Malware Analysis Report

2024-11-16 13:32

Sample ID 240620-znk2da1cqq
Target asdasdad.exe
SHA256 ed36eacbc76c5bc86ceeb156854e849ee67d76a184b0253482debcfb62fba3fa
Tags
xworm execution rat trojan evasion
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

ed36eacbc76c5bc86ceeb156854e849ee67d76a184b0253482debcfb62fba3fa

Threat Level: Known bad

The file asdasdad.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan evasion

Xworm

Xworm family

Contains code to disable Windows Defender

Modifies Windows Defender Real-time Protection settings

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 20:51

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 20:51

Reported

2024-06-20 20:57

Platform

win7-20231129-en

Max time kernel

118s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\asdasdad.exe

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp
US | 147.185.221.17:29206 | silver-bowl.gl.at.ply.gg | tcp

Files

memory/2344-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

memory/2344-1-0x0000000000820000-0x0000000000838000-memory.dmp

memory/2344-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

memory/2552-7-0x0000000002C20000-0x0000000002CA0000-memory.dmp

memory/2552-8-0x000000001B560000-0x000000001B842000-memory.dmp

memory/2552-9-0x00000000022C0000-0x00000000022C8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 68c1091da31c10d4ef03e37ba0c3d0f2
SHA1 2e7119b29431d6a014d5c00beb41c85a34dfcd7d
SHA256 335e194139051dec64c215ec493d616423d1ebc7c83f8e2f9286a8af89d25c6a
SHA512 094359a9204412a7428e8a4d9d074e8d5eb22a78f284635bd9cac37eddd2fa2d016aba8fdb3ee998f26d69a73e77dfd9f4971434ed5ceae727725bcfab1654c9

memory/2556-15-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

memory/2556-16-0x0000000002820000-0x0000000002828000-memory.dmp

memory/2344-26-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

memory/2344-27-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 20:51

Reported

2024-06-20 20:57

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\System32\WScript.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\System32\WScript.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\System32\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\System32\WScript.exe | N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asdasdad.lnk | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 228 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 1484 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WScript.exe
PID 228 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\asdasdad.exe | C:\Windows\System32\WScript.exe
PID 3036 wrote to memory of 2692 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe
PID 3036 wrote to memory of 2692 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe
PID 2692 wrote to memory of 4864 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 4864 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 1696 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 1696 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 3356 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 3356 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 1256 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 1256 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 4732 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 4732 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 4576 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 4576 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 4808 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 4808 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 1260 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 1260 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 2080 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 2080 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 4476 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 4476 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 5092 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 5092 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\asdasdad.exe

"C:\Users\Admin\AppData\Local\Temp\asdasdad.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'asdasdad.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\asdasdad.exe'

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aliaac.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aliaac.vbs" /elevate

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | silver-bowl.gl.at.ply.gg | udp
US | 147.185.221.17:29206 | silver-bowl.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp

Files

memory/228-0-0x00007FFE2BA93000-0x00007FFE2BA95000-memory.dmp

memory/228-1-0x0000000000800000-0x0000000000818000-memory.dmp

memory/228-2-0x00007FFE2BA90000-0x00007FFE2C551000-memory.dmp

memory/1484-3-0x00007FFE2BA90000-0x00007FFE2C551000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwtd52or.omk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1484-4-0x000001A772C30000-0x000001A772C52000-memory.dmp

memory/1484-14-0x00007FFE2BA90000-0x00007FFE2C551000-memory.dmp

memory/1484-15-0x00007FFE2BA90000-0x00007FFE2C551000-memory.dmp

memory/1484-18-0x00007FFE2BA90000-0x00007FFE2C551000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10fb30dc297f99d6ebafa5fee8b24fa2
SHA1 76904509313a49a765edcde26b69c3a61f9fa225
SHA256 567bcacac120711fc04bf8e6c8cd0bff7b61e8ee0a6316254d1005ebb1264e6a
SHA512 c42ace1ea0923fa55592f4f486a508ea56997fdbe0200016b0fc16a33452fc28e4530129a315b3b3a5ede37a07097c13a0eb310c9e91e5d97bb7ce7b955b9498

memory/228-46-0x000000001C380000-0x000000001C482000-memory.dmp

memory/228-47-0x00007FFE2BA93000-0x00007FFE2BA95000-memory.dmp

memory/228-49-0x00007FFE2BA90000-0x00007FFE2C551000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aliaac.vbs

