Malware Analysis Report

2024-11-16 13:42

Sample ID: 240601-efrtqshf36
Target: ff3aea929347d0168b02de5d2c2bcec3.bin
SHA256: a443445abb02a4352781109b5fdd416ddc3551a71019d076ba2c99dd308ea021
Tags: xworm execution rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: a443445abb02a4352781109b5fdd416ddc3551a71019d076ba2c99dd308ea021
Threat Level: Known bad

The file ff3aea929347d0168b02de5d2c2bcec3.bin was found to be: Known bad.

Malicious Activity Summary

Tags: xworm execution rat trojan

Signatures:
- Detect Xworm Payload
- Xworm
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Drops startup file
- Checks computer location settings
- Suspicious use of SetThreadContext
- Enumerates physical storage devices
- Unsigned PE
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-01 03:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 03:53
Reported: 2024-06-01 03:55
Platform: win7-20231129-en
Max time kernel: 147s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target | Occurrences
N/A | N/A | N/A | N/A | 5

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Occurrences
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 4

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 1724 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | 9
PID 1056 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 1056 wrote to memory of 2604 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 1056 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 1056 wrote to memory of 1232 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4

Processes

Image: C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

Image: C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

Network

Country | Destination | Domain | Proto
DE | 104.250.180.178:7061 | (none) | tcp

Files

memory/1724-0-0x00000000742CE000-0x00000000742CF000-memory.dmp
memory/1724-1-0x0000000000180000-0x0000000000204000-memory.dmp
memory/1724-2-0x00000000742C0000-0x00000000749AE000-memory.dmp
memory/1724-3-0x0000000000650000-0x0000000000668000-memory.dmp
memory/1724-4-0x0000000000670000-0x0000000000680000-memory.dmp
memory/1724-5-0x0000000004C40000-0x0000000004C96000-memory.dmp
memory/1056-6-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1056-12-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1056-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1056-9-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1056-8-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1056-7-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1056-16-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1056-14-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1056-17-0x00000000742C0000-0x00000000749AE000-memory.dmp
memory/1724-18-0x00000000742C0000-0x00000000749AE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5    13d1d97d6bb6bd139709c05e822914e4
  SHA1   ba3bb57c24a3305408a388b6e70d3819acc72266
  SHA256 a031e2169ee2433b5d4b084e9b95ddc0389545f06aaecce0bd09b521ba3ae5f6
  SHA512 a76294638579970840464d059a133d2588d5e053964c0502ee6531e980a1de38a3b5a944a32d217b53622e798018e085637059f008cf33a8905f1060b416d218

\??\PIPE\srvsvc
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Roaming\XClient.exe
  MD5    ff3aea929347d0168b02de5d2c2bcec3
  SHA1   fd7eaa628f424fc1384bcbd926a551c8e60740db
  SHA256 cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651
  SHA512 c5ba038472b25fa013852b57fa712a286e56a85f015b68c5e7da72ed403aa0b896deb6583407894ae76dc59e90c475a161504d55202b4b7fe774732b22793c3b

memory/1056-42-0x00000000742C0000-0x00000000749AE000-memory.dmp
memory/1056-43-0x00000000742C0000-0x00000000749AE000-memory.dmp
memory/1056-44-0x00000000742C0000-0x00000000749AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-01 03:53
Reported: 2024-06-01 03:55
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Occurrences
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 4

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 1992 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | 8
PID 780 wrote to memory of 3248 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 780 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 780 wrote to memory of 4540 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 780 wrote to memory of 3684 | N/A | C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3

Processes

Image: C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

Image: C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe"

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe'

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
DE | 104.250.180.178:7061 | (none) | tcp
US | 8.8.8.8:53 | 178.180.250.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

