Malware Analysis Report

2024-09-11 08:54

Sample ID 240428-l2r5ysdb35
Target 8d2faf1c3a857566f516c28da34b9479.exe
SHA256 93f357d221fc7f72bec7195e11c8a00b9e128448850a88ca66c8cc95fa47272f
Tags redline sectoprat xworm cheat infostealer persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 93f357d221fc7f72bec7195e11c8a00b9e128448850a88ca66c8cc95fa47272f

Threat Level: Known bad

The file 8d2faf1c3a857566f516c28da34b9479.exe was found to be: Known bad.

Malicious Activity Summary

Tags redline sectoprat xworm cheat infostealer persistence rat trojan

RedLine payload
Detect Xworm Payload
RedLine
Xworm
SectopRAT payload
SectopRAT
Drops startup file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-04-28 10:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-28 10:02
Reported 2024-04-28 10:04
Platform win7-20240221-en
Max time kernel 150s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (5 matches)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (4 identical events)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (4 events)

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A (5 events)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (10 events)
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A (10 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A (3 events)
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (10 events)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A (4 events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 writes)
PID 1136 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 writes)
PID 1136 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\schtasks.exe (4 writes)
PID 1136 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe (9 writes)
PID 2504 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 writes)
PID 2504 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 writes)
PID 2504 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 writes)
PID 2504 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 writes)
PID 2504 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\schtasks.exe (4 writes)
PID 1180 wrote to memory of 2880 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe (4 writes)
PID 2880 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 writes)
PID 2880 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (4 writes)
PID 2880 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\schtasks.exe (4 writes)
PID 2880 wrote to memory of 888 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe (7 writes)

Processes

Image path, followed by the command line as executed:

C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe
    "C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vKSqvdpkG.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vKSqvdpkG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp"

C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe
    "C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '8d2faf1c3a857566f516c28da34b9479.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\system32\taskeng.exe
    taskeng.exe {A0BB93DD-F992-4A95-8C98-95F379B4FDCA} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\explorer.exe
    C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vKSqvdpkG.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vKSqvdpkG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C0A.tmp"

C:\Users\Admin\AppData\Roaming\explorer.exe
    "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Users\Admin\AppData\Roaming\explorer.exe
    C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vKSqvdpkG.exe"

C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vKSqvdpkG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp756E.tmp"

C:\Users\Admin\AppData\Roaming\explorer.exe
    "C:\Users\Admin\AppData\Roaming\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7000 N/A tcp
EG 41.199.23.195:7000 N/A tcp
NL 91.92.252.220:7000 N/A tcp
N/A 127.0.0.1:7000 N/A tcp
NL 91.92.252.220:7000 N/A tcp
N/A 127.0.0.1:7000 N/A tcp
US 8.8.8.8:53 saveclinetsforme68465454711991.publicvm.com udp
NL 91.92.254.108:7000 saveclinetsforme68465454711991.publicvm.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpC909.tmp

MD5 ad692d7816ec7e34a919719cb3f38bfd
SHA1 15e701acc1277ae4319c7909b5260f9c25b714e1
SHA256 ed494fc94b57261d96b54ede8c9922fcba08fcf15a2d73ade95268e1f877afc3
SHA512 987dc3f8f4a0fcfb0590d6ca5a3076cda2d8c1e435b4480e57869a7d780199a5a30648f4238e5dbdfcc046c73d59ff0d9b5722b400e01a40be73fefd5fb08e78

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S5TKGT3KEP1SBOHO6ESH.temp

MD5 a115488a371700977225ec0be4cfbf08
SHA1 110ffa701f8f5fb8875b99bee2c9c38ca1c6e1cf
SHA256 24c66dc70786f5b2fb3ba27096c6c9d476bbc298d80b17226896678da2f9235d
SHA512 b8faa34bb1b638a8dc81f3a8310ad4569eb126b4f2f41730ebe44fd854564996b06f767f440bda46076a5ededbd510eb1132b6d4f420c1dcf8f712518ccfc1a6

