Malware Analysis Report

2024-10-19 07:37

Sample ID 211007-lzje2acbg8
Target 3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa
SHA256 3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa
Tags
xpertrat test evasion rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa

Threat Level: Known bad

The file 3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa was found to be: Known bad.

Malicious Activity Summary

xpertrat test evasion rat trojan

XpertRAT

UAC bypass

Windows security bypass

XpertRAT Core Payload

Windows security modification

Program crash

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of UnmapMainImage

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-10-07 09:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-10-07 09:58

Reported

2021-10-07 10:00

Platform

win10-en-20210920

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe"

Signatures

UAC bypass

evasion trojan

Windows security bypass

evasion trojan

XpertRAT

rat xpertrat

XpertRAT Core Payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1576 set thread context of 3312 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
PID 3312 set thread context of 2656 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2712 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2276 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 4068 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 3364 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 1792 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 1500 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 3820 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2164 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2700 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 3256 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2340 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2364 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2360 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 3776 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 900 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2472 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2688 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2212 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 1800 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 4072 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2248 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 1296 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2720 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 3368 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 3888 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 1428 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 2676 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 3556 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 3428 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 1236 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 1804 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 set thread context of 432 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1576 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe
PID 3312 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

"C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 24

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Users\Admin\AppData\Local\Temp\3e77ec2e0bbc394a1841bfb8f9b004f93fcbc35b401580abd01c92c41b6635aa.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 24
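Three signals in this report belong together: the write-to-memory rows above (one parent, PID 3312, writing eight times into each freshly spawned iexplore.exe child), the EnableLUA = "0" policy write, and the WerFault.exe -u -p <pid> entries in the process list. Every iexplore.exe PID that received writes (2656, 2712, 2276, 4068, 3364, 2812) has a matching WerFault launch, so each injected child crashed and the sample kept spawning new ones; the memory/<pid>-...-0x0000000000401364-mapping.dmp entries in the Files section are the same injected image captured in each child. The script below is an added example, not part of this report or of the sandbox's own tooling: it parses rows in the report's own flattened format, groups the writes per source/target pair, marks writes into a child that runs a different image, flags targets that later crash (an injection or hollowing attempt that did not survive), and picks out UAC-weakening policy writes. The sample rows are constructed from the rows above with the hash-named sample path shortened to sample.exe; the two companion UAC values listed beside EnableLUA are an assumption about what a responder also checks under that key, not something this report shows.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Row formats exactly as the report prints them (source/target paths may contain spaces).
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (.+?\.exe) (.+\.exe)$", re.I)
WERFAULT_RE = re.compile(r"WerFault\.exe -u -p (\d+) -s \d+", re.I)
REG_RE = re.compile(r'^Set value \((\w+)\) (\S+)\\(\w+) = "([^"]*)" (\S+)', re.I)

UAC_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# EnableLUA = "0" is the write in the report; the other two are assumed companions a
# responder checks under the same key (they do not appear in this report).
UAC_WEAKENING = {("enablelua", "0"), ("consentpromptbehavioradmin", "0"),
                 ("promptonsecuredesktop", "0")}


@dataclass
class Triage:
    writes: Counter = field(default_factory=Counter)  # (src_pid, dst_pid, src_img, dst_img) -> rows
    crashed: set = field(default_factory=set)         # PIDs WerFault.exe was launched for
    uac_changes: list = field(default_factory=list)   # (value name, data, image that wrote it)


def parse_report(lines):
    """Collect memory writes, WerFault launches and UAC policy writes from report rows."""
    t = Triage()
    for raw in lines:
        line = raw.strip()
        if m := WRITE_RE.match(line):
            src, dst, src_path, dst_path = m.groups()
            key = (int(src), int(dst), PureWindowsPath(src_path).name.lower(),
                   PureWindowsPath(dst_path).name.lower())
            t.writes[key] += 1
        elif m := WERFAULT_RE.search(line):
            t.crashed.add(int(m.group(1)))
        elif m := REG_RE.match(line):
            _kind, reg_key, name, data, proc = m.groups()
            if reg_key.lower() == UAC_POLICY_KEY.lower() and (name.lower(), data) in UAC_WEAKENING:
                t.uac_changes.append((name, data, PureWindowsPath(proc).name.lower()))
    return t


def findings(t):
    """Reduce the raw events to what a responder wants to know first."""
    injections = []
    for (src, dst, src_img, dst_img), n in sorted(t.writes.items()):
        injections.append({
            "src_pid": src, "dst_pid": dst, "target_image": dst_img, "writes": n,
            # Writing into a child that runs a different, legitimate image is the
            # injection/hollowing shape; same-image writes are usually self-unpacking.
            "foreign_image": src_img != dst_img,
            "crashed": dst in t.crashed,
        })
    failed = [i["dst_pid"] for i in injections if i["foreign_image"] and i["crashed"]]
    return {
        "injections": injections,
        "failed_hollowing_targets": failed,
        "uac_disabled_by": sorted({proc for _, _, proc in t.uac_changes}),
    }


# Constructed sample rows mirroring the report above; the hash-named sample path is
# shortened to sample.exe for readability.
SAMPLE_ROWS = r"""
PID 1576 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 3312 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 3312 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 24
C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 24
""".strip().splitlines()


def triage(lines=SAMPLE_ROWS):
    """Parse the rows and return the findings dict; pass a saved report's lines for real use."""
    return findings(parse_report(lines))


if __name__ == "__main__":
    result = triage()
    for inj in result["injections"]:
        print(f"{inj['src_pid']} -> {inj['dst_pid']} ({inj['target_image']}): "
              f"{inj['writes']} writes, foreign={inj['foreign_image']}, crashed={inj['crashed']}")
    print("failed hollowing targets:", result["failed_hollowing_targets"])
    print("UAC disabled by:", result["uac_disabled_by"])
```

On the constructed rows this reports the 1576 -> 3312 write as same-image (the sample unpacking into a copy of itself, which did not crash), both iexplore.exe targets as foreign-image writes that crashed, and sample.exe as the process that switched UAC off. Run against a saved copy of this report the same logic returns all six iexplore.exe PIDs as failed targets, which is the practical reading of the "Program crash" signature here: the injected image never ran to completion in the sandbox, and the sample retried with a new child each time.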

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 twitter.com udp 13

Files

memory/1576-115-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/2420-117-0x0000000000000000-mapping.dmp

memory/2420-120-0x0000000004910000-0x0000000004911000-memory.dmp

memory/2420-121-0x0000000007450000-0x0000000007451000-memory.dmp

memory/2420-122-0x0000000007270000-0x0000000007271000-memory.dmp

memory/2420-123-0x0000000007A80000-0x0000000007A81000-memory.dmp

memory/2420-124-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

memory/2420-125-0x0000000007E40000-0x0000000007E41000-memory.dmp

memory/2420-126-0x0000000004A20000-0x0000000004A21000-memory.dmp

memory/2420-127-0x0000000004A22000-0x0000000004A23000-memory.dmp

memory/2420-128-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

memory/2420-129-0x00000000085C0000-0x00000000085C1000-memory.dmp

memory/2420-130-0x0000000008480000-0x0000000008481000-memory.dmp

memory/2420-138-0x00000000091B0000-0x00000000091E3000-memory.dmp

memory/2420-145-0x0000000009190000-0x0000000009191000-memory.dmp

memory/2420-150-0x0000000009520000-0x0000000009521000-memory.dmp

memory/2420-151-0x00000000096F0000-0x00000000096F1000-memory.dmp

memory/2420-220-0x000000007EF90000-0x000000007EF91000-memory.dmp

memory/2420-221-0x0000000004A23000-0x0000000004A24000-memory.dmp

memory/2420-380-0x000000000AEA0000-0x000000000AEA1000-memory.dmp

memory/2420-381-0x00000000097F0000-0x00000000097F1000-memory.dmp

memory/2420-392-0x0000000008460000-0x0000000008461000-memory.dmp

memory/2420-468-0x0000000009130000-0x0000000009131000-memory.dmp

memory/2420-551-0x000000000AB20000-0x000000000AB21000-memory.dmp

memory/2420-569-0x0000000008530000-0x0000000008531000-memory.dmp

memory/2420-612-0x0000000004A26000-0x0000000004A28000-memory.dmp

memory/1124-676-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1712dab0a1bf4e9e3ff666b9c431550d
SHA1 34d1dec8fa95f62c72cb3f92a22c13ad9eece10f
SHA256 7184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97
SHA512 6ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5889af6ab57831d6774cf82ddc7c2364
SHA1 fd252932673d10a7ac6c0b0750250697bd507f79
SHA256 445d4ab7e578a1b437c697ecfb7a93bc1887d2cfff3c0de62e04c8ccb5b04a5c
SHA512 f1e18143b3e5c4d5d03f6d69d77fa4337305271e845a24820ae54c61066787b061b7e782ecbd3878f4933fec793cffe10e325a3b0aa8371e5812764104826852

memory/1124-690-0x0000000001090000-0x0000000001091000-memory.dmp

memory/1124-691-0x0000000001092000-0x0000000001093000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 1c33ff599b382b705675229c91fc2f99
SHA1 c20086746c14c5d57be9a3df47bd75fa77abe7e0
SHA256 d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a
SHA512 5b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c

memory/1124-803-0x0000000001093000-0x0000000001094000-memory.dmp

memory/1124-805-0x0000000001094000-0x0000000001096000-memory.dmp

memory/1124-1038-0x0000000001096000-0x0000000001097000-memory.dmp

memory/3852-1152-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 174998e1d4c4765e4e6855f33ad0ec21
SHA1 f64f74a0be86a9122f0ef0c6697f06f72e23b3b4
SHA256 0f3c5c286ddc1779fde2d29af58209a18cc163815ebaf8e2ce347c06a8af836e
SHA512 7bcb948ac7eebaadbb6bb34728bc8c0b7155cfac6f72adff8a77ba7353afeaf970ef0669354aeec64ef5893309b92947b26005d92a59edddb8f6443e751be534

memory/3852-1165-0x0000000007390000-0x0000000007391000-memory.dmp

memory/3852-1166-0x0000000007392000-0x0000000007393000-memory.dmp

memory/3852-1246-0x0000000007393000-0x0000000007394000-memory.dmp

memory/3852-1247-0x0000000007394000-0x0000000007396000-memory.dmp

memory/3852-1529-0x0000000007396000-0x0000000007397000-memory.dmp

memory/3312-1630-0x00000000004010B8-mapping.dmp

memory/3312-1633-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1576-1632-0x0000000005070000-0x0000000005071000-memory.dmp

memory/2656-1636-0x0000000000401364-mapping.dmp

memory/2712-1638-0x0000000000401364-mapping.dmp

memory/2276-1640-0x0000000000401364-mapping.dmp

memory/4068-1642-0x0000000000401364-mapping.dmp

memory/3364-1644-0x0000000000401364-mapping.dmp

memory/2812-1646-0x0000000000401364-mapping.dmp

memory/1792-1648-0x0000000000401364-mapping.dmp

memory/1500-1650-0x0000000000401364-mapping.dmp

memory/3820-1652-0x0000000000401364-mapping.dmp

memory/2164-1654-0x0000000000401364-mapping.dmp

memory/2700-1656-0x0000000000401364-mapping.dmp

memory/3256-1658-0x0000000000401364-mapping.dmp

memory/2340-1660-0x0000000000401364-mapping.dmp

memory/2364-1662-0x0000000000401364-mapping.dmp

memory/2360-1664-0x0000000000401364-mapping.dmp

memory/3776-1666-0x0000000000401364-mapping.dmp

memory/900-1668-0x0000000000401364-mapping.dmp

memory/2472-1670-0x0000000000401364-mapping.dmp

memory/2688-1672-0x0000000000401364-mapping.dmp

memory/2212-1674-0x0000000000401364-mapping.dmp

memory/1800-1676-0x0000000000401364-mapping.dmp

memory/4072-1678-0x0000000000401364-mapping.dmp

memory/2248-1680-0x0000000000401364-mapping.dmp

memory/1296-1682-0x0000000000401364-mapping.dmp

memory/2720-1684-0x0000000000401364-mapping.dmp

memory/3368-1686-0x0000000000401364-mapping.dmp

memory/3888-1688-0x0000000000401364-mapping.dmp

memory/1428-1690-0x0000000000401364-mapping.dmp

memory/2676-1692-0x0000000000401364-mapping.dmp

memory/3556-1694-0x0000000000401364-mapping.dmp

memory/3428-1696-0x0000000000401364-mapping.dmp

memory/1236-1698-0x0000000000401364-mapping.dmp

memory/1804-1700-0x0000000000401364-mapping.dmp

memory/432-1702-0x0000000000401364-mapping.dmp