Malware Analysis Report

2024-08-06 19:34

Sample ID 220314-mntmasgcap
Target XFT-21062-22.exe
SHA256 23af733a95426c2ba12f205acbdc6516ab4a12579b5de3a66d45a688a37e1d95
Tags
redline billy discovery evasion infostealer persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23af733a95426c2ba12f205acbdc6516ab4a12579b5de3a66d45a688a37e1d95

Threat Level: Known bad

The file XFT-21062-22.exe was found to be: Known bad.

Malicious Activity Summary

redline billy discovery evasion infostealer persistence spyware stealer trojan

RedLine

Windows security bypass

RedLine Payload

Checks computer location settings

Windows security modification

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-03-14 10:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-14 10:37

Reported

2022-03-14 10:39

Platform

win7-20220311-en

Max time kernel

4294183s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"

Signatures

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security bypass

evasion trojan

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe = "0" C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\XjWI7nd1DG9qJRc39 = "C:\\Windows\\Cursors\\6zqC2hZrEtnwuWCRJ\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\XjWI7nd1DG9qJRc39 = "C:\\Windows\\Cursors\\6zqC2hZrEtnwuWCRJ\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1980 set thread context of 2036 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
File opened for modification C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1980 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 1980 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 1980 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 1980 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 1980 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 1980 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 1980 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 1980 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 1980 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe

Processes

C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe

"C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe" -Force

C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe

"C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"

Network

Country Destination Domain Proto
NL 45.133.174.87:15028 45.133.174.87 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp

Files

memory/1980-54-0x00000000010A0000-0x0000000001176000-memory.dmp

memory/1980-55-0x00000000749E0000-0x00000000750CE000-memory.dmp

memory/1980-56-0x0000000004C90000-0x0000000004C91000-memory.dmp

memory/1980-57-0x0000000004E90000-0x0000000004F36000-memory.dmp

memory/1980-58-0x0000000004C95000-0x0000000004CA6000-memory.dmp

memory/1980-59-0x0000000000650000-0x0000000000684000-memory.dmp

memory/268-60-0x00000000767A1000-0x00000000767A3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 696f80d5a39aa2aa5bae6281d977ce0e
SHA1 6ed2780ff3b3b94c9823959581649dfe09d66a6a
SHA256 34313d60308c3c7f3160cfb4d8e9ed8207222e7c5946a6c6e0c5d2211f5622c7
SHA512 9266636fae24e81035bfedef930fd1d584c2ec1b1f3bb2d41dde441b9e125a64e7ade7276f15dff9a232aee69fb793e8f3f7f9e06fa9056afb814589de589ad5

memory/268-65-0x000000006F7F0000-0x000000006FD9B000-memory.dmp

memory/2036-66-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1604-69-0x0000000002370000-0x0000000002FBA000-memory.dmp

memory/1604-71-0x000000006F7F0000-0x000000006FD9B000-memory.dmp

memory/300-73-0x000000006F7F0000-0x000000006FD9B000-memory.dmp

memory/2036-72-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1604-76-0x0000000002370000-0x0000000002FBA000-memory.dmp

memory/300-79-0x00000000023B0000-0x0000000002FFA000-memory.dmp

memory/268-80-0x0000000002440000-0x0000000002441000-memory.dmp

memory/2036-78-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2036-84-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2036-82-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2036-75-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2036-68-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2036-85-0x00000000749E0000-0x00000000750CE000-memory.dmp

memory/268-86-0x000000006F7F0000-0x000000006FD9B000-memory.dmp

memory/2036-87-0x0000000004D90000-0x0000000004D91000-memory.dmp

memory/268-89-0x0000000002441000-0x0000000002442000-memory.dmp

memory/300-88-0x00000000023B0000-0x0000000002FFA000-memory.dmp

memory/300-90-0x00000000023B0000-0x0000000002FFA000-memory.dmp

memory/268-91-0x0000000002442000-0x0000000002444000-memory.dmp

memory/1604-92-0x0000000002370000-0x0000000002FBA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-14 10:37

Reported

2022-03-14 10:39

Platform

win10v2004-20220310-en

Max time kernel

125s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"

Signatures

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security bypass

evasion trojan

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe = "0" C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe = "0" C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\XjWI7nd1DG9qJRc39 = "C:\\Windows\\Cursors\\6zqC2hZrEtnwuWCRJ\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XjWI7nd1DG9qJRc39 = "C:\\Windows\\Cursors\\6zqC2hZrEtnwuWCRJ\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1C1B0CC0-6A31-4E90-A2DB-9E914604E488}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{07489714-0400-4676-8763-22A09CBEF50E}.catalogItem C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2352 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
File opened for modification C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\001840064ECE0D0C = 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 C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5} C:\Windows\System32\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000003ed1b665cea5e68ec2f3435436bb77f16ddaf8688ab391da681570814b654332000000000e8000000002000020000000585cc05b3b73e39f14c50f4fd759ca494c2e01c4d9bb175f651b9c10ebd36974100d000075abe37e04cea8b3e4695e559ca46966dbcdb6dc8ee2a09b5d3c4e8e4ad5edabe29e8e35488b15d72b17a87b3ef83c8f007a533da5b3ffd0f1b9393a7f00d56dabe851188d38ebc1a947befbef57e73306046228fde46a8ed3478daa5d94e14d1e09f5bdcddbef1aaaef0bfd5ba3ddcbb9d78dc782613ae2424f93bf1e5ac6d893a5819797e3fff6d13810ab172f191f09e5197897feb729ce1736dc6c5f18e856821f88d4c0612cb090c4773d171032d749525321f43fb45b5e9f9f5d2ede970a4788247338e2c2ae55878bf648b6f592be687635e7c1c8126bd7782a443268e10f07e8a48529462b6204e0d39973d3dfcdce7453dc52badc4e0ec9265ca68d5e9cb936d7a3183332eda1b92e24555adbcec6976a9927f60a71e9196fdc23f77839fda8a4b8807627131e8873038b0c0b73a56dbfc163caa050aaf64d086bca9c179d52790747a8b779ae4fee380af41bca226e47fd9383869549a994107f25e02cd886012b06b30c31648e1f5ea6a56bc6d71d8cea5d7ea7802e2e03c9f574d53ffe281dc58eea3279164469c3ecb6ac2e2d28e34f631bba560430dad290b34a9f2d8b79c601a7b622bcf330f1120858dbe81cbfc5a24da672450bc7ddcca98f693f5f1c3e56ab325caaa68cf83276cbbd7663e4f4bf48e58688bbb76b2c39046bbf625fa3fc9b36400e475bf116f2b432c4e7f72b6f2e22e10be2b14525edd2a9f46cd04013e4d40475be718ad546ecf50acfd9132c56addd1ac2174db8f292dbbf40488702426f50ef4fddad23f6c629049b76d417f1d9061b68d6955fc7a4715b4faf90c08dfd083b5c3e3fef01d6f1873a5ec68ab7f5cdee228233b89be846a4c9f0c6c5b0a67032a749dcc3ba025d7402c391b3ccc8812d67e120adbc1799004002cb1c211fb6caf953ffa9873f00f1a78fba9f8dc54052484d8bb77549e2133f586bb2005537ec88ef116fd8cb7558cfc97eb7734f650aa18b7f304129af47b98efebf37ee20114cccadfaa5983d230af69e87abe2cf5a2c12015aadfa2b9c7696cbbc218a7fd8e5fc6101ec764c3dbd9fc3c521585956737a7d0884be9b28724b1
e5f9fada7b699f9039a351e1a185e6216ea4b43e05955df956d78d387c17f9043156471e6d05ff3e2fc961e5856d879ba3f7ea03202db8749d651695b25bc737fe05d88b7eeed314d01791c30867e7242484237c4e74be1fba94a5b9c435166b59870ee9347059c3f777f3f52b6a6a793728c1ccece8534769efdda9e3b1a080f9bb67facf24ae9d503398f57ba1885dee1b91661905aed002af93e95c0fc8dbb66ae7534007831ed3104a06a683cc1060a9186a675f1dbc17481dad212ef09da26cf2dcf26210261a48e336a236860c5e7408c2d71a096adb8946e3f4caca518a8752169e86c3b9f4c6628550a378852b527e55d3a5c993a00ae94eb4d7dd860847e9109f802ff5a3f0e531fc9c55bfea7f6bbe005056e290fc8d3efc80020ddee86a7ad2d0e017f7c237b75c180241b73e5c111dbffe68bf7482af9dee14091a4fea011dd260b7d2552c73b825d12658e49e15a55ca375164abde6bf884dfaa156ed009e3379ff4cfab0d922c94d339d35f49d1e7be8b15f6152d6f07ba8c71917c0f4b00debf755f24c69fbb8946f30101b4f89a6acb460143bf82ceb474725b30d28c1cfb57a905d4f66fbd09dc3376e6f817b47018f387431645e01bebf9917b2893caa07965caf75d19af271273666be400c5084c3430133853be66130679e862eab4edfbd5aa8a84fac05f0676566ca7f834c91bcbf66145ff14293bb370e5978b2b44d27f322ef790f8c4bf2ad1576564b2e0591928a9e7b19ad10da7cb4b1959a255fd70ba583b9049946847ed0f7403772579f2794a9664253bcd33871c1e9e97e956ecba23b36a1a3b732343166f6c1480e269867bb2b676187050014261544ebedf9d8b19647bebb70b4799f5098607a4bc738a9a524f2a3460d68494c2e4e7e7d51a83665e26ceec510ff6fa6048540bdd17101e1f20864b74f81d0b7065537bfe516fcbacf42ec1787d88e52f0183b2146c499fadfa5e1db1759e285457a2e7850c83f8054384a0f97218efecbcee84f4d090f016655124fcd34e76902668c0a31da437f541b87a0a4fd3a40409db5f6fb26493c69e404570d97a5171d882e11069b006ab77b18ead3b6167223b1052bfa8abd0c51290959e525d9b4a28ae0a25024eb0ac9804011d4535fab04a73ab4a119f5cddd5b97b08114c568d15a39c80b2c6160ef4ad7a56a461f931d5e876b3f93458547a7e7137f1af4f6bd43a8653ec6c2259d4c215d75bc24985929c49653a79c59d0b62ad6398981729f8f3c158cbca3ebf5d219b8eae7d433ce41e9a0725b65b7c8044a5f48473e11d42d5ecf7e81213a9b5b168a82e47c0ac45622e028138a5b9c5761185ccee8b4285f95776165c4627131a30212f5b96724bebedd8722ea1b2ae37c4761bf6e2d1285f7ac78
77e8c6bb108fd509938bccb44b664d679f4d3888bb3553eb991e7393cb70adebc562c7e498283b316b735afc34901ccfc1761f710d135af2771fe6edbc2c3a22dba7ade518195d849116642f644e13b2e6bdeda8bc8aa7e2e43a898ce05e3c01355c4c9a77b9dab933d7ff1bfb34477a7fe374b3e119c9073250a131b1ea479ab8dd94d40cb266ec656dfb116c22c90a08f2fd218ad10fdd3a78e27f36d12aa8788814297f40095b957b8b14e5c8c1612e297084a4c4ad32c960281f6ce4e8871ddda70bdcb2520d754628f31d63f62ff9959065ee7518e59791c65a72b43f043d08f09a357089b80022c2cbff9a359e994947791c778ef121dbec770dfd0f9dbb334beb74dfaaadee0cd4e47099fbc29a3b69f74118f86a489c43482f4d19fd91b086c66d3d7715c9a5e046940b5d588d891cfcb3bca39177694c281c02c95d3710a0a1478dab98aaecd64d1444b041cfc2a93d8b35c7baff0df47c4a0c6c065cee96ca7525968e8d6727f098a4d274285ef34b42e0192a861fda11c4d419b6863783c046913488732874f151e6485481a4f2d0e543b0e920a76961839033c47b901587e3ac1f11af060c62863f32afead8d217536da042e07ba36b998e8ce24bfb5f2763af0a357c0142725f48c76fd250f1811180a1789d7708b4d2dc4a549789eb417336da6a0693f57400a5331cd69c560e374b407e6adf61f664f5f5bdeb80b406147f60dad7b7d76e075da8b935b357ccee374a73db924e4f552bb9c27a730aeb848e99d04ca333f85180bb80b03a9ea0ad6accbf98ddd0f188dda5eef54070d4e2e936b69b98e4f5e2ac47f892b01af462e9f071dca1246c074fccd87677cda7026f82c50fa05782b17643b08b2d1d4bd40f4fcf313a64aa6facd5036952c211545155a7106251493ceab46697f4d5bc8d4957d609c6bf4cea4730cf7dcfddff1df40a62cbbbd9fe1acd257b90a892cce4e379bd0e7604dd56f4d6039a96be3a165101da2d2469eea5fd5670da981d5d067ccdac8aecddc9edc24c88c03d3b516d6d9dfbee965f6c2c6a4e70aaadfcd8d75f48669dde83e083bd30e5abe36a79426e09d94d13dcabe9051cdec635790f6b3611384fca096d72a6cbc5d8c1872c3feb4e119a1b2883203fa49a4d56cfea3ab93b08c5fa3f6595ca0ccda5a22f7fed07aeada7df9fbb722a6e03bd8b3f2c56b46cf1b499f711e728185cf3a79fbb76471e2d53baab2d3e0d86d0b128efa6afbe630c62188774f525e05227ac2f3fff56cc1b4825b599de1c94cd7afc4c42b1a8a999e4b3f59f3d0fec7e839e09491c826fcb8434741189bc70eec257982a0a9841a5b56d2fb0ca5ff24712d855cff24a7cde34c5276788bfb9e3314c46e39b1dff0578bb333f699536eb8e22b4465b04c186
035ce6c4fc6f6eafd2ec2ca4a79dfb54931f625bc6912475af598e9d013136044f4ab8986f9a529263790ecdd764440b4e12708638435f50f944803f8a5ed9256fd954ff4efad22c064123b3d885b24384c57e72ef234e43340a2e4a5cc693e6946fdbf62f9fe7152355da4e7f067eb1815b19bb694cb47ca300f4208daf43def523ee5649e0ebc7c07880f067f5c799ba3d3f3c20e80930740ec85bda16390e1c3cc29961acd7604dfb49c540f60033879193a11ca5f30d7c14d91dbc45dea8fbedeadb8cd1e981e8d5ea0d8c2d30cea772f69e78063467d7fea1a387eab1fabed507257090eddd69f70b68054139d7961280ad3b6b153ad3d3734611e5968a59461b8575616f87897affcfeb161295a732376eec590339f8c9e12840add15091aac0d8b06e005a526a3dae558b249a782492ff148b8de4358b2f282865c748be1782c9d78c0c3e24cdb50d852e24dc29dc7abc879a5eb5b9687de634ceb6fcb954721f0c58ecb7c79ddc661fab217b220b228a1c5141b219dab975131d7c1219052a4b8a3100beb83613c3f4885732c0041920e7d19da68caeeef98402e73d9b73933e0def8524c5af40296a2b215143973c1873b6b04be827178ed94eef772166432ac6faf227c993030c099ae4ad375e763d105d56bbf97119721636974624ff6ec622a576d6acc651c1ca40e90777f1c3060980a0ec694266a8a2d30a1b13992dfde932d45003362a9bb41145c32600384bf3f9db3d07c2113acb94c3945d935d2da1914d83ee87ab3840b729dcc02120e52cfc4fcba246540000000e16d793711a763f1142325beef4cd2dbacdbdf145720cd7516949cfba3bc0e099d5bfee0961674f43642bfffd602360124eddfd451f28a334b232c5782fd868a C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "001840064ECE0D0C" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2352 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 2352 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 2352 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 2352 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 2352 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 2352 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 2352 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 2352 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 2352 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 2352 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
PID 2352 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe

Processes

C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe

"C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe" -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe" -Force

C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe

"C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"

C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe

"C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"
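Both detonations record the same chain: the sample writes a fake svchost.exe under C:\Windows\Cursors, spawns PowerShell three times to add Defender exclusions for the dropped file and for itself, registers the dropped path under both Run and RunOnce, then writes into a second copy of itself and resets that copy's thread context (process hollowing); the 0x400000-0x41E000 region dumped from the hollowed child (PID 2036 on win7, 2600 on win10) is where a scan for the unpacked payload belongs. Two caveats when reading the rows: the PowerShell command lines name System32 but the image path is SysWOW64, because the 32-bit sample's process creation is redirected by WOW64, so match on the image path; and the direct registry writes land under Wow6432Node, the redirected 32-bit view, so it is the Add-MpPreference invocations, which go through the Defender service, that actually take effect. The rows attributed to C:\Windows\System32\svchost.exe (LicenseManager, IdentityCRL, the catalogItem files) are Windows background activity caught in the trace window, not the sample. The following is an added example, not part of the sandbox report: a Python pass over constructed event records that mirror the report's rows, flagging each step of the chain. The event schema and the ATT&CK technique IDs are my own assumptions, not taken from the page's matrix.

```python
"""Detection logic for the chain this report records in both detonations:
a fake svchost.exe dropped under C:\\Windows\\Cursors, Defender exclusions added
through PowerShell, Run/RunOnce persistence pointing at the fake binary, and the
sample writing into and re-pointing a thread of a second copy of itself.
Added example; the event records and field names are constructed here to
mirror the report's rows, they are not a sensor schema."""
import ntpath
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"
# Image path is SysWOW64 although the command line says System32: the 32-bit
# sample's CreateProcess call was redirected by WOW64. Match on the image path.
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DROPPED = r"C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe"

# Only these two directories legitimately hold svchost.exe.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
DEFENDER_EXCL_CMD = re.compile(r"\bAdd-MpPreference\b.*-ExclusionPath\b", re.I)
DEFENDER_EXCL_KEY = re.compile(r"\\Windows Defender\\Exclusions(\\|$)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)


@dataclass
class Event:
    kind: str          # "file" | "process" | "registry" | "wpm" | "setctx"
    process: str       # image path of the acting process
    detail: str = ""   # created file, command line, or registry key
    value: str = ""    # registry value data (kind == "registry")
    target: str = ""   # target image for wpm / setctx


@dataclass(frozen=True)
class Finding:
    technique: str     # ATT&CK ID; my mapping, not taken from the report's matrix
    summary: str
    evidence: str


def is_masqueraded_svchost(path: str) -> bool:
    """svchost.exe anywhere but the two system directories is masquerading."""
    head, tail = ntpath.split(path.strip('"'))
    return tail.lower() == "svchost.exe" and head.lower() not in SYSTEM_DIRS


def analyse(events):
    findings = []
    wpm_pairs = set()   # (writer, target) pairs seen so far
    for e in events:
        proc, target = e.process.lower(), e.target.lower()
        if e.kind == "file" and is_masqueraded_svchost(e.detail):
            findings.append(Finding("T1036.005", "svchost.exe dropped outside the system directories", e.detail))
        elif e.kind == "process" and proc.endswith("\\powershell.exe") and DEFENDER_EXCL_CMD.search(e.detail):
            findings.append(Finding("T1562.001", "Defender exclusion added with Add-MpPreference", e.detail))
        elif e.kind == "registry" and DEFENDER_EXCL_KEY.search(e.detail) and not proc.endswith("\\msmpeng.exe"):
            findings.append(Finding("T1562.001", "Defender Exclusions key written by a non-Defender process", e.detail))
        elif e.kind == "registry" and RUN_KEY.search(e.detail) and is_masqueraded_svchost(e.value):
            findings.append(Finding("T1547.001", "Run/RunOnce entry points at a masqueraded svchost.exe", f"{e.detail} = {e.value}"))
        elif e.kind == "wpm":
            # WriteProcessMemory into a freshly created child is normal for
            # CreateProcess; it only becomes a signal when paired with
            # SetThreadContext on the same target.
            wpm_pairs.add((proc, target))
        elif e.kind == "setctx" and (proc, target) in wpm_pairs and proc == target:
            findings.append(Finding("T1055.012", "WriteProcessMemory then SetThreadContext into a child copy of itself", f"{e.process} -> {e.target}"))
    return findings


# Constructed from the report's behavioral1 rows (PID 1980 -> 268/300/1604/2036).
SAMPLE_EVENTS = [
    Event("file", SAMPLE, DROPPED),
    Event("process", POWERSHELL,
          r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
          r'Add-MpPreference -ExclusionPath "C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe" -Force'),
    Event("registry", SAMPLE, r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths"),
    Event("registry", SAMPLE,
          r"\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\XjWI7nd1DG9qJRc39",
          value=DROPPED),
    Event("wpm", SAMPLE, target=POWERSHELL),   # child creation, not injection
    Event("wpm", SAMPLE, target=SAMPLE),
    Event("setctx", SAMPLE, target=SAMPLE),
    # Background Windows activity from behavioral2: the real svchost.exe writing
    # Store licensing data. Must not fire.
    Event("file", r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\x.catalogItem"),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.summary}\n           {f.evidence}")
```

Run as a script it prints five findings in chain order (masquerade, two exclusion signals, persistence, hollowing) and stays silent on the PowerShell child creation and the real svchost.exe rows. On a live host the Exclusions key is normally written by the Defender service rather than the caller, so the Add-MpPreference command line is the more portable of the two exclusion signals.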

Network

Country Destination Domain Proto
US 204.79.197.203:443 api.msn.com tcp
NL 45.133.174.87:15028 45.133.174.87 tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
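The Network tables from the two runs contain three kinds of traffic: a raw-IP TCP connection to 45.133.174.87:15028 with no DNS lookup behind it, present in both detonations; HTTPS to api.ip.sb, a public external-IP lookup, which resolved to a different address in each run (104.26.13.31, then 172.67.75.172), so the domain rather than the IP is the indicator; and, only on the win10 image, licensing.mp.microsoft.com, storesdk.dsx.mp.microsoft.com and api.msn.com, which belong to the same Store-licensing svchost.exe activity seen in the registry and Files sections. The following is an added example, not part of the report: Python that parses both tables as printed above, classifies each destination, and keeps only indicators that recur across runs. The OS-noise suffix list and the classification rules are my own assumptions.

```python
"""Network triage for the two detonations: separate the sample's own traffic
(one raw-IP C2 on a high port, one public IP-lookup service) from the Windows
Store/licensing and MSN background traffic the win10 image generates on its
own, and keep only indicators that recur across runs.
Added example; the tables are copied from the report, the noise suffix list
and the classification rules are assumptions."""
import ipaddress
from collections import defaultdict

BEHAVIORAL1 = """
NL 45.133.174.87:15028 45.133.174.87 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
"""
BEHAVIORAL2 = """
US 204.79.197.203:443 api.msn.com tcp
NL 45.133.174.87:15028 45.133.174.87 tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 licensing.mp.microsoft.com udp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
NL 104.80.225.205:443 storesdk.dsx.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
US 20.223.25.224:443 licensing.mp.microsoft.com tcp
"""
RUNS = {"behavioral1": BEHAVIORAL1, "behavioral2": BEHAVIORAL2}

# Assumed allowlist of OS telemetry seen on a clean sandbox image.
OS_NOISE_SUFFIXES = (".microsoft.com", ".msn.com", ".windowsupdate.com")
# Public "what is my IP" service the sample queried in both runs.
IP_LOOKUP_DOMAINS = {"api.ip.sb"}
SANDBOX_RESOLVER = "8.8.8.8"


def parse(table):
    rows = []
    for line in table.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def classify(row):
    if row["domain"].endswith(OS_NOISE_SUFFIXES):
        return "os-noise"
    if row["proto"] == "udp" and row["port"] == 53 and row["ip"] == SANDBOX_RESOLVER:
        return "dns-lookup"
    if row["domain"] in IP_LOOKUP_DOMAINS:
        return "external-ip-check"
    # No DNS name and a port that is neither 80 nor 443: hard-coded C2 endpoint.
    if is_ip_literal(row["domain"]) and row["port"] not in (80, 443):
        return "c2-candidate"
    return "review"


def triage(runs):
    """Deduplicate (ip, port, proto, domain) across runs; tag each with its class and the runs it appeared in."""
    seen, rows = defaultdict(set), {}
    for name, table in runs.items():
        for r in parse(table):
            key = (r["ip"], r["port"], r["proto"], r["domain"])
            seen[key].add(name)
            rows[key] = r
    return [{**r, "class": classify(r), "runs": sorted(seen[k])} for k, r in rows.items()]


def stable_iocs(runs):
    """Indicators present in every run. CDN-fronted services churn IPs
    (api.ip.sb resolved to 104.26.13.31 and 172.67.75.172 here), so those are
    kept as domains; a raw-IP C2 is kept as ip:port/proto."""
    per_run = []
    for table in runs.values():
        found = set()
        for r in parse(table):
            c = classify(r)
            if c == "c2-candidate":
                found.add(f"{r['ip']}:{r['port']}/{r['proto']}")
            elif c == "external-ip-check":
                found.add(r["domain"])
        per_run.append(found)
    return set.intersection(*per_run)


if __name__ == "__main__":
    for r in triage(RUNS):
        print(f"{r['class']:18} {r['ip']}:{r['port']}/{r['proto']:3} {r['domain']:32} {','.join(r['runs'])}")
    print("stable IOCs:", sorted(stable_iocs(RUNS)))
```

The nine unique destinations collapse to two indicators worth blocking or hunting on: 45.133.174.87:15028/tcp and the domain api.ip.sb. The licensing and MSN rows should be excluded from the IOC set even though they only appear in the win10 run, since that difference is the image, not the sample.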

Files

memory/2352-134-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/2352-135-0x00000000002A0000-0x0000000000376000-memory.dmp

memory/2352-136-0x0000000004D00000-0x0000000004D9C000-memory.dmp

memory/2352-137-0x0000000005350000-0x00000000058F4000-memory.dmp

memory/2352-138-0x0000000004E40000-0x0000000004ED2000-memory.dmp

memory/2352-139-0x0000000004DA0000-0x0000000005344000-memory.dmp

memory/2352-140-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

memory/2352-141-0x0000000004FE0000-0x0000000005036000-memory.dmp

memory/2352-142-0x0000000004DA0000-0x0000000005344000-memory.dmp

memory/1032-143-0x00000000024E0000-0x0000000002516000-memory.dmp

memory/1032-144-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/1032-145-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/1032-146-0x00000000025E2000-0x00000000025E3000-memory.dmp

memory/1324-148-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/1324-147-0x0000000005990000-0x0000000005FB8000-memory.dmp

memory/1744-149-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/1324-150-0x0000000005350000-0x0000000005351000-memory.dmp

memory/1744-152-0x0000000004820000-0x0000000004821000-memory.dmp

memory/1744-153-0x0000000004822000-0x0000000004823000-memory.dmp

memory/1324-151-0x0000000005352000-0x0000000005353000-memory.dmp

memory/1032-154-0x0000000004D30000-0x0000000004D52000-memory.dmp

memory/1324-156-0x00000000061A0000-0x0000000006206000-memory.dmp

memory/1032-155-0x0000000005610000-0x0000000005676000-memory.dmp

memory/2600-157-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2600-158-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/2600-159-0x0000000005380000-0x0000000005998000-memory.dmp

memory/2600-160-0x0000000004D60000-0x0000000004D72000-memory.dmp

memory/1324-161-0x0000000006870000-0x000000000688E000-memory.dmp

memory/2600-162-0x0000000004DC0000-0x0000000004DFC000-memory.dmp

memory/2600-163-0x0000000004D50000-0x0000000004D51000-memory.dmp

memory/2600-164-0x0000000005070000-0x000000000517A000-memory.dmp

memory/2352-165-0x0000000070800000-0x0000000070812000-memory.dmp

memory/1324-167-0x0000000005355000-0x0000000005357000-memory.dmp

memory/1744-166-0x0000000004825000-0x0000000004827000-memory.dmp

memory/1032-168-0x00000000025E5000-0x00000000025E7000-memory.dmp

memory/1744-170-0x000000006F2B0000-0x000000006F2FC000-memory.dmp

memory/1744-172-0x0000000006B70000-0x0000000006B8E000-memory.dmp

memory/1032-173-0x000000006F2B0000-0x000000006F2FC000-memory.dmp

memory/1032-169-0x0000000007070000-0x00000000070A2000-memory.dmp

memory/1324-171-0x000000006F2B0000-0x000000006F2FC000-memory.dmp

memory/1032-174-0x000000007F350000-0x000000007F351000-memory.dmp

memory/1744-175-0x000000007FC80000-0x000000007FC81000-memory.dmp

memory/1324-176-0x000000007F3B0000-0x000000007F3B1000-memory.dmp

memory/1324-177-0x00000000081C0000-0x000000000883A000-memory.dmp

memory/1032-178-0x0000000007180000-0x000000000719A000-memory.dmp

memory/1324-179-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

memory/1744-180-0x0000000007180000-0x0000000007216000-memory.dmp

memory/1324-181-0x0000000007DA0000-0x0000000007DAE000-memory.dmp

memory/1032-182-0x00000000074C0000-0x00000000074DA000-memory.dmp

memory/1032-183-0x00000000074A0000-0x00000000074A8000-memory.dmp

memory/2600-184-0x0000000006350000-0x0000000006512000-memory.dmp

memory/2600-185-0x0000000006A50000-0x0000000006F7C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 264bdf4039fa632a1e97f56385be1b47
SHA1 4e763082f0ffcf7a2eae53bfae4012176f9ee5cc
SHA256 6205756956ebc3e5681e18a959537a2ec9d19791175668ea101b48890f8a56bc
SHA512 a1952ce76bf3f369e6b11368483d26ff1ffdbed0a6651d17dd635f21a5e6f30466e627cc955981b7b3a82effd07881a0a31b9d11f6ddefce356e0dffe56a4230

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b1c159445b218fcc3039c60b3f2af57f
SHA1 9afb5509e24438ca02311cf2e8384d18196c336f
SHA256 bf2158a0892a74c2efa0b821b17e1cc33b77eaaa1a882c50ca408c5156d9b58e
SHA512 a68e2f91c0d25880592c8a23ebe7d11e5601551aaa93c938a120115572ec2c52a491cfd7f3b5408ad7635ee538779fcb974d770ddac191610134f6973fc586ce

memory/2600-189-0x0000000006850000-0x00000000068C6000-memory.dmp

memory/2600-190-0x0000000006A30000-0x0000000006A4E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XFT-21062-22.exe.log

MD5 17573558c4e714f606f997e5157afaac
SHA1 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256 c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512 f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc