
• memory/1204-140-0x00000000092C0000-0x00000000092C1000-memory.dmp (Filesize: 4KB)
• memory/1204-120-0x0000000000000000-mapping.dmp
• memory/1204-123-0x0000000006E50000-0x0000000006E51000-memory.dmp (Filesize: 4KB)
• memory/1204-133-0x00000000085A0000-0x00000000085A1000-memory.dmp (Filesize: 4KB)
• memory/1204-154-0x0000000006E53000-0x0000000006E54000-memory.dmp (Filesize: 4KB)
• memory/1204-162-0x000000000A6D0000-0x000000000A6D1000-memory.dmp (Filesize: 4KB)
• memory/1204-125-0x0000000007490000-0x0000000007491000-memory.dmp (Filesize: 4KB)
• memory/1204-126-0x0000000007B00000-0x0000000007B01000-memory.dmp (Filesize: 4KB)
• memory/1204-127-0x0000000007BA0000-0x0000000007BA1000-memory.dmp (Filesize: 4KB)
• memory/1204-128-0x0000000006E52000-0x0000000006E53000-memory.dmp (Filesize: 4KB)
• memory/1204-129-0x0000000007E60000-0x0000000007E61000-memory.dmp (Filesize: 4KB)
• memory/1204-130-0x0000000007ED0000-0x0000000007ED1000-memory.dmp (Filesize: 4KB)
• memory/1204-131-0x0000000007E30000-0x0000000007E31000-memory.dmp (Filesize: 4KB)
• memory/1592-1310-0x0000000000401364-mapping.dmp
• memory/1896-1304-0x0000000000401364-mapping.dmp
• memory/2132-1312-0x0000000000401364-mapping.dmp
• memory/2168-260-0x0000000000000000-mapping.dmp
• memory/2168-269-0x0000000004480000-0x0000000004481000-memory.dmp (Filesize: 4KB)
• memory/2168-271-0x0000000004482000-0x0000000004483000-memory.dmp (Filesize: 4KB)
• memory/2168-347-0x0000000004483000-0x0000000004484000-memory.dmp (Filesize: 4KB)
• memory/2188-1298-0x0000000000401364-mapping.dmp
• memory/2280-687-0x00000000067E3000-0x00000000067E4000-memory.dmp (Filesize: 4KB)
• memory/2280-587-0x00000000067E0000-0x00000000067E1000-memory.dmp (Filesize: 4KB)
• memory/2280-688-0x00000000067E4000-0x00000000067E6000-memory.dmp (Filesize: 8KB)
• memory/2280-533-0x0000000000000000-mapping.dmp
• memory/2280-589-0x00000000067E2000-0x00000000067E3000-memory.dmp (Filesize: 4KB)
• memory/2304-1308-0x0000000000401364-mapping.dmp
• memory/2588-152-0x0000000006AE2000-0x0000000006AE3000-memory.dmp (Filesize: 4KB)
• memory/2588-150-0x0000000006AE0000-0x0000000006AE1000-memory.dmp (Filesize: 4KB)
• memory/2588-207-0x0000000006AE3000-0x0000000006AE4000-memory.dmp (Filesize: 4KB)
• memory/2588-142-0x0000000000000000-mapping.dmp
• memory/2624-1296-0x0000000000401364-mapping.dmp
• memory/2652-1268-0x0000000000401364-mapping.dmp
• memory/2728-1264-0x0000000000401364-mapping.dmp
• memory/3420-1294-0x0000000000401364-mapping.dmp
• memory/3496-409-0x00000000074B0000-0x00000000074B1000-memory.dmp (Filesize: 4KB)
• memory/3496-370-0x0000000000000000-mapping.dmp
• memory/3496-493-0x00000000074B3000-0x00000000074B4000-memory.dmp (Filesize: 4KB)
• memory/3496-414-0x00000000074B2000-0x00000000074B3000-memory.dmp (Filesize: 4KB)
• memory/3780-1266-0x0000000000401364-mapping.dmp
• memory/3992-1300-0x0000000000401364-mapping.dmp
• memory/4104-907-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize: 176KB)
• memory/4104-870-0x00000000004010B8-mapping.dmp
• memory/4112-1278-0x0000000000401364-mapping.dmp
• memory/4180-874-0x0000000000401364-mapping.dmp
• memory/4224-1306-0x0000000000401364-mapping.dmp
• memory/4244-1314-0x0000000000401364-mapping.dmp
• memory/4296-1286-0x0000000000401364-mapping.dmp
• memory/4332-1288-0x0000000000401364-mapping.dmp
• memory/4380-1284-0x0000000000401364-mapping.dmp
• memory/4384-1290-0x0000000000401364-mapping.dmp
• memory/4436-1292-0x0000000000401364-mapping.dmp
• memory/4508-1302-0x0000000000401364-mapping.dmp
• memory/4552-1160-0x0000000000401364-mapping.dmp
• memory/4656-1316-0x0000000000401364-mapping.dmp
• memory/4704-1318-0x0000000000401364-mapping.dmp
• memory/4724-1320-0x0000000000401364-mapping.dmp
• memory/4760-1322-0x0000000000401364-mapping.dmp
• memory/4780-991-0x0000000000401364-mapping.dmp
• memory/4800-1225-0x0000000000401364-mapping.dmp
• memory/4804-1324-0x0000000000401364-mapping.dmp
• memory/4828-1282-0x0000000000401364-mapping.dmp
• memory/4840-1326-0x0000000000401364-mapping.dmp
• memory/4996-1270-0x0000000000401364-mapping.dmp
• memory/5028-1272-0x0000000000401364-mapping.dmp
• memory/5080-1274-0x0000000000401364-mapping.dmp
• memory/5104-1276-0x0000000000401364-mapping.dmp