C:\Users\Admin\AppData\Roaming\explorer.exe

MD5 8d2faf1c3a857566f516c28da34b9479
SHA1 6151cc6fe9097e07676b8e7dca4057d4be292f44
SHA256 93f357d221fc7f72bec7195e11c8a00b9e128448850a88ca66c8cc95fa47272f
SHA512 42c3908b63b7b5960c53b11f34e8b42efa361107491236730d30dc258857006d0e7078d3c529fddbe2c44ffad1fc3ee181de01b51dc2e52e5fc38c43d6672420

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 4b47d536d1466fe5d8608c528df0fad2
SHA1 6db96fd0b4615a7931f23472987d5ec0b892a1fb
SHA256 4f1ede0b3d8faa8d60496167f18c3e08601067d6bd48686500b896b4aa2ec1b7
SHA512 35952ff0e6a0b6a06bcd0cb8d553b93ac0dd0822a7cd4db17baf48abbb6c2c1db46022c6a0e5e19cc8476aecbb55d5092e869dc44e06118367da25c07bfbf9e8

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-28 10:02
Reported 2024-04-28 10:04
Platform win10v2004-20240419-en
Max time kernel 149s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\explorer.exe N/A (2 events)
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A (2 events)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (4 events)

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A (6 events)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (20 events)
N/A N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A (12 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A (3 events)
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (10 events)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A (4 events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\schtasks.exe
PID 2820 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe
PID 2820 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe
PID 2820 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe
PID 2820 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe
PID 2820 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe
PID 2820 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe
PID 2820 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe
PID 2820 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe
PID 2940 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2940 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\schtasks.exe
PID 2940 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2712 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2712 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2712 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2712 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2712 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2712 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2712 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2712 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2712 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2712 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 2712 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3212 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3212 wrote to memory of 668 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 668 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 668 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Windows\SysWOW64\schtasks.exe
PID 3212 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3212 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 3212 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Roaming\explorer.exe C:\Users\Admin\AppData\Roaming\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe

"C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vKSqvdpkG.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vKSqvdpkG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7119.tmp"

C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe

"C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\8d2faf1c3a857566f516c28da34b9479.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '8d2faf1c3a857566f516c28da34b9479.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vKSqvdpkG.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vKSqvdpkG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A14.tmp"

C:\Users\Admin\AppData\Roaming\explorer.exe

"C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Users\Admin\AppData\Roaming\explorer.exe

"C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vKSqvdpkG.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vKSqvdpkG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp30BB.tmp"

C:\Users\Admin\AppData\Roaming\explorer.exe

"C:\Users\Admin\AppData\Roaming\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 23.53.113.159:80 tcp
US 8.8.8.8:53 ip-api.com udp
N/A 127.0.0.1:7000 tcp
EG 41.199.23.195:7000 tcp
N/A 127.0.0.1:7000 tcp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 saveclinetsforme68465454711991.publicvm.com udp
NL 91.92.252.220:7000 tcp
N/A 127.0.0.1:7000 tcp
EG 41.199.23.195:7000 tcp

Files

memory/2820-0-0x0000000000D90000-0x0000000000E32000-memory.dmp

memory/2820-1-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/2820-2-0x0000000005760000-0x0000000005770000-memory.dmp

memory/2820-3-0x0000000008300000-0x00000000088A4000-memory.dmp

memory/2820-4-0x0000000007E00000-0x0000000007E92000-memory.dmp

memory/2820-5-0x00000000050C0000-0x00000000050CA000-memory.dmp

memory/2820-6-0x00000000093A0000-0x000000000943C000-memory.dmp

memory/2820-7-0x0000000008140000-0x0000000008160000-memory.dmp

memory/2820-8-0x0000000008290000-0x00000000082A4000-memory.dmp

memory/2820-9-0x00000000059A0000-0x00000000059F4000-memory.dmp

memory/1324-14-0x0000000000CC0000-0x0000000000CF6000-memory.dmp

memory/1324-16-0x0000000000D50000-0x0000000000D60000-memory.dmp

memory/1324-15-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/1324-17-0x0000000004BB0000-0x00000000051D8000-memory.dmp

memory/4324-18-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/4324-19-0x0000000005170000-0x0000000005192000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7119.tmp