MD5 3183ab3e54079f5094f0438ad5d460f6
SHA1 850eacdf078b851378fee9b83a895a247f3ff1ed
SHA256 16da599511714cce9fd5888b1cc06bdb44857fc9147f9a2b5eed422d9ae40415
SHA512 31e996ae9eaf26a7292a6c3c0d7a4284228dec13d082a82f0b5f8825cd265a249e266b5a99c755f41dfd370ce8a179ad29780311c1f49f89dc80f5e4a99ce31e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60945d1a2e48da37d4ce8d9c56b6845a
SHA1 83e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA512 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 21e043e582145961dd6c69cedfe3b546
SHA1 ef49b88e229166bb5426d5e9dd03cd2ad0df0e0f
SHA256 29ee445e0007c20444e537e0fdc41700e8bb8ea6a5040f5eee8d91e4fb44133e
SHA512 27ec3f4f9ff15a2b2629752e5369b325886ab4bd709ae303cfd8b77feb6ebae361af4156531643bae1a2c8bc601f5cef20fabe04b62fda985038ae68aed4b9de

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 46bf20e17dec660ef09b16e41372a7c3
SHA1 cf8daa89a45784a385b75cf5e90d3f59706ac5d5
SHA256 719589acc67594a2add00dca3c097551163199edbdd59a7f62f783871ef96e17
SHA512 91225c1aac17fa26ec00913d5e96950ed11d44a1fd28f34a1810fe143176864cf2b9624dc053183d8f28db5a3903c5e092aab180fb21ce2a3775223ee111df54

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b2551c57c4f442d3968db9a207cfd059
SHA1 38910649f3f651586477bf47640174ae4db1e8c2
SHA256 d37658614a272d600067784941dca04367d449085124833554557d60c2ddc4c4
SHA512 b48d4a9c465415ecd67ca98f3f1b8be163af87f301a145ceb6fe8a5806c777d4bf6e6040a5468f325561333c05dd4cd9b7c678fd434909e70761998d3a5335d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9a2c763c5ff40e18e49ad63c7c3b0088
SHA1 4b289ea34755323fa869da6ad6480d8d12385a36
SHA256 517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e
SHA512 3af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dd0716df5ff6e2ed8bfa08e271d64dd8
SHA1 c342bbe936058ea27843d5dbe5eb434f926612f7
SHA256 15ea3598b422f0d7705405688a174b98789b623154d4ccf3f3148f7c10bafdd8
SHA512 7e6dc8f9ad269ca3969e7b1284399f16f59559d5a4232537147fb7edcba86932474eff26921c09472894d55ee045dd3e371dcfce65d358785166742582e0b8a4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dc0eb1839781c4bed27d3b94a4f3fc88
SHA1 40432a27ea09d935efa2d769464b8f687a36af14
SHA256 c76800855c49d5639d1ab7bbf105c0ea8eb9a1003aa2ad9656fa57357e47f53d
SHA512 06ad9fab6f49d07cef550078cca0c0a40013c9282deb0c46c66bbe1b4dde8207e42c23451818ab04aab3427063bd41a7c8ea852884dee2ddaf123e8d4cf089dd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d74094040d182233ea30bb3fc049dbcd
SHA1 bef1d368773cd21b5214dbb74aa7364389e83247
SHA256 75efd9b0b7dc6910c41e2e01cc337f8861606dd83ad2848261406bce14b97f56
SHA512 58e8dd9180cc699c370836b68cdff76b9397dead8d73bd8af631bf1020db6e88536aac214a298f93fcfa0c76c6c566ab41aaf006a95bf157b43ddcf938cacf79