Malware Analysis Report

2024-11-16 13:35

Sample ID 240527-kn2a2aea9v
Target читы.exe
SHA256 2d0936804bfa8aedd998cbfb27485f1816222f17921d14705e390c5622b232ad
Tags xworm execution persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

2d0936804bfa8aedd998cbfb27485f1816222f17921d14705e390c5622b232ad

Threat Level: Known bad

The file читы.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm

Xworm family

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 08:45

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 08:45

Reported

2024-05-27 08:48

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\читы.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A |

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\читы.exe N/A

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2148 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2148 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\schtasks.exe |
| PID 2148 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\schtasks.exe |
| PID 2148 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\schtasks.exe |
| PID 2328 wrote to memory of 1988 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Delta.exe |
| PID 2328 wrote to memory of 1988 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Delta.exe |
| PID 2328 wrote to memory of 1988 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\Delta.exe |
| PID 2148 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\schtasks.exe |
| PID 2148 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\schtasks.exe |
| PID 2148 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\schtasks.exe |
| PID 2148 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\system32\cmd.exe |
| PID 2148 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\system32\cmd.exe |
| PID 2148 wrote to memory of 2252 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\system32\cmd.exe |
| PID 2252 wrote to memory of 2296 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 2252 wrote to memory of 2296 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 2252 wrote to memory of 2296 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\читы.exe

"C:\Users\Admin\AppData\Local\Temp\читы.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'читы.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {F608BB8A-E9F2-4F0B-85A0-F473E3A53D28} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBA3B.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:54921 19.ip.gl.ply.gg tcp

Files

memory/2148-0-0x000007FEF5193000-0x000007FEF5194000-memory.dmp

memory/2148-1-0x0000000000160000-0x0000000000180000-memory.dmp

memory/2280-6-0x00000000028C0000-0x0000000002940000-memory.dmp

memory/2280-7-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

memory/2280-8-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 515226976c81e0a34ec46b959f4fa46d
SHA1 87fe529f73ede88d7a24a03e8a916d14fba5d220
SHA256 e27cf01ab5227fdcd51b99bb65ee4b3b884e47396e5c2220a7b7e5fb6dfb6faa
SHA512 0b5b5231e8b58f26c10df04ffcc1a13e9de49966b1bbd7ecd66b37a625f106502d98538fedfd8a9c5801fc5629be27cb41e34a7f5ed086a3dd11cdc693ad057f

memory/2744-14-0x000000001B780000-0x000000001BA62000-memory.dmp

memory/2744-15-0x0000000001E60000-0x0000000001E68000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2148-31-0x000000001A8E0000-0x000000001A960000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delta.exe

MD5 7c4229f56dd1abf353b7615e099cb3a8
SHA1 f1a2545b0d9b1f686d456c60fcd87c3c4ee93d08
SHA256 2d0936804bfa8aedd998cbfb27485f1816222f17921d14705e390c5622b232ad
SHA512 e961a5a7b44fdfc0cbdedbb48320afa5097c8ff5f7d1880069e4120ee0bfe2d0642d3b7b7977c815c6f96b9c0f66028f26a2a0bfcdef5cca363269dff780af41

memory/1988-35-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2148-36-0x000007FEF5193000-0x000007FEF5194000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBA3B.tmp.bat

MD5 d56c76d12309e8ce1faa6788d1fe2af3
SHA1 2076a6e74cd5121d9f83b97aad50c1207a75a329
SHA256 9ff0b09804848c3a3203c30968f530db708a0645b878b6e15b9280052c8cdfe4
SHA512 0aa895c88bf3280d51873be88db803d8c6c4716849872f066a44929c3c877023a05bde30f9aae62e3318b33150da187f5c354871b0f904104b322cc2563f521f

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 08:45

Reported

2024-05-27 08:48

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\читы.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Delta.lnk | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Delta.exe N/A