MD5 6ee3750101332c99eedb8b1befc9e3b3
SHA1 9e3dd9438a094f532ea806ccbf4c52fdfb226931
SHA256 ce04ce843e0db5a29f274359ed584748e2d3f8520985b2807281fd08d546c4ef
SHA512 be25163f4f2a5789c8e89743673849d7b663c5c0a54d4cfbce809152a02eeb100588114aaa728f955d186557915b6778f31534693d823d3eb0e014c04f3298e0

memory/4324-22-0x0000000005AB0000-0x0000000005B16000-memory.dmp

memory/4324-30-0x0000000004BE0000-0x0000000004BF0000-memory.dmp

memory/2820-29-0x00000000749F0000-0x00000000751A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3cu5xkca.sdu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4324-21-0x0000000005940000-0x00000000059A6000-memory.dmp

memory/4324-43-0x0000000005C20000-0x0000000005F74000-memory.dmp

memory/2940-44-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2820-46-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/4324-47-0x0000000006130000-0x000000000614E000-memory.dmp

memory/4324-48-0x00000000066A0000-0x00000000066EC000-memory.dmp

memory/1324-49-0x0000000006A10000-0x0000000006A42000-memory.dmp

memory/1324-50-0x00000000752A0000-0x00000000752EC000-memory.dmp

memory/1324-60-0x00000000069D0000-0x00000000069EE000-memory.dmp

memory/1324-61-0x0000000006C50000-0x0000000006CF3000-memory.dmp

memory/4324-62-0x00000000752A0000-0x00000000752EC000-memory.dmp

memory/1324-73-0x0000000006D70000-0x0000000006D8A000-memory.dmp

memory/1324-72-0x00000000073B0000-0x0000000007A2A000-memory.dmp

memory/4324-74-0x00000000074C0000-0x00000000074CA000-memory.dmp

memory/1324-75-0x0000000006FF0000-0x0000000007086000-memory.dmp

memory/1324-76-0x0000000006F70000-0x0000000006F81000-memory.dmp

memory/1324-77-0x0000000006FA0000-0x0000000006FAE000-memory.dmp

memory/1324-78-0x0000000006FB0000-0x0000000006FC4000-memory.dmp

memory/1324-79-0x00000000070B0000-0x00000000070CA000-memory.dmp

memory/4324-80-0x0000000007760000-0x0000000007768000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3382ecf6d9106b02f9fe9a9ff6166a40
SHA1 25ba98d09c69dcb60cd0fe2fa7da9a7a2c5562c4
SHA256 4af51ebdf7ee59268da498f289b352252a32cc2d8e39af9cf49380b99e1724c7
SHA512 32b5e796fa8370d4579616c9e5ef5a6bd154f5b20d55ecaba4ef2d3394d51d04140fa805960d4a83342999610383be327458fb93356d74ea491230510332934a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4324-86-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/1324-87-0x00000000749F0000-0x00000000751A0000-memory.dmp

memory/2512-88-0x0000000005490000-0x00000000057E4000-memory.dmp

memory/2512-99-0x0000000006040000-0x000000000608C000-memory.dmp

memory/2512-100-0x000000006FAD0000-0x000000006FB1C000-memory.dmp

memory/2512-110-0x0000000006D70000-0x0000000006E13000-memory.dmp

memory/2512-111-0x0000000007030000-0x0000000007041000-memory.dmp

memory/2512-112-0x0000000007080000-0x0000000007094000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5c954d7e99cb582655aa0efd09350703
SHA1 a8a22b25a0f802e0d85b0e1dac08ae2f7eb61fea
SHA256 5c1303cca1791aea09b332c2a21cc2e391622293fc350067e62c0250d9f9b189
SHA512 39c24e050eea1615f9284182377f5b6fd46e057a7337f71a6bfdd79481fbd2ca384c6e93c7f07d787ba6546b04a690affa3f8624086bed7078b699f712267856

memory/4396-124-0x000000006FAD0000-0x000000006FB1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1bcf30be5e7053ca255e16815afba5ae
SHA1 387b37b267e86106802bc23a4ba271d9ff4999d7
SHA256 c8610b4fe3ff88a94d83e045ac75537b7f77453e49cb44ce1ae8e388ec8d17df
SHA512 4d99942332ec9ea49013bbcff4dff19a5506ccbfb74d410104a78725bcb6b7e9e95a53b363eb63dedf84cc2d2a7216653cdd620a9a648101efb0884c6be86a9c