memory/1992-0-0x000000007467E000-0x000000007467F000-memory.dmp
memory/1992-1-0x0000000000250000-0x00000000002D4000-memory.dmp
memory/1992-2-0x0000000005260000-0x0000000005804000-memory.dmp
memory/1992-3-0x0000000004CB0000-0x0000000004D42000-memory.dmp
memory/1992-4-0x0000000004E80000-0x0000000004E8A000-memory.dmp
memory/1992-5-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/1992-6-0x0000000004F30000-0x0000000004FCC000-memory.dmp
memory/1992-7-0x0000000005F10000-0x0000000005F28000-memory.dmp
memory/1992-8-0x0000000005250000-0x0000000005260000-memory.dmp
memory/1992-9-0x0000000006140000-0x0000000006196000-memory.dmp
memory/780-10-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cdec22b746d955eea4a995cc06795a0964af334d9ad48d9666fa631cf594e651.exe.log
  MD5    8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1   d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/1992-13-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/780-14-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/3248-16-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/3248-15-0x0000000004C10000-0x0000000004C46000-memory.dmp
memory/3248-18-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/3248-17-0x0000000005430000-0x0000000005A58000-memory.dmp
memory/3248-21-0x0000000005310000-0x0000000005376000-memory.dmp
memory/3248-22-0x0000000005B60000-0x0000000005BC6000-memory.dmp
memory/3248-20-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/3248-19-0x00000000051F0000-0x0000000005212000-memory.dmp
memory/3248-23-0x0000000005BD0000-0x0000000005F24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdluj3nn.l0r.ps1
  MD5    d17fe0a3f47be24a6453e9ef58c94641
  SHA1   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3248-33-0x00000000061A0000-0x00000000061BE000-memory.dmp
memory/3248-34-0x0000000006240000-0x000000000628C000-memory.dmp
memory/3248-35-0x0000000006770000-0x00000000067A2000-memory.dmp
memory/3248-36-0x000000006FC90000-0x000000006FCDC000-memory.dmp
memory/3248-46-0x0000000006750000-0x000000000676E000-memory.dmp
memory/3248-47-0x0000000007370000-0x0000000007413000-memory.dmp
memory/3248-48-0x0000000007B10000-0x000000000818A000-memory.dmp
memory/3248-49-0x00000000074C0000-0x00000000074DA000-memory.dmp
memory/3248-50-0x0000000007520000-0x000000000752A000-memory.dmp
memory/3248-51-0x0000000007750000-0x00000000077E6000-memory.dmp
memory/3248-52-0x00000000076C0000-0x00000000076D1000-memory.dmp
memory/3248-53-0x00000000076F0000-0x00000000076FE000-memory.dmp
memory/3248-54-0x0000000007700000-0x0000000007714000-memory.dmp
memory/3248-55-0x0000000007810000-0x000000000782A000-memory.dmp
memory/3248-56-0x0000000007740000-0x0000000007748000-memory.dmp
memory/3248-59-0x0000000074670000-0x0000000074E20000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5    968cb9309758126772781b83adb8a28f
  SHA1   8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    a3b577849fb6975d7ea4b95f45820819
  SHA1   c7f039c2019da2db0ba247fa87688fb9f4fcaa6f
  SHA256 528ede03f0e336f931766acc2731d1cb82b180551bb76625d50c245af1ba7500
  SHA512 27f847c9577069978de872d1a130bafa1fcd421adb77822540f49ed25cac25a6a854f3d9315b41216e1f99f550bf1736c505f693858f77b72a61861586df068d

memory/2492-71-0x000000006FC90000-0x000000006FCDC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    d3185088fa2729c4c6857b20937961d1
  SHA1   361e07c0ab4f13816252c994e41ac042122e01a1
  SHA256 d24b56c5d5abf7aea105b2a8719760e65dc7229ea4095e60f85ece4b550b9807
  SHA512 1f047ad616f4570e65dd850e957187c52f2c8ed9d53110f43066c0b4d14bed4e2d454f230afe44fa76aff96b9e3d834181c4f13580f5259f96381018a76eb16c

memory/4540-92-0x000000006FC90000-0x000000006FCDC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    cbcc34168adf9e736d8cfa24df969716
  SHA1   efb96a8a1d371d0561bf08250c59c97350a30383
  SHA256 2c65e4472f8bdec9107dfe8ca3bb613c0b059224a735ee48350f801c00f3f2b7
  SHA512 fdc35e89300c9c9b625a83333ff7241d26b7b302f986b18bb4e7647a8af067c072feacb952909d96106599564d363bf8362c6f5470c042a052ed289620dc272e

memory/3684-113-0x000000006FC90000-0x000000006FCDC000-memory.dmp
memory/780-128-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/780-129-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/780-130-0x0000000074670000-0x0000000074E20000-memory.dmp