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Delta = "C:\\Users\\Admin\\AppData\\Roaming\\Delta.exe" | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Delta.exe | N/A |

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\читы.exe N/A

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2652 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2652 wrote to memory of 3012 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2652 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2652 wrote to memory of 1828 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2652 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2652 wrote to memory of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2652 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2652 wrote to memory of 4488 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2652 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\schtasks.exe |
| PID 2652 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\schtasks.exe |
| PID 2652 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\schtasks.exe |
| PID 2652 wrote to memory of 396 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\System32\schtasks.exe |
| PID 2652 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\system32\cmd.exe |
| PID 2652 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\читы.exe | C:\Windows\system32\cmd.exe |
| PID 5060 wrote to memory of 4420 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |
| PID 5060 wrote to memory of 4420 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\читы.exe

"C:\Users\Admin\AppData\Local\Temp\читы.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\читы.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'читы.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Delta.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Delta.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Delta" /tr "C:\Users\Admin\AppData\Roaming\Delta.exe"

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Users\Admin\AppData\Roaming\Delta.exe

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /delete /f /tn "Delta"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1A3.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:54921 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 147.185.221.19:54921 19.ip.gl.ply.gg tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

memory/2652-0-0x0000000000530000-0x0000000000550000-memory.dmp

memory/2652-1-0x00007FFFEFE53000-0x00007FFFEFE55000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfxtldsc.q1y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3012-11-0x0000024B740B0000-0x0000024B740D2000-memory.dmp

memory/3012-12-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/3012-13-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/3012-14-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/3012-17-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 a43e653ffb5ab07940f4bdd9cc8fade4
SHA1 af43d04e3427f111b22dc891c5c7ee8a10ac4123
SHA256 c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe
SHA512 62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f9a34206d3c65e9361a2b802f8099882
SHA1 972570b8609d524dce821e4648339e3887e1da86
SHA256 5ec50aa1ce2f6eb950d211b2db96fb221ad1f1c23c67e1eb773b8b49d14fe8f0
SHA512 a6969e553606805e32b24d7d6abcd13d03334378ab8364b73ba1e0cf699d3152ab240ce60318d66c35fbf555cb8d06fdc727c94f2dddaafff504eaf4af8177d0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96e3b86880fedd5afc001d108732a3e5
SHA1 8fc17b39d744a9590a6d5897012da5e6757439a3
SHA256 c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294
SHA512 909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ef72c47dbfaae0b9b0d09f22ad4afe20
SHA1 5357f66ba69b89440b99d4273b74221670129338
SHA256 692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA512 7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

memory/2652-56-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

C:\Users\Admin\AppData\Roaming\Delta.exe

MD5 7c4229f56dd1abf353b7615e099cb3a8
SHA1 f1a2545b0d9b1f686d456c60fcd87c3c4ee93d08
SHA256 2d0936804bfa8aedd998cbfb27485f1816222f17921d14705e390c5622b232ad
SHA512 e961a5a7b44fdfc0cbdedbb48320afa5097c8ff5f7d1880069e4120ee0bfe2d0642d3b7b7977c815c6f96b9c0f66028f26a2a0bfcdef5cca363269dff780af41

memory/2652-59-0x00007FFFEFE53000-0x00007FFFEFE55000-memory.dmp

memory/2652-61-0x000000001BA10000-0x000000001BA1C000-memory.dmp

memory/2652-62-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

memory/2652-68-0x00007FFFEFE50000-0x00007FFFF0911000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF1A3.tmp.bat

MD5 2e34fb1dd066fb0a4846e69c1eca20f3
SHA1 bfe70392d3acccf98d82a6b74ea215c1b4ae5a88
SHA256 a84c13bd2c771b45669b7a9591d4d7755b62f4743cd900d765e921f4dbeab87a
SHA512 43add330684aa642b5c22a1036a0ca5f84748c572029b311844a2cf5b2c358aadf000f81073eb734bc25683c434ca350bb3ec46a3b075d085363f90a46f80384