memory/3908-145-0x000000006FAD0000-0x000000006FB1C000-memory.dmp

memory/1424-156-0x00000000062B0000-0x0000000006604000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 460715f73d0d714263151c2c6c0672a3
SHA1 8685658a444608ec18fa33eb19048dab5660692a
SHA256 7b5af50d847011f9bf2f16a666046c641bdd95766f54e3b0e0c76b753b8b0929
SHA512 6fe84b30e565ebcc07a17e2866421b1f0d7007cb579207d3416856debe3e6365494cd3c5d930831b409b905220f6c6c83dbc910977af020dd54dc0856087cb97

memory/1424-167-0x000000006FAD0000-0x000000006FB1C000-memory.dmp

C:\Users\Admin\AppData\Roaming\explorer.exe

MD5 8d2faf1c3a857566f516c28da34b9479
SHA1 6151cc6fe9097e07676b8e7dca4057d4be292f44
SHA256 93f357d221fc7f72bec7195e11c8a00b9e128448850a88ca66c8cc95fa47272f
SHA512 42c3908b63b7b5960c53b11f34e8b42efa361107491236730d30dc258857006d0e7078d3c529fddbe2c44ffad1fc3ee181de01b51dc2e52e5fc38c43d6672420

memory/2712-184-0x0000000008440000-0x0000000008454000-memory.dmp

memory/4844-196-0x0000000005C00000-0x0000000005F54000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 330a748c7a8705e213da7ec90e81bfb9
SHA1 47314cb3fc762b233100863108bc7c2b0079bfe2
SHA256 62126b92ed9ef2a263d5f9929e551eda1cbeb8afcea322eb0e570832bed26270
SHA512 9263ac6ae3787d47efe7fa1d8cb12e392ae94e0f3512a905c28ffe3513700c4a90f8b6307b1e540518f6669cdb9d8ee76d7682c48890f563eb1c70d73e961839

memory/4844-211-0x00000000061B0000-0x00000000061FC000-memory.dmp

memory/4844-212-0x000000006FAE0000-0x000000006FB2C000-memory.dmp

memory/4844-222-0x0000000007320000-0x00000000073C3000-memory.dmp

memory/760-223-0x000000006FAE0000-0x000000006FB2C000-memory.dmp

memory/4844-233-0x0000000007690000-0x00000000076A1000-memory.dmp

memory/4844-234-0x00000000076D0000-0x00000000076E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 da1eeba02116c0ef6454725d4b3da2a1
SHA1 87e4f63f522673872ef1ccf5edbaed9b911cc8d2
SHA256 b0c037becbeace997528f0a36f89b9c64c55589ddc3f96af5473180879d02277
SHA512 87adfb145114405188241b0d8dfa92f0a3943a8d7efab1417cfe0ced7c92eb5e384843d3460caa822e8c0c836eee9d596a6da210f9d6a1683098b41c092b460f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\explorer.exe.log

MD5 400f1cc1a0a0ce1cdabda365ab3368ce
SHA1 1ecf683f14271d84f3b6063493dce00ff5f42075
SHA256 c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA512 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

memory/2900-252-0x00000000055C0000-0x0000000005914000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e75396b5df67f594bf261bfbe46b06ba
SHA1 c2d9eb60e75726efc313ef28e3a9ace0537adfc9
SHA256 a92edc86251d6092af3102efe8e1adbfb4ae3a49b6b647d9ab1324288f4f64d6
SHA512 ce94e0b0ad35c2a8c2892ddcd0d3e067ad14f7501867c84ba2321b070aaf2c276d7fff0dbe2f60fae53bc798d885bfb1f207f253041645b9d53b2f016c473472

memory/2900-265-0x000000006FAE0000-0x000000006FB2C000-memory.dmp

memory/4192-275-0x000000006FAE0000-0x000000006FB2C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 112299aae5c79b21caaaa8a0ce303a19
SHA1 6e46cc69267de5348cf789672db7daeb8c1325bc
SHA256 f1071b820a11c3ecca8f3027c7261d445c8cc80a2d8c0207c2d129b863d63c4a
SHA512 4be231319440c476e7d5bc986572d7587d6b5af3a1f2d28948abe58c7854776ac5a085d54689a93f9cb424ecf796eea684f4296aa9ecb2b6c03d7ceb9b4a2ca5