Malware Analysis Report

2024-11-16 13:39

Sample ID: 240531-b2dmfsbe28
Target: cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
SHA256: cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651
Tags: xworm execution rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651

Threat level: Known bad

The file cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Detect Xworm Payload

Xworm

Detects Windows executables referencing non-Windows User-Agents

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Loads dropped DLL

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-31 01:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-31 01:38
Reported: 2024-05-31 01:40
Platform: win7-20240508-en
Max time kernel: 148s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A (5 rows, no details recorded)

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A (5 rows, no details recorded)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 1732 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
PID 1732 wrote to memory of 2820 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 2132 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 2272 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1732 wrote to memory of 1204 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe

"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe

"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
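The four powershell.exe invocations above are Defender tampering: each one, after switching the execution policy to Bypass, adds an exclusion for the sample's own path or process name or for the XClient.exe copy it drops. Two details are worth a second look. Add-MpPreference only succeeds in an elevated context, and when it does succeed Defender writes Event ID 5007 (configuration changed) to the Microsoft-Windows-Windows Defender/Operational log, so the exclusion list itself is auditable. And the command line names C:\Windows\System32 while the process image is under SysWOW64: that is WoW64 file-system redirection, which tells you the parent was a 32-bit process. The Python below is an added example, not code from the sandbox or from this report; it scores process-creation records for this pattern and goes slightly beyond the four lines here by also catching Set-MpPreference -Disable* $true and the -ep alias. The records are constructed from the four command lines above plus one benign row, and the pid/ppid/image/cmdline field names are an assumed normalisation of Sysmon Event ID 1 or Security 4688 data, not a real log schema.

```python
import re
from dataclasses import dataclass

HASH = "cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688
# fields normalised to pid/ppid/image/cmdline; an assumed schema). The four
# PowerShell command lines are the ones the sandbox recorded for this sample;
# the last record is benign filler that must not fire.
SAMPLE_EVENTS = [
    {"pid": 2820, "ppid": 1732, "image": PS_IMAGE, "cmdline": PS_CMD
     + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\%s.exe'" % HASH},
    {"pid": 2132, "ppid": 1732, "image": PS_IMAGE, "cmdline": PS_CMD
     + r"Add-MpPreference -ExclusionProcess '%s.exe'" % HASH},
    {"pid": 2272, "ppid": 1732, "image": PS_IMAGE, "cmdline": PS_CMD
     + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'"},
    {"pid": 1204, "ppid": 1732, "image": PS_IMAGE, "cmdline": PS_CMD
     + r"Add-MpPreference -ExclusionProcess 'XClient.exe'"},
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile Get-MpPreference'},
]

MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
# -ExclusionPath 'x' | "x" | x  (single-quoted, double-quoted or bare argument)
EXCLUSION = re.compile(
    r"-Exclusion(Path|Process|Extension|IpAddress)\s+(?:'([^']*)'|\"([^\"]*)\"|([^\s,]+))", re.I)
DISABLE = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.I)
BYPASS = re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)


@dataclass
class Finding:
    pid: int
    ppid: int
    exclusions: list        # (kind, value) pairs pulled from -Exclusion* arguments
    disabled: list          # -DisableXxx switches set to $true/1 (Set-MpPreference)
    bypass: bool            # -ExecutionPolicy Bypass on the same command line
    user_writable: bool     # an excluded path lies in a user-writable tree
    wow64_redirected: bool  # cmdline says System32, image is SysWOW64 (32-bit parent)

    def severity(self):
        return "high" if self.disabled or self.user_writable else "medium"


def wow64_redirected(image, cmdline):
    """The command line names System32 but the process image lives in SysWOW64:
    a 32-bit parent launched it and WoW64 file-system redirection rewrote the path."""
    return (r"\system32\windowspowershell" in cmdline.lower()
            and r"\syswow64\windowspowershell" in image.lower())


def inspect(event):
    """Return a Finding for a Defender-tampering command line, else None."""
    cmd = event["cmdline"]
    if not MP_CMDLET.search(cmd):
        return None  # Get-MpPreference and unrelated PowerShell never match
    exclusions = [(m.group(1).lower(), m.group(2) or m.group(3) or m.group(4))
                  for m in EXCLUSION.finditer(cmd)]
    disabled = [m.group(1) for m in DISABLE.finditer(cmd)]
    if not exclusions and not disabled:
        return None  # Set-MpPreference with a harmless setting
    return Finding(
        pid=event["pid"], ppid=event["ppid"],
        exclusions=exclusions, disabled=disabled,
        bypass=bool(BYPASS.search(cmd)),
        user_writable=any(USER_WRITABLE.search(v) for k, v in exclusions if k == "path"),
        wow64_redirected=wow64_redirected(event["image"], cmd),
    )


def analyze(events):
    """All tampering findings, in event order."""
    return [f for f in map(inspect, events) if f is not None]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.severity(), f.pid, f.exclusions, f.disabled, "bypass" if f.bypass else "")
```

The user-writable check is what lifts the first and third findings to "high": an exclusion for a path under AppData or Temp is an exclusion any later payload dropped there inherits, which is exactly why this family excludes both its Temp staging path and its %AppData% copy.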

Network

Country Destination Domain Proto
DE 104.250.180.178:7061 tcp

Files

memory/1636-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

memory/1636-1-0x0000000000140000-0x00000000001C4000-memory.dmp

memory/1636-2-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/1636-3-0x0000000000530000-0x0000000000548000-memory.dmp

memory/1636-4-0x0000000000550000-0x0000000000560000-memory.dmp

memory/1636-5-0x00000000021A0000-0x00000000021F6000-memory.dmp

memory/1732-6-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1732-7-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1732-8-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1732-16-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1732-14-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1732-12-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1732-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1732-9-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1636-18-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/1732-17-0x0000000073F10000-0x00000000745FE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 5e07f66f8bbd0c701efa856541ca11f6
SHA1 aa829a958b9a96a486fa643f000aeebffc9a357d
SHA256 f20710e19143e44f4501ee95b4b4b49cbe95eef930cdfb113854077f4678d97f
SHA512 59ebcf5d0ca578b7d97bd0a94b18127c9f9bbbc15efb9a12878c518473ad45f35f01972abfd7b05f4cc9c3a0256f332d93fb456f689c7638e794964eb32d7732

\Users\Admin\AppData\Roaming\XClient.exe

MD5 ff3aea929347d0168b02de5d2c2bcec3
SHA1 fd7eaa628f424fc1384bcbd926a551c8e60740db
SHA256 cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651
SHA512 c5ba038472b25fa013852b57fa712a286e56a85f015b68c5e7da72ed403aa0b896deb6583407894ae76dc59e90c475a161504d55202b4b7fe774732b22793c3b

(Same SHA256 as the submitted sample: the dropped XClient.exe is a byte-identical copy of it, the file the XClient.exe Defender exclusions and the XClient.lnk Startup entry above refer to.)

memory/1732-41-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/1732-42-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/1732-43-0x0000000073F10000-0x00000000745FE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-31 01:38
Reported: 2024-05-31 01:40
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 764 wrote to memory of 676 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
PID 676 wrote to memory of 1636 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 3224 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 4356 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 676 wrote to memory of 712 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
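The WriteProcessMemory rows in both detonations have the same shape: the sample writes repeatedly into a second, freshly started instance of its own image (1636 into 1732 in behavioral1, 764 into 676 here), which together with the SetThreadContext signature is the usual process-hollowing sequence, and the written-to copy is the one that goes on to launch the four powershell.exe children. Note that every spawned child also receives three or four writes in these reports, so a write count on its own does not separate hollowing from ordinary process creation; the same-image target does. The Python below is an added example rather than anything from the report or the sandbox: it parses rows in the report's own row format into a process tree and applies that heuristic. Its input is reconstructed from the behavioral2 table above, so the expected answers are all visible on this page (the behavioral1 rows parse identically), and the minimum write count of 3 is a threshold chosen here, not a sandbox setting.

```python
import re
from collections import Counter
from ntpath import basename  # splits Windows paths correctly on any host OS

EXE = r"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Rows reconstructed from the behavioral2 WriteProcessMemory table, one line per
# event exactly as the report prints them (8 self-writes, then 3 per child).
REPORT_ROWS = (
    ["PID 764 wrote to memory of 676 N/A %s %s" % (EXE, EXE)] * 8
    + ["PID 676 wrote to memory of 1636 N/A %s %s" % (EXE, PS)] * 3
    + ["PID 676 wrote to memory of 3224 N/A %s %s" % (EXE, PS)] * 3
    + ["PID 676 wrote to memory of 4356 N/A %s %s" % (EXE, PS)] * 3
    + ["PID 676 wrote to memory of 712 N/A %s %s" % (EXE, PS)] * 3
)

# "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>"
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(lines):
    """(src_pid, dst_pid, src_image, dst_image) per matching row; other lines are skipped."""
    edges = []
    for line in lines:
        m = ROW.match(line.strip())
        if m:
            edges.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return edges


def write_counts(edges):
    """Number of write events per (writer, target) pair."""
    return Counter((s, d) for s, d, _, _ in edges)


def images(edges):
    """First image path seen for every PID in the rows."""
    out = {}
    for s, d, si, di in edges:
        out.setdefault(s, si)
        out.setdefault(d, di)
    return out


def hollowing_candidates(edges, min_writes=3):
    """Pairs where writer and target run the same image and the target was
    written to at least min_writes times: the section-by-section copy of a
    hollowing loader, as opposed to the few writes every new child receives."""
    counts = write_counts(edges)
    return sorted({(s, d) for s, d, si, di in edges
                   if basename(si).lower() == basename(di).lower()
                   and counts[(s, d)] >= min_writes})


def children(edges, pid):
    """Distinct PIDs a process wrote into, in first-seen order."""
    seen = []
    for s, d, _, _ in edges:
        if s == pid and d not in seen:
            seen.append(d)
    return seen


def render_tree(edges, root, depth=0):
    """Indented text tree from root downwards; each child line carries the
    number of writes its parent made into it."""
    counts, img = write_counts(edges), images(edges)
    lines = ["  " * depth + "%d %s" % (root, basename(img.get(root, "?")))]
    for child in children(edges, root):
        sub = render_tree(edges, child, depth + 1)
        sub[0] += " (%d writes from %d)" % (counts[(root, child)], root)
        lines.extend(sub)
    return lines


if __name__ == "__main__":
    edges = parse_rows(REPORT_ROWS)
    print("\n".join(render_tree(edges, 764)))
    print("hollowing candidates:", hollowing_candidates(edges))
```

Feed it the behavioral1 rows instead and the root becomes 1636, the candidate pair (1636, 1732), and the four children 2820, 2132, 2272 and 1204, which is the tree the Processes list below flattens.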

Processes

C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe

"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe

"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 104.250.180.178:7061 tcp
US 8.8.8.8:53 178.180.250.104.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
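The only non-DNS connection in either detonation is TCP to 104.250.180.178:7061, which is the indicator to block. The udp/53 rows are PTR (reverse) lookups, and exactly one of them, 178.180.250.104.in-addr.arpa, is the reverse name of that C2 address; none of the other twelve corresponds to any recorded connection, so they can be treated as background noise from the analysis image. A reverse lookup does not by itself show which process asked for it, but it is a cheap cross-check that a host touched the address. The Python below is an added example, not part of the report: it parses rows in the report's Network table format, pairs each non-DNS destination with any PTR query for it, and lists the PTR queries nothing matched. The rows are reconstructed from the table above; the 1024 well-known-port cut-off is a convention used here, not a claim about the malware.

```python
import ipaddress
import re

# Rows reconstructed from the behavioral2 Network table:
# "<country> <destination ip:port> [<queried name>] <proto>"
REPORT_ROWS = """
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 104.250.180.178:7061 tcp
US 8.8.8.8:53 178.180.250.104.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
""".strip().splitlines()

ROW = re.compile(r"^(\w\w) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")
PTR_V4 = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", re.I)


def parse(rows):
    """Dicts with cc/ip/port/name/proto per matching row; name is None when absent."""
    out = []
    for r in rows:
        m = ROW.match(r.strip())
        if m:
            out.append({"cc": m.group(1), "ip": m.group(2), "port": int(m.group(3)),
                        "name": m.group(4), "proto": m.group(5)})
    return out


def ptr_name(ip):
    """Reverse-DNS name for an IPv4 or IPv6 address (ipaddress does the octet reversal)."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_to_ip(name):
    """Inverse of ptr_name for IPv4 names; None for anything else."""
    m = PTR_V4.fullmatch(name or "")
    return ".".join(reversed(m.groups())) if m else None


def correlate(rows):
    """(connections, unmatched): every non-DNS destination annotated with whether
    a PTR query for its address appears in the same capture, and the addresses
    whose PTR was queried but that no recorded connection ever went to."""
    conns = parse(rows)
    lookups = {ptr_to_ip(c["name"]): c["name"]
               for c in conns if c["port"] == 53 and c["name"]}
    lookups.pop(None, None)
    c2 = [{"ip": c["ip"], "port": c["port"], "proto": c["proto"], "cc": c["cc"],
           "ptr_queried": c["ip"] in lookups,
           "well_known_port": c["port"] < 1024}
          for c in conns if c["port"] != 53]
    contacted = {c["ip"] for c in c2}
    unmatched = sorted(ip for ip in lookups if ip not in contacted)
    return c2, unmatched


if __name__ == "__main__":
    conns, noise = correlate(REPORT_ROWS)
    for c in conns:
        print("%(proto)s %(ip)s:%(port)d %(cc)s ptr_queried=%(ptr_queried)s" % c)
    print("PTR lookups with no matching connection:", len(noise))
```

The same function works on the behavioral1 table, where the answer is the single tcp/7061 destination with no PTR rows at all, which is a reminder that the win7 image simply did not do the reverse lookups the win10 image did.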

Files

memory/764-0-0x000000007461E000-0x000000007461F000-memory.dmp

memory/764-1-0x00000000009B0000-0x0000000000A34000-memory.dmp

memory/764-2-0x00000000058E0000-0x0000000005E84000-memory.dmp

memory/764-3-0x0000000005410000-0x00000000054A2000-memory.dmp

memory/764-4-0x00000000054D0000-0x00000000054DA000-memory.dmp

memory/764-5-0x00000000055A0000-0x000000000563C000-memory.dmp

memory/764-6-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/764-7-0x0000000006D60000-0x0000000006D78000-memory.dmp

memory/764-8-0x0000000006740000-0x0000000006750000-memory.dmp

memory/764-9-0x0000000006960000-0x00000000069B6000-memory.dmp

memory/676-10-0x0000000000400000-0x0000000000414000-memory.dmp

memory/676-12-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/764-13-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/1636-14-0x00000000053B0000-0x00000000053E6000-memory.dmp

memory/1636-15-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/1636-16-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/1636-17-0x0000000005A70000-0x0000000006098000-memory.dmp

memory/1636-18-0x00000000059B0000-0x00000000059D2000-memory.dmp

memory/1636-19-0x00000000060A0000-0x0000000006106000-memory.dmp

memory/1636-20-0x0000000006180000-0x00000000061E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oohhi4qt.z3y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1636-30-0x0000000006460000-0x00000000067B4000-memory.dmp

memory/1636-31-0x0000000006970000-0x000000000698E000-memory.dmp

memory/1636-32-0x00000000069A0000-0x00000000069EC000-memory.dmp

memory/1636-33-0x0000000006F40000-0x0000000006F72000-memory.dmp

memory/1636-34-0x000000006FC30000-0x000000006FC7C000-memory.dmp

memory/1636-44-0x0000000006F80000-0x0000000006F9E000-memory.dmp

memory/1636-45-0x0000000007960000-0x0000000007A03000-memory.dmp

memory/1636-46-0x00000000082E0000-0x000000000895A000-memory.dmp

memory/1636-47-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

memory/1636-48-0x0000000007D10000-0x0000000007D1A000-memory.dmp

memory/1636-49-0x0000000007F20000-0x0000000007FB6000-memory.dmp

memory/1636-50-0x0000000007EA0000-0x0000000007EB1000-memory.dmp

memory/1636-51-0x0000000007ED0000-0x0000000007EDE000-memory.dmp

memory/1636-52-0x0000000007EE0000-0x0000000007EF4000-memory.dmp

memory/1636-53-0x0000000007FE0000-0x0000000007FFA000-memory.dmp

memory/1636-54-0x0000000007FC0000-0x0000000007FC8000-memory.dmp

memory/1636-57-0x0000000074610000-0x0000000074DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a1b7deab00b9e3ac4e4d32a28767e0f5
SHA1 02e4a350ae521d57eae3c1b87e19dc718cd18853
SHA256 827761d4f5f4d588912d0918989032df66d026204364abed3c8fff3570e776d2
SHA512 2d42c5075997f80527e485d9d77093f538f9d71db33d01aecc535635c65f63f00627263a5278b47ac0c25c07e11b5b6c68216846751f8884bd2617da77ffa4e0

memory/3224-69-0x000000006FC30000-0x000000006FC7C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cb510602161d9da8cf34c4269fd58305
SHA1 5897db5829282cc736f9c85d67ce4892dfe84c5e
SHA256 16129b44ae22e4e485f8f5e7be54948f22125d8520a94dcd74606dec0c3484f8
SHA512 5dab5cf64f2e742a4e5f3eb5b724483629ee85af0aaa04f499f2786acce31da739aa861f46a26a79699873d88f281afe682ea99577820f4178fb5a5201b96277

memory/4356-90-0x000000006FC30000-0x000000006FC7C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 155693d37a2ef32e6370db6e1d60ff62
SHA1 769f536a50c8bc7a7f699104a68bb6277be521a9
SHA256 2a97a665cc13a0cbe7f17058775b6bf74bb82c256b135b4ef3c5d0efad868ea6
SHA512 642155820a65af5c70cc099e959ad75c168841f0daa68b6430699d4e8b9b07df1393d9733693d2f122985a3555fb2433231b95963ae7b20d9456d3ca887e1b0f

memory/712-111-0x000000006FC30000-0x000000006FC7C000-memory.dmp

memory/676-126-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/676-127-0x0000000074610000-0x0000000074DC0000-memory.dmp

memory/676-128-0x0000000074610000-0x0000000074DC0000-memory.dmp