Malware Analysis Report

2024-11-16 13:37

Sample ID: 240529-nwensaea25
Target: Nurik.exe
SHA256: ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c
Tags: xworm bootkit evasion execution persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c

Threat Level: Known bad

The file Nurik.exe was found to be: Known bad.

Malicious Activity Summary

Tags: xworm bootkit evasion execution persistence rat trojan

Detect Xworm Payload

Xworm family

Xworm

Modifies WinLogon for persistence

UAC bypass

Command and Scripting Interpreter: PowerShell

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Executes dropped EXE

Drops startup file

Writes to the Master Boot Record (MBR)

Looks up external IP address via web service

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies Control Panel

System policy modification

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-29 11:44

Signatures

Detect Xworm Payload


Xworm family

Tags: xworm

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-29 11:44
Reported: 2024-05-29 11:48
Platform: win11-20240508-en
Max time kernel: 181s
Max time network: 186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nurik.exe"

Signatures

Detect Xworm Payload


Modifies WinLogon for persistence

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A

UAC bypass

Tags: evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A

Xworm

Tags: trojan rat xworm

Disables RegEdit via registry modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A

Disables Task Manager via registry modification

Tags: evasion

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSecurity" | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | 0.tcp.eu.ngrok.io | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Modifies Control Panel

Tags: evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Control Panel\Mouse | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "235" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (8 identical rows)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A (55 identical rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WindowsSecurity | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WindowsSecurity | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WindowsSecurity | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1048 wrote to memory of 4176 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1048 wrote to memory of 1576 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1048 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1048 wrote to memory of 3720 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1048 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | C:\Windows\System32\schtasks.exe (2 identical rows)
PID 1048 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe (3 identical rows)

System policy modification

Tags: evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A

Uses Task Scheduler COM API

Tags: persistence

Processes

Image: C:\Users\Admin\AppData\Local\Temp\Nurik.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Nurik.exe"

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nurik.exe'

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nurik.exe'

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity'

Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity'

Image: C:\Windows\System32\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Roaming\WindowsSecurity"

Image: C:\Users\Admin\AppData\Roaming\WindowsSecurity
Command line: C:\Users\Admin\AppData\Roaming\WindowsSecurity

Image: C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe"

Image: C:\Windows\explorer.exe
Command line: explorer.exe

Image: C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004D8

Image: C:\Users\Admin\AppData\Roaming\WindowsSecurity
Command line: C:\Users\Admin\AppData\Roaming\WindowsSecurity

Image: C:\Users\Admin\AppData\Roaming\WindowsSecurity
Command line: C:\Users\Admin\AppData\Roaming\WindowsSecurity

Image: C:\Windows\system32\LogonUI.exe
Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38ca855 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 104.20.4.235:443 | pastebin.com | tcp
DE | 3.125.102.39:15961 | 0.tcp.eu.ngrok.io | tcp
DE | 3.124.142.205:15961 | 0.tcp.eu.ngrok.io | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
DE | 3.125.209.94:15961 | 0.tcp.eu.ngrok.io | tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzktullg.goa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3284cb698efa6fb773dc0eebd30a3214
SHA1 a1093d44f025e5ba9609e99a3fc5fce3723fd7f3
SHA256 22f6a7c20c96be4775bec28c377d98d91a160fb5dd3158083e4365286161a2aa
SHA512 af3ea3c69350087cd0e6768679ba7bdfff4c184b5bfe7abf9152aa161713c56c6dc86390543507580f9ae0a6103d26486dbe37330dbc78e172a966957ba43606

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 78dd5ad095162eb2777b0ff766a61a6e
SHA1 5ba064016205f0d26999080726c600e48f308f39
SHA256 aed8c14187935d0a33ac129c8bdce507dfb1938a1fd1d8a7c8c568c224d2deec
SHA512 993c2370fd9ddc14abfa9e4c972188605ec57a8edc17a2d9e51d85da93e98a72a4c096e6967a4d6e6ec7555cc04bfebc4977c23e301b6fa7b308c0ea8971a72d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d9f57d6c4214f890e8c0b575404864dc
SHA1 017f9174a12ca9632ffdf6b4316c88e02800777a
SHA256 3d51900ed720bd3f98cfc27c5a268eaa93b2ae4a40202fcc8240e26d1a3eac8f
SHA512 bec0064af11dd33ba51e4e6271633b3d9143d9e6b99290bc84da066c74eff297dc92071cb56c377739a3ece3e19c780e4591cde667bf8d4aa73eb4797630d042

C:\Users\Admin\AppData\Roaming\WindowsSecurity

MD5 bb252d8aa4f5834229ea080c11db0b59
SHA1 7de57dfc07520a7f3013abc807446e8611914812
SHA256 ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c
SHA512 0e9aa28aeb33328b7b7140a461b45e4a211cb68326130e174b54dd260d3f44323a3ab86f16571e0b0e55c9597f293b9a5d085e1bb01f4fbe2cdb2b20080e4c5a

Note: the SHA256 is identical to that of the submitted Nurik.exe, so this is a copy of the sample itself; it is the file that the Run key, the Startup .lnk and the per-minute scheduled task listed above launch.

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsSecurity.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
