Malware Analysis Report

2024-09-11 14:54

Sample ID: 240608-2jy4jsab53
Target: Microsoft Network Realtime inspection.exe
SHA256: 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
Tags: xworm execution persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788

Threat Level: Known bad

The file Microsoft Network Realtime inspection.exe was found to be: Known bad.

Malicious Activity Summary

Tags: xworm execution persistence rat trojan

What the two detonations (Windows 7 and Windows 10) show, taken together:

The sample is an unsigned XWorm remote-access trojan whose file name imitates a Microsoft component. It copies itself to C:\Users\Admin\AppData\Roaming\TLauncher (no file extension; identical MD5, SHA1 and SHA256 to the submitted file), and the CLR usage log written for TLauncher in the Windows 10 run shows the copy ran as a .NET executable.

Persistence is set three ways: a TLauncher.lnk shortcut in the user's Startup folder, an HKCU ...\CurrentVersion\Run\TLauncher value, and a scheduled task named TLauncher created with schtasks.exe /sc minute /mo 1 /RL HIGHEST, so the copy is relaunched every minute with the highest run level available to the user.

Before that, four PowerShell commands run with -ExecutionPolicy Bypass and call Add-MpPreference to add Windows Defender path and process exclusions for both the original file and the TLauncher copy. This defence-evasion step is visible only in the command lines (Processes sections below), not as a separate signature, so the signature list alone understates the behaviour.

The sample requests SeDebugPrivilege and installs a Windows hook (SetWindowsHookEx), consistent with keylogging; in the Windows 7 run C:\Users\Admin\AppData\Local\Temp\Log.tmp is rewritten more than thirty times and two further executables (rpkxlx.exe, ijokdc.exe) are dropped and run.

Network: the sample looks up its external IP via ip-api.com and then connects to listing-trackbacks.gl.at.ply.gg (147.185.221.20) on TCP port 15337, the command-and-control channel.

Response pointers: remove the Defender exclusions (check with Get-MpPreference, remove with Remove-MpPreference), delete the TLauncher scheduled task, Run value, Startup shortcut and the Roaming\TLauncher copy, and block or alert on the ply.gg hostname and port.

Xworm

Detect Xworm Payload

Xworm family

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-08 22:37

Signatures

Detect Xworm Payload
  Matched; no Description/Indicator/Process/Target details reported.

Xworm family
  tags: xworm

Unsigned PE
  Matched; no details reported.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-08 22:37
Reported: 2024-06-08 22:39
Platform: win7-20240419-en
Max time kernel: 148s
Max time network: 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

Signatures

Detect Xworm Payload
  3 matches; no Description/Indicator/Process/Target details reported.

Xworm
  tags: trojan rat xworm

Drops startup file
  Description | Indicator | Process | Target
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Executes dropped EXE
  Description | Indicator | Process | Target
  N/A | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A

Adds Run key to start application (persistence)
  Description | Indicator | Process | Target
  Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\TLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\TLauncher" | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Looks up external IP address via web service
  Description | Indicator | Process | Target
  N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices
  Matched; no details reported.

Creates scheduled task(s) (persistence)
  Description | Indicator | Process | Target
  N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
  (The full task definition is in the Processes section: /sc minute /mo 1 /RL HIGHEST /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher", i.e. the copy is relaunched every minute with the highest run level available to the user.)

Suspicious use of AdjustPrivilegeToken
  Description | Indicator | Process | Target
  Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A   (2 events)
  Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A   (4 events, one per PowerShell instance)
  Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A   (1 event)

Suspicious use of SetWindowsHookEx
  Description | Indicator | Process | Target
  N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Suspicious use of WriteProcessMemory
  Description | Indicator | Process | Target
  PID 2236 wrote to memory of 2604 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 2236 wrote to memory of 2836 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 2236 wrote to memory of 2516 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 2236 wrote to memory of 1596 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 2236 wrote to memory of 2764 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\schtasks.exe
  PID 2364 wrote to memory of 2416 (3 events) | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\TLauncher
  Each source/target pair is a parent and the child it has just spawned (the sample launching PowerShell and schtasks.exe; taskeng.exe launching the TLauncher copy when the task fired). This is the write pattern of ordinary process creation, not injection into an unrelated process.

Uses Task Scheduler COM API (persistence)
  Matched; no details reported.

Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"

C:\Windows\system32\taskeng.exe

taskeng.exe {D8B93800-DBF0-4058-9F19-1C74F688C7A1} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Local\Temp\rpkxlx.exe

"C:\Users\Admin\AppData\Local\Temp\rpkxlx.exe"

C:\Users\Admin\AppData\Local\Temp\ijokdc.exe

"C:\Users\Admin\AppData\Local\Temp\ijokdc.exe"

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\qdisfo.mp3"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x544
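
The process list above shows, in clear text, the Defender-exclusion commands, the one-minute scheduled task and the extension-less copy launched from AppData. As an added example, not part of the original report, the following Python applies four detection rules to exactly those command lines (copied from this report) and tags each hit with the ATT&CK technique it maps to. The rule set, function names and thresholds are this example's own choices; the same functions can be pointed at Sysmon event 1 or EDR process-creation command lines.

```python
import re
from collections import Counter

# Command lines copied from the behavioral1 process list of this report.
# The rule set, function names and technique mapping are this example's own.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
    r"Add-MpPreference -ExclusionProcess 'TLauncher'",
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
    r'/tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"',
    r"C:\Users\Admin\AppData\Roaming\TLauncher",
    r'"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\qdisfo.mp3"',
]


def image_path(cmdline: str) -> str:
    """Return the executable path at the start of a Windows command line (quoted or bare)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def image_name(cmdline: str) -> str:
    return image_path(cmdline).rsplit("\\", 1)[-1].lower()


def parse_switches(cmdline: str) -> dict:
    """Parse `/switch [value]` pairs (schtasks style) into a dict; value-less switches map to True."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    switches, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[key] = tokens[i + 1].strip('"')
                i += 2
                continue
            switches[key] = True
        i += 1
    return switches


def rule_defender_exclusion(cmd):
    # Add-MpPreference with any -Exclusion* parameter: Impair Defenses / Disable or Modify Tools.
    if image_name(cmd) in ("powershell.exe", "pwsh.exe") and re.search(
            r"Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)", cmd, re.I):
        return "Windows Defender exclusion added with Add-MpPreference", "T1562.001"
    return None


def rule_ps_policy_bypass(cmd):
    # -ExecutionPolicy Bypass and its abbreviations; common in admin scripts, so weight it low.
    if image_name(cmd) in ("powershell.exe", "pwsh.exe") and re.search(
            r"-(ep|ex|exec|executionpolicy)\s+bypass", cmd, re.I):
        return "PowerShell launched with -ExecutionPolicy Bypass", "T1059.001"
    return None


def rule_schtasks_persistence(cmd):
    # schtasks /create with a high-frequency trigger, highest run level, or an AppData action.
    if image_name(cmd) != "schtasks.exe":
        return None
    sw = parse_switches(cmd)
    if "create" not in sw:
        return None
    reasons = []
    if str(sw.get("rl", "")).upper() == "HIGHEST":
        reasons.append("run level HIGHEST")
    modifier = str(sw.get("mo", "1"))
    if str(sw.get("sc", "")).lower() == "minute" and modifier.isdigit() and int(modifier) <= 5:
        reasons.append(f"fires every {modifier} minute(s)")
    if re.search(r"\\appdata\\", str(sw.get("tr", "")), re.I):
        reasons.append("action path under AppData")
    if reasons:
        return "Scheduled task created: " + ", ".join(reasons), "T1053.005"
    return None


def rule_extensionless_appdata(cmd):
    # A binary with no extension executed from AppData\Roaming or AppData\Local.
    path = image_path(cmd)
    name = path.rsplit("\\", 1)[-1]
    if re.search(r"\\appdata\\(roaming|local)\\", path, re.I) and "." not in name:
        return "Extension-less executable run from AppData", "T1036"
    return None


RULES = [rule_defender_exclusion, rule_ps_policy_bypass, rule_schtasks_persistence, rule_extensionless_appdata]


def analyze(cmdlines):
    """Run every rule over every command line; return one finding dict per hit."""
    findings = []
    for cmd in cmdlines:
        for rule in RULES:
            hit = rule(cmd)
            if hit:
                findings.append({"cmdline": cmd, "finding": hit[0], "technique": hit[1]})
    return findings


def technique_counts(findings):
    return Counter(f["technique"] for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f'{f["technique"]:10} {f["finding"]:60} {f["cmdline"][:60]}')
```

The rules are deliberately narrow. Add-MpPreference with an -Exclusion* parameter is rare in interactive use and is the highest-fidelity hit here, whereas -ExecutionPolicy Bypass on its own appears in plenty of legitimate administration, so the two carry separate techniques and should be scored separately rather than folded into one "suspicious PowerShell" rule.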

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | listing-trackbacks.gl.at.ply.gg | udp
US | 147.185.221.20:15337 | listing-trackbacks.gl.at.ply.gg | tcp

The 8.8.8.8:53 rows are the sandbox resolver answering the sample's lookups. ip-api.com over HTTP is a public external-IP service used for discovery, so on its own it is a weak indicator. The TCP connection to listing-trackbacks.gl.at.ply.gg on port 15337 is the command-and-control channel; ply.gg belongs to the playit.gg tunnelling service, so 147.185.221.20 is a tunnel relay rather than the operator's own host, and the hostname plus port is the more durable indicator to block or alert on.

Files

(Memory regions dumped and files written during the detonation. C:\Users\Admin\AppData\Local\Temp\Log.tmp appears many times below because it was rewritten repeatedly; each entry is a distinct version of the file, which is what a keylogger or activity log being flushed looks like in a file-write trace.)

memory/2236-0-0x000007FEF60C3000-0x000007FEF60C4000-memory.dmp

memory/2236-1-0x00000000000B0000-0x00000000000CA000-memory.dmp

memory/2236-2-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

memory/2604-7-0x0000000002DC0000-0x0000000002E40000-memory.dmp

memory/2604-8-0x000000001B7B0000-0x000000001BA92000-memory.dmp

memory/2604-9-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NE8C67NOXKKWV0D3YEQP.temp

MD5 33c3223b24f61e7af8bb6c3dece2bf1d
SHA1 3660ce305e93983d71596f3c8302c411b24d2e19
SHA256 ddbe5404774cb08041070f19f962f529dcd9e49f002f39320d2586d38f51fa74
SHA512 02aa5383332ead20962900d0fdbb34aa42134f6411c2660bf2f6ae744093f21c15756b4018983a865d0b8988eaab291930130b969f0fb635eb1925c5571d375e

memory/2836-15-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

memory/2836-16-0x00000000027A0000-0x00000000027A8000-memory.dmp

\??\PIPE\srvsvc
(named-pipe handle, not a dropped file; the hashes below are those of zero-length content)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2236-31-0x000007FEF60C3000-0x000007FEF60C4000-memory.dmp

memory/2236-32-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

C:\Users\Admin\AppData\Roaming\TLauncher
(MD5, SHA1 and SHA256 identical to the submitted sample: the payload copied itself to this extension-less path)

MD5 5c888eddae30076bd7aaa2e5d5fea097
SHA1 6a5b5c290d24bcd984a7083f934dbf35f56ec888
SHA256 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
SHA512 4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1

memory/2416-36-0x0000000001320000-0x000000000133A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rpkxlx.exe

MD5 f3dff8c02fc6b4ba001517bd2419aa49
SHA1 63b91c81e8052a9dea3414086688762f8892ea0a
SHA256 9c3b6e9259e0e4e8c8dd7a5e8813bab3e8111ff4b4b41049621b7f40d8e9f6fa
SHA512 5325eb276e41b5a6b78fc6048642cc6e4348a78ccee543ecfbf287785b41af467d53fb578a8681a3746cb64ef7b7439f066e0dfa6f2e3a39094d081fd8595aeb

memory/2848-47-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2848-46-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2848-44-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 c3a5ce85c40192cd052edfcf022a07e4
SHA1 3198e80609769ad9215fa51be8c9ebb554b1d1f1
SHA256 72985343bfb4b336f1b6ec81c46a49667d21060d9000017fe09f762505b1ba4b
SHA512 2dd4d1dabdddb14ca8a8d44c34caefaebdc5e74b8ced44b8e866b0d87264276330f31d7ff2bbde596d8265f181fbf572ebeab25dbc770ac6cb77d6d5e1e4b432

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 f49e778317dfbb4579835e471ff2a6fa
SHA1 316c4929327bc075948b049f9ab2142340a6495a
SHA256 8f035a33deb0319b3011f1a145c6b7304e0bcad57bba288f9f71d9bc981a9d0a
SHA512 b0733326d2cf5bca6ac84264e6d24172602f39445f64d924b08b9e6662d7b6fa86233442b943ced265aeeed1873d517765efda51d978692f0b944d69539080b7

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 4c02000ab1e3f8c78194d1f5665367e6
SHA1 a8ec63d13ea4b4102b60c03f2bb15ad15318e0f0
SHA256 9d349a51bf8cb0ea9224ecae376b787b8a2234b11db966752a37176096b5070f
SHA512 757cd2c054db00698bc89ec0a8da382f0bc8bde49f09330ec5bca5518446d1e67985f3643d2c3b9864800d5b7d392dcdc9adb2ed60d64895520018df1c2bcadf

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 44ffce4de78f958dc86da8b33c3c0154
SHA1 c0c34935c62c90e3b7dc36e46f320ed94bc292ae
SHA256 a8cf1bfbcdc8381cdd6d3bdeeebadd5acfc11d14ccc74ee0f6c55e6eab42e34d
SHA512 95fab0fcca6ffce08d6d9f9d25bf9e2e911196ec6a0786262a392e38d8be6b68f47959d56d14c42c05dff0b8945090157f916732aaf30ea624e0f4c8133aea14

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 8b9f2a56e8098cd05c57ca2de8a46669
SHA1 4220a5c4cafa6f49018c0c35a036db12c7e2c165
SHA256 561c9339657ed504096e362735e198b8b48b597affddecf18e648adfca2bd340
SHA512 f96bd2a8807e63c63cc955d1d973d625327e56b89b01cde9a85d4857a598f5c65f0aeca5eb12cda5037f6eff718e4ba87e30b7e6fc299aaa29e4d3f8eb7d2446

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 9c26ebeecb1317892e6c96e3e097de63
SHA1 cbefc48daec1afd14dbde6c04b500a1cdf625e75
SHA256 0414761907c76ac7e6005336eb02cf97748da9352b24a550b1234dbe27beee72
SHA512 00fa76e9685ea2bd5e68a1c2f69eccbbc288594d486412b5178a8e9f5f89ea2bb3698ddc325510d808f51293db934c87558f97f23939f166f94419579020dc14

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 3e5d0bed33de7bfdba1911bd31d668c2
SHA1 f5ede27d4b9288aca52c3cfa273a729851339844
SHA256 18e3c6496bdd649b2fa2d0dcfa253d2e1f2efb8132c50b59b95abe2318142843
SHA512 5030301acb8670e834c2a6ee1330cf6285aa4872d3b7530cfd239af6d1cf8dd54dee36a877c89faf7630130a1690db8c8bbb85341690d7bccce69335c75a8043

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 7d954d8709dbadf82126c39b2d763924
SHA1 887005d53e69e925fe84b16bb63551f1754aa308
SHA256 c938f1bd31f0e274ad16c1873d029a5a38acaa3a06bf315a731d6056743150d7
SHA512 62efaf1006253b84a332d6e8abbabd44b9b6e8a4d674de131a783579e28b785bb09c45b647c37f3438d9c9d1606459b9a425538105b34df99a2c81d6e05d9d10

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 aee4bbfbd717f6d6ad6b409e07d9c392
SHA1 b5fd2f7149ed9515bdab249130b794e0ca73a4b4
SHA256 90826b6575e0407448887dcc40134e58ed01c2262afc2b089ad4d1b1b3c8551f
SHA512 ef82b7143c7cda2e929c20e9700fd6bfa525a1a75479058bc391adec320b2f7d81b47b21e54fc39323117aa4fceabc5c4969afc3fb0c17bb08e4887a17fda904

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 beafb90192c5d2cd3bc33cde067793db
SHA1 d52dacad66cd793d624a1c9005567295fd11dda9
SHA256 4213d502569090b5b3fa014f5ed6a88fabc563a24c6be0e7f5bc74bfd7b210c1
SHA512 0989aecde78fdc251a57144d7b141bc4497dcf5021b72b84b78afab454a7cf4ae204184a53d75c5df440fff4873e951afc18afd16a7b09c42938b4334bebe1de

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 4a9887e3a7bb66e29f5a42d502631d72
SHA1 f24d913ab88ce12d90e915c3dce983f586feda91
SHA256 0fd5c1251c9850d87e2734dd14e96c4c30332dfcd4e609df3912445e2235d0f1
SHA512 c591cd9d2487fd439b1f15a8c1cb8f1cc1be13a92b4a6379e666ecc1711286f15be4f2fea0857aa0144093d5cb19d237c334a3f1771a0be086c28ce15b9e6645

memory/2848-205-0x0000000000400000-0x0000000000439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 fa7e4cce2baffd2f4e53b6f8885e4595
SHA1 e19372d769196e520dd876f59b99bd45862654b8
SHA256 b6c67d50c7425686ae6630a841a57d7199abea3e55365f9078144f9e7819ee1c
SHA512 98e316ccad6db9ac66110aeaf40162fc4d8806f36e253fc378181ded7ecf17e53ac5cedfd163f4e714ad1c464ab6b2128242965e9bc09e03b225515bb0ec8aca

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 868a5ead297bb709d8434ac7001904e0
SHA1 ee47608db1b1f25920bd84820518cf99669c8447
SHA256 9c02936b7b6f20455f4065f1059170e1412ed50ff3b460f6348ee0849337313e
SHA512 188ca7250396a2906d509fbb5ce84597561a83a563d86041c89e89ab5f7fd6799c512b9a351c258bfa1fed2d8e423aeacc079c0f29d22d93961f22bf879baef0

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 485473aa0288b56ee6d5446d4ef991f7
SHA1 01b541b5d441fb2454bbbf8487154a98e5c0ce7b
SHA256 07c12d7bd35b81f64f10b679db73769898d784c97cf4aecf439416ca6373536e
SHA512 65e7819d2ddbab3bcb89df0c4c98a05ed37c5e0ac40729aece88298be93b158f07911e0d57f9302aa4be9306c95df25f0be21410c7f4b865058fec836ed1938e

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 ea01c103a8759addfeaaa050b6f4f925
SHA1 f00e26d60888516567892077bbc573b3ad06142c
SHA256 c0178e4feef7d1e2dcd061960162a99fdd2935c434b8364522ef61cb9f9fff6b
SHA512 05df1cc37cd81af2eda98cfcf5c028ef5f6608ceb133b444a717901e8173eb92c83deef59a473d0bf4d5ec1b3165f0a238203187338501cb37f329293177f973

C:\Users\Admin\AppData\Local\Temp\ijokdc.exe

MD5 62cbb85434223022a0b0e369b227a3d9
SHA1 4978b691168f16c678a1ffe53e126ba1d946bce0
SHA256 ea3087204e3ed644308a0a96bbf319590a9b2701ac850bb63f2ba3dc4955f1fd
SHA512 f76d281ce4c4401315f811dba1512757fa59a9c1ca6486c006f7861aed793a1f196fd66b772405374a751f383b5a234234e64de16f2fe9d613694e354b882f69

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 4dfa844f639bedd69de6371f91f7ee9c
SHA1 e14039a520f8d565afba207fc2d56958a3cba28c
SHA256 9cac7671814be816d535acd6df13c4d1425bff72df807dfc1466057e94ab837d
SHA512 9168db1cd7f57311dd75be320b788930df9afd3d669da1399164c4e00bee5d1375a7bcf3a607e244a43ea7a0a0a762bb45520d6d460c6e43e70c190468f83e02

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 9b906868d2794c5b73b4afa8542f3e47
SHA1 43e3585a48d1c5141cd1a1d610e1c8e86fcc021d
SHA256 981ed787982b0609fc168b655eea86f2cf2145153140190568780f1e81f75427
SHA512 2ac9ce343a7ec694b63d0833c5483feaae112ccf85401f16970e90e6c13310a48bf19d4ba2bcb5782b17d0fd606497642bd8de93155a4d073b2bdca235c6c53e

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 88005ce2b42f37e4f5a4f1fdbfa14897
SHA1 95137eee65eea5f3bcb8a3e5a06fa3f1675242fc
SHA256 06adbeff0869f9f7609407b5d85f2a959598cf63a168bb9b9ba2dc8cedeac1c7
SHA512 4ea461abdca031e351a9512d774534ab429697afbdef034fc846969b3b9970d66550ebec0a9a2667c88dacafeee39d626b288864cf1345a56b7fff9fd4205f13

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 72d7f4dd57bfe1124c0d5114e05ff38e
SHA1 5f51d90e1b8ce57e419b05bf681b75390013b9ad
SHA256 7fb0779c55a84cf7198984e25d157cc4779085ff517d9a8aeb533dd4d2a57093
SHA512 9f5494ed8a4632f7ea5eec8770baa12e1406621541f72519b57e0a49cc37afdeea39c197c7fa819693abdac9597a1b28c48666339cab07aad9177eb56db8082a

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 9d726c94f0f2437737d6f42f3d61b10d
SHA1 1c6665d4e2c7c3397211fc785c674f0333bfabed
SHA256 26aadc0370cefc9aad2244d7c72725b4cd6140e789d4fd8acf21a840f8e5b464
SHA512 0a43ec21ffdbf765739015052aef64196854a53b977e16a38dc214d0193699cbed886c59d21c9099b0466b55d7afb9b5fa234c4b0b1f497475d92e46b9e545f2

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 3a5ec592d89933c7e1031c2f73006cc5
SHA1 e58b9414e2f852212f9f2a757d4b8cfd78f710f8
SHA256 1e97c97fa02e24a30e0390d9a0d5b03d5794f5fd7a5bd084b1969a0adf90555f
SHA512 9c11823175e009977391961d0976c94111a1b173fd291f84be84213e5278a6df2b4068aaad39b0c718274def97b7b39d048549f701e1bbf555a8e54879735abc

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 00be3cd4e5c216437a0a03213c3e1965
SHA1 83d786b461baa108dc0255ffea5c2c062364ec18
SHA256 6a436bd220fa9468d66b1262f4ab5cbe65e56ca6601b64e36b9d96f890cccc48
SHA512 7c09a09df89708420123fd40e52373fe255d4a6690e3059062261d073729c1688ec66d4065aab736845c1ad6a4f7c43f04debb37bfd4d48834a69d43969dca37

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 fd226dc2d6146554489b11e88bf2cde1
SHA1 35bab90faad2db02ea33c61bc8c27c90529a9fab
SHA256 9e0a2ec88aa43f424937d53e2268495f0ebbc4da26bdd8960bd7741c63cbce10
SHA512 1e5c7c672c9b03f3aefb0e968bb2bb04d702cd0267602a791ac4bfa1cb92adb33702a088a351a99adbc78a5780328194d9d1d9c37da00a30ca616427a693dfab

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 dbf2ac594815c98c53155c70c741e286
SHA1 4447b494a1dbb2b057b72f427a77db0c18cfd395
SHA256 d7d355a49f4f99883b6ff48f3804e9dac91d9957430817e1f9bc5b1cc5511428
SHA512 d39ed242c06cad241bb96d4fd022cae133a281b43a185e353ab643da8a110fe9606d24764b8f384a8068151b6a570bd36f1f1533956566bc57486fdd19e53aa9

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 5aee82543c9841defa6dccd5ff18e38f
SHA1 600fd5f63aba3c0d89d40c8c93d011b6b0ef63e1
SHA256 a128dff796f38e9e2d7f84bab65662f22922165f80611712ecf3aa4e11572a04
SHA512 23a562f72f1fc0e02d03a94040913e62b7f2a92bfd95d821a3a8b85242fbf0780c959d28265c5a00cd035452b7ac289687ab07c485368ded34ce4b71cdaa73a2

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 dc0e7a8e0e9c3c78c0ce4ed0ed840411
SHA1 5f96e145a3fed623984f00e8b57c8feb6c7ce08d
SHA256 2719ca59ba7f924f0880bd7c70ece7ec18b8eac0768372cfd860a7595a0fa43a
SHA512 f0e536ebc8c28172f97e4eeb2ddc3b68bc1b7bc6f18a463e6e9f7194a623adb592bc60735d8519ccca07cbf76b4fe1aaaeeaa3f94b607281c39a364a99fbfa21

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 7d2a23aed2053771c79b95de936e4c9d
SHA1 286889b9b1e5e3470b9375f08df0c5d11043105b
SHA256 8d93d1e253d4330157cf1a2e4950278f92aa15a0942741f2e8d781427ce89e33
SHA512 f6b5b91b0100653a5ad6e9652f439b603c73a8d0ba37d2ec1f54364875a96e442060ccce801eed02b5e0a705c4a81481ac7ea398c80d2c2b6ef88c3fc7a5a794

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 07eb14eb01c5b95f5e6a1b30e261a98b
SHA1 0c325aba9d41bec31b594cad6606ac1cb8dd6413
SHA256 5cadd7e6686bc65f201b9e340d42c76a7c638d8a557c1f985cda4b679d2939d0
SHA512 e4649c761761b9c1c484599b063e2fc714f7b2e1a814e14e2278fc6ffc4b52ccce58abb97f1b26612aa6c3c35b3089502688f2c20495da3f35f8e63ca36dee2b

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 efec7d2306d95b6063f4a85a36264792
SHA1 f6885c6d98b1ccfad9410cb38d6387cdaf7f575e
SHA256 92b37ad5198f4e218dc229fe9590ba5d847201a3604d1c3bad4bf4a14e4c34be
SHA512 10f61c46274afb8eba1352c55dda594ba76d470ccf33db31763c90dd1a7f6f0a881224da182552aad07f6ebfb815ef1c3e18d466e12f0e8db93cbe92f5b24cf2

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 702022f4a0861e867ea1ec7be2ce39ad
SHA1 1aca61681870eebe33ab2718465fb01407659b0e
SHA256 1b5afae6fef3a6803d10e12bd6a63be2594e5223306166d5b2e71cb2e74d851f
SHA512 4a96f2c02daa7f463da27d6e326f754922ae501c3a00a3be363698800453101be35a5cd966fffba26d1d37e694a08799134f5502a1062b5ee96b24038602c8d5

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 3e3c258f9d3237bf647245d518b68831
SHA1 94fdf18ca84901b8e3357aacc19b66fc06e88e8f
SHA256 46f19210ff4d9d72afe8e652afb7e36227084deaefb8f6b0b7379c6bcf0d5ac3
SHA512 3d5d4004f02bd518ac494d8a2543f1cb1f68ec583a07e2919fa3000854d10f5d38b71ddb9af12f968fb1af1f427f353c6aeb5c838e6f8570b39dd59a4513a49f

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 cdb55faeec0835a0672dd85e56332a56
SHA1 09c6b64c9b6a6954cff8710bebe1016a87e4eb7a
SHA256 001ddf3b84ac14bc24db19756008c0c0fe1fe2afa36ac7d45879eb0cb66ac0f9
SHA512 b7f96bdc8ba8eb2a545449df66951050b9a56bbd220aabd8a1533371c91e95534ace133308740786c0593797868d04d14f800f83a19cec09061176b110daf49d

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 932eb8c00bb3f5093d2b12b3927175be
SHA1 4aaa2ff6ca4cd579bc0c508a44d555542cc6ba37
SHA256 ca5df8d14c51fc82efeeb9333f63810403cc2f8691c086f701100ae36fa4e6b7
SHA512 4fd621a617ab9b77829bb3902b907cd937e51905f933844d89a59c89779a39c6b542c095d7769b8f616dd29a192f81379c238d11e52d6834456b103a87617fdf

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 92c784f5071799ddd9d248e2a377abe8
SHA1 061e187dd09d7e132d891f6e25d5f04d39ae942b
SHA256 94237b020302211b4429535a0320ef69c4f681360851a80faea9a91c6df1318d
SHA512 462f3dae8489d7b637abc6bd26fdfa5949e0b335e95f7b816142fee2d5ffb0dbdb2c64c3cc204fc24a2638b5a7ef7292a28ad7b136dec9b141f2c834a9155897

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 c190b313d49dffa9dc60916163f59f41
SHA1 03414957a9a6bfb3d90798835996e8ff91d77cee
SHA256 143b314796ee6b2c72d369c7da41d7941a6e7e1615de3ff825e8c6452fadc72b
SHA512 37352c66ab863a07703a45754ae60984db10aaf8b89a43e890ffdce0e64e4b7da923a39c77da16680371ee28f676cd6b8816a4ac2c0cdce21aaa5aa25937156e

C:\Users\Admin\AppData\Local\Temp\qdisfo.mp3

MD5 f7f81920f6c6aa97a91475c1426b9a63
SHA1 84808aebd973bb0538606fb48153ad1b0a42c005
SHA256 388d6009b8ff701269e92c87b53825dc7526b49a1ba94dba5c3a2b346fd52042
SHA512 645bcf905064321fcbf7025b280902a4c6a6d6ecc816df6cf4a917d19fe69d3ec5509c4e428080335b7c5b59862d212aa9d545cc4c906bfe2bd6ec174dde8234

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 c3d1a0f07e497c3044b40fd230bdc14b
SHA1 a41a723c99c83c18814d3fbc485ea5ee38f500e8
SHA256 9506d5686d6e378d4ba4405f391d4f4c4989dd66cdba308d3926bbb7302e7b06
SHA512 ad54717909635d4eebc2baef0198f6375f2bca55b12611525f9f08e1be6423207735c8eec4445670ad63c23db142fafd30cc9afe498f714fccb485aebb04f554

C:\Users\Admin\AppData\Local\Temp\Log.tmp

MD5 b883289d2ec306fabaefc36d9c2951bf
SHA1 4799f0650ee246f603d04b6b50ae2ccd0b1e6d88
SHA256 bfd66990a76135544b286e0d66bd70f965eac8e1dcf04186b36d1dfe1573058a
SHA512 aa140737e186ffbe827d312f8948a1e067e2f1e8ef025ccf4fa77efcdc2e774574b48d16cf0c6d8c73fd60210cfc61ce64125657ee7d110eeb6b55fe0f8dbdb4

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-08 22:37
Reported: 2024-06-08 22:40
Platform: win10v2004-20240508-en
Max time kernel: 148s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

Signatures

Detect Xworm Payload
  2 matches; no Description/Indicator/Process/Target details reported.

Xworm
  tags: trojan rat xworm

Checks computer location settings
  Description | Indicator | Process | Target
  Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A
  (Geo\Nation holds the configured country; reading it early is a typical locale check.)

Drops startup file
  Description | Indicator | Process | Target
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Executes dropped EXE
  Description | Indicator | Process | Target
  N/A | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A   (3 events, one per TLauncher instance)

Adds Run key to start application (persistence)
  Description | Indicator | Process | Target
  Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\TLauncher" | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Looks up external IP address via web service
  Description | Indicator | Process | Target
  N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices
  Matched; no details reported.

Creates scheduled task(s) (persistence)
  Description | Indicator | Process | Target
  N/A | N/A | C:\Windows\System32\schtasks.exe | N/A
  (Task definition in the Processes section: /sc minute /mo 1 /RL HIGHEST /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher".)

Suspicious use of AdjustPrivilegeToken
  Description | Indicator | Process | Target
  Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A   (2 events)
  Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A   (4 events, one per PowerShell instance)
  Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A   (3 events, one per TLauncher instance)

Suspicious use of SetWindowsHookEx
  Description | Indicator | Process | Target
  N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Suspicious use of WriteProcessMemory
  Description | Indicator | Process | Target
  PID 4728 wrote to memory of 2596 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 4728 wrote to memory of 4664 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 4728 wrote to memory of 4828 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 4728 wrote to memory of 3816 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PID 4728 wrote to memory of 2092 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\schtasks.exe
  Each pair is the sample writing into a child it has just spawned (PowerShell, schtasks.exe), the pattern of ordinary process creation rather than injection into an unrelated process.

Uses Task Scheduler COM API (persistence)
  Matched; no details reported.

Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher
(3 instances during the run, consistent with the one-minute scheduled task relaunching the copy)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | listing-trackbacks.gl.at.ply.gg | udp
US | 147.185.221.20:15337 | listing-trackbacks.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 52.111.229.43:443 | (no name resolved) | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

The *.in-addr.arpa rows are reverse (PTR) lookups performed by the guest; they describe addresses already present in the capture and are not indicators in themselves, and the 8.8.8.8:53 rows are the sandbox resolver. The sample's own traffic is the same as in the Windows 7 run: an external-IP lookup against ip-api.com over HTTP, followed by the command-and-control connection to listing-trackbacks.gl.at.ply.gg (147.185.221.20) on TCP 15337. The connection to 52.111.229.43:443 has no resolved name in the capture and is not attributed to the sample here; treat it as unverified rather than as an indicator.

Files

(The __PSScriptPolicyTest_*.ps1, StartupProfileData-NonInteractive and CLR_v4.0\UsageLogs\powershell.exe.log entries are side effects of PowerShell and the .NET runtime starting, not payloads. The entries of interest are the TLauncher copy and the CLR usage log written for it, which shows the copy executed as a .NET assembly.)

memory/4728-0-0x00007FFEF97C3000-0x00007FFEF97C5000-memory.dmp

memory/4728-1-0x0000000000C10000-0x0000000000C2A000-memory.dmp

memory/4728-2-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

memory/2596-3-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

memory/2596-4-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1dliiov2.5sp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2596-14-0x00000224AB520000-0x00000224AB542000-memory.dmp

memory/2596-17-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 993af531f0b57e8128ec273731c3a8e2
SHA1 a42ea55876f4f390837dd2c95fb7ff2344b6e9e1
SHA256 fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62
SHA512 bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ba169f4dcbbf147fe78ef0061a95e83b
SHA1 92a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA256 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA512 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

memory/4728-55-0x00007FFEF97C3000-0x00007FFEF97C5000-memory.dmp

memory/4728-56-0x00007FFEF97C0000-0x00007FFEFA281000-memory.dmp

C:\Users\Admin\AppData\Roaming\TLauncher
(MD5, SHA1 and SHA256 identical to the submitted sample: self-copy)

MD5 5c888eddae30076bd7aaa2e5d5fea097
SHA1 6a5b5c290d24bcd984a7083f934dbf35f56ec888
SHA256 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
SHA512 4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TLauncher.log
(written by the .NET runtime when TLauncher executed; confirms the copy is a managed executable)

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
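
The Network and Files tables in both detonations mix sandbox noise (resolver traffic, PTR lookups, PowerShell and CLR start-up files) with the indicators that matter. As an added example, not part of the original report, this Python parses rows copied from those tables, drops the noise, labels the remaining connections, and correlates dropped files against the sample hash. The labels, thresholds and function names are this example's own, and only three of the many Log.tmp versions are included to keep the embedded data short.

```python
from collections import defaultdict

SAMPLE_SHA256 = "267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA-256 of zero bytes
BENIGN_LOOKUP_SERVICES = {"ip-api.com"}  # public "what is my IP" services: discovery, not C2

# Rows copied from the behavioral2 Network table (Country Destination Domain Proto);
# the row without a domain column is a direct-to-IP connection.
NETWORK_TABLE = """\
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 listing-trackbacks.gl.at.ply.gg udp
US 147.185.221.20:15337 listing-trackbacks.gl.at.ply.gg tcp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 52.111.229.43:443 tcp
"""

# (path, sha256) pairs copied from the Files tables; memory dumps carry no hash and are left out.
# Only three of the many Log.tmp versions are included here.
FILE_TABLE = [
    (r"C:\Users\Admin\AppData\Roaming\TLauncher", SAMPLE_SHA256),
    (r"C:\Users\Admin\AppData\Local\Temp\rpkxlx.exe",
     "9c3b6e9259e0e4e8c8dd7a5e8813bab3e8111ff4b4b41049621b7f40d8e9f6fa"),
    (r"C:\Users\Admin\AppData\Local\Temp\ijokdc.exe",
     "ea3087204e3ed644308a0a96bbf319590a9b2701ac850bb63f2ba3dc4955f1fd"),
    (r"C:\Users\Admin\AppData\Local\Temp\Log.tmp",
     "72985343bfb4b336f1b6ec81c46a49667d21060d9000017fe09f762505b1ba4b"),
    (r"C:\Users\Admin\AppData\Local\Temp\Log.tmp",
     "8f035a33deb0319b3011f1a145c6b7304e0bcad57bba288f9f71d9bc981a9d0a"),
    (r"C:\Users\Admin\AppData\Local\Temp\Log.tmp",
     "9d349a51bf8cb0ea9224ecae376b787b8a2234b11db966752a37176096b5070f"),
    (r"\??\PIPE\srvsvc", EMPTY_SHA256),
]


def parse_network(table: str) -> list:
    """Parse the space-separated sandbox network table into row dicts."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:            # no domain column: direct-to-IP connection
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": port, "domain": domain, "proto": proto})
    return rows


def network_iocs(rows: list) -> dict:
    """Map 'ip:port' -> label for connections attributable to the sample.
    DNS traffic to the sandbox resolver and reverse (PTR) lookups describe the
    sandbox environment, not the malware, and are dropped."""
    iocs = {}
    for r in rows:
        if r["port"] == "53" or r["domain"].endswith(".in-addr.arpa"):
            continue
        key = f'{r["ip"]}:{r["port"]}'
        if r["domain"] in BENIGN_LOOKUP_SERVICES:
            iocs[key] = "external-ip lookup (discovery; low-fidelity block indicator)"
        elif r["domain"]:
            iocs[key] = f'C2 candidate ({r["domain"]})'
        else:
            iocs[key] = "unattributed (no name resolved; verify before blocking)"
    return iocs


def file_findings(rows: list, sample_sha256: str) -> dict:
    """Map path -> findings: self-copies of the sample, repeatedly rewritten files,
    extension-less binaries, and entries whose hash is that of zero-length content."""
    versions = defaultdict(list)
    for path, sha in rows:
        if sha not in versions[path]:
            versions[path].append(sha)
    findings = {}
    for path, shas in versions.items():
        notes = []
        if sample_sha256 in shas:
            notes.append("self-copy of the submitted sample")
        if len(shas) > 1:
            notes.append(f"rewritten: {len(shas)} distinct versions")
        if EMPTY_SHA256 in shas:
            notes.append("zero-length content (not a dropped file)")
        if "." not in path.rsplit("\\", 1)[-1] and not path.startswith("\\??\\"):
            notes.append("no file extension")
        if notes:
            findings[path] = notes
    return findings


if __name__ == "__main__":
    for key, label in network_iocs(parse_network(NETWORK_TABLE)).items():
        print(f"NET  {key:24} {label}")
    for path, notes in file_findings(FILE_TABLE, SAMPLE_SHA256).items():
        print(f"FILE {path}: {'; '.join(notes)}")
```

The point of the hash correlation is that a dropped file with the sample's own hash is a self-copy and needs no separate analysis, while files with new hashes (rpkxlx.exe, ijokdc.exe here) are the ones to pull from the sandbox and triage next; the rewrite count singles out log-style artefacts whose content, not hash, is what matters.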