Malware Analysis Report

2024-11-16 13:37

Sample ID: 240529-1nltcaba7v
Target: dfsadfsfsf.exe
SHA256: 17411b5f0a6618aab02247492f9ed3afad7fe7a4209a2355bf4b7c471ebca4a9
Tags: xworm execution persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 17411b5f0a6618aab02247492f9ed3afad7fe7a4209a2355bf4b7c471ebca4a9

Threat Level: Known bad

The file dfsadfsfsf.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm family

Xworm

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-29 21:47

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-29 21:47
Reported: 2024-05-29 21:48
Platform: win7-20240508-en
Max time kernel: 34s
Max time network: 35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\program = "C:\\Users\\Admin\\AppData\\Roaming\\program" | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2228 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2532 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\schtasks.exe
PID 2228 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\schtasks.exe
PID 2228 wrote to memory of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\schtasks.exe
PID 2228 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\system32\shutdown.exe
PID 2228 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\system32\shutdown.exe
PID 2228 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\system32\shutdown.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe

"C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dfsadfsfsf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\program'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'program'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "program" /tr "C:\Users\Admin\AppData\Roaming\program"

C:\Windows\system32\shutdown.exe

shutdown.exe /f /s /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | by-mit.gl.at.ply.gg | udp
US | 147.185.221.20:3500 | by-mit.gl.at.ply.gg | tcp

Files

memory/2228-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

memory/2228-1-0x0000000000E30000-0x0000000000E40000-memory.dmp

memory/2228-2-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

memory/2924-8-0x00000000029A0000-0x00000000029A8000-memory.dmp

memory/2924-7-0x000000001B580000-0x000000001B862000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0a349aab16ebf0a5be56b08814e59e21
SHA1 9232cb17d6f424e501342625a82891141d9fc249
SHA256 93a075a49d8623ef408fffba3b95d823ea0ab8b3c9312c46b54aeabec45d417d
SHA512 fcee4515c88692c7fc42aef8488b52f9a806685a38d51c916150fc6c62ebf7b98f1716f9786be695d6276a3f6672865f45d861a4a1248131f1eed3c3d546ced0

memory/2680-14-0x000000001B560000-0x000000001B842000-memory.dmp

memory/2680-15-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/2228-29-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

memory/2228-30-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

memory/2228-31-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-29 21:47
Reported: 2024-05-29 21:48
Platform: win10v2004-20240508-en
Max time kernel: 40s
Max time network: 41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\program = "C:\\Users\\Admin\\AppData\\Roaming\\program" | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SYSTEM32\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SYSTEM32\shutdown.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2340 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2340 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\schtasks.exe
PID 2340 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\System32\schtasks.exe
PID 2340 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\SYSTEM32\shutdown.exe
PID 2340 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe | C:\Windows\SYSTEM32\shutdown.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe

"C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dfsadfsfsf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dfsadfsfsf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\program'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'program'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "program" /tr "C:\Users\Admin\AppData\Roaming\program"

C:\Windows\SYSTEM32\shutdown.exe

shutdown.exe /f /s /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3963055 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp
BE | 88.221.83.250:443 | www.bing.com | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 250.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | by-mit.gl.at.ply.gg | udp
US | 147.185.221.20:3500 | by-mit.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp

Files

memory/2340-0-0x00007FF816413000-0x00007FF816415000-memory.dmp

memory/2340-1-0x0000000000870000-0x0000000000880000-memory.dmp

memory/2340-2-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ymqnrpud.adt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2916-12-0x000002391F5C0000-0x000002391F5E2000-memory.dmp

memory/2916-13-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/2916-14-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/2916-15-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/2916-18-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b51dc9e5ec3c97f72b4ca9488bbb4462
SHA1 5c1e8c0b728cd124edcacefb399bbd5e25b21bd3
SHA256 976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db
SHA512 0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3161f4edbc9b963debe22e29658050b
SHA1 45dbf88dadafe5dd1cfee1e987c8a219d3208cdb
SHA256 1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a
SHA512 006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

memory/2340-56-0x00007FF816413000-0x00007FF816415000-memory.dmp

memory/2340-57-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

memory/2340-58-0x00007FF816410000-0x00007FF816ED1000-memory.dmp