Malware Analysis Report

2024-11-16 12:11

Sample ID 240716-hnjd4ssepg
Target XClient.exe
SHA256 31053c2cbb304a77d3c454012374abec7a8c5a34312967a0e3c49164023c7304
Tags xworm neshta ramnit banker execution persistence rat spyware stealer trojan upx worm
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

31053c2cbb304a77d3c454012374abec7a8c5a34312967a0e3c49164023c7304

Threat Level: Known bad

The file XClient.exe was found to be: Known bad.

Malicious Activity Summary

xworm neshta ramnit banker execution persistence rat spyware stealer trojan upx worm

Detect Xworm Payload

Detect Neshta payload

Neshta

Ramnit

Xworm

Xworm family

Command and Scripting Interpreter: PowerShell

UPX packed file

Modifies system executable filetype association

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-16 06:52

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 06:52

Reported

2024-07-16 06:54

Platform

win11-20240709-en

Max time kernel

79s

Max time network

81s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

Signatures

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Ramnit

trojan spyware stealer worm banker ramnit

Xworm

trojan rat xworm

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\System" C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\pwahelper.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdate.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedgewebview2.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeComRegisterShellARM64.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\cookie_exporter.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\BHO\ie_to_edge_stub.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\msedge_proxy.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\identity_helper.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4712 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4712 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe
PID 4712 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe
PID 4712 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\XClient.exe C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe
PID 2088 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjx.exe
PID 2088 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjx.exe
PID 2088 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjx.exe
PID 1116 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjx.exe C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjxSrv.exe
PID 1116 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjx.exe C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjxSrv.exe
PID 1116 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjx.exe C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjxSrv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\XClient.exe

"C:\Users\Admin\AppData\Local\Temp\XClient.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\System'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System'

C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe

"C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjx.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjx.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjxSrv.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjxSrv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3972 -ip 3972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 320

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 147.185.221.21:14365 21.ip.gl.ply.gg tcp
US 147.185.221.21:14365 21.ip.gl.ply.gg tcp

Files

memory/4712-1-0x00007FFAE7B73000-0x00007FFAE7B75000-memory.dmp

memory/4712-0-0x00000000006D0000-0x000000000072E000-memory.dmp

memory/4712-2-0x00007FFAE7B70000-0x00007FFAE8632000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hq15p3o2.dp4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4976-12-0x00007FFAE7B70000-0x00007FFAE8632000-memory.dmp

memory/4976-11-0x00000257724A0000-0x00000257724C2000-memory.dmp

memory/4976-13-0x00007FFAE7B70000-0x00007FFAE8632000-memory.dmp

memory/4976-14-0x00007FFAE7B70000-0x00007FFAE8632000-memory.dmp

memory/4976-15-0x00007FFAE7B70000-0x00007FFAE8632000-memory.dmp

memory/4976-16-0x00007FFAE7B70000-0x00007FFAE8632000-memory.dmp

memory/4976-19-0x00007FFAE7B70000-0x00007FFAE8632000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa4f31835d07347297d35862c9045f4a
SHA1 83e728008935d30f98e5480fba4fbccf10cefb05
SHA256 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
SHA512 ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4914eb0b2ff51bfa48484b5cc8454218
SHA1 6a7c3e36ce53b42497884d4c4a3bda438dd4374b
SHA256 7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e
SHA512 83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

memory/4712-54-0x00007FFAE7B70000-0x00007FFAE8632000-memory.dmp

memory/4712-55-0x0000000002B00000-0x0000000002B0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vpvzjx.exe

MD5 a83982b0882253cabec61f523f16954e
SHA1 fcd593b4380735520b2f77fa7243abd5bcc61c56
SHA256 b299476128e76cee29e3bc7b3cca388ebc60f38e7bde79d0d348c16b197b6e29
SHA512 e2b38461813afd7246bc836c276625ac58c568a0176f5990c14eb46dbf7ff7b30d181dacee0c29f3b37efde75f17a7105513a2a4bc35e0490899513caf3f9468

C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjx.exe

MD5 9a1b04a62283ab9848be4331ba124d0c
SHA1 f83fdad90c24e41987b44a022db3856c9ff22368
SHA256 3c782281df50b6286b774ce47c94da5b8283e73d285cf3412514c060fbb5405a
SHA512 393cc7cd603ee0f1f65085460c868339ae78e2616902da2ac25e2f45a453674f0bb94f5f1da3d62118d4cf7ec1d377f805ef3b74ce40fb368357055fe09740cc

memory/1116-74-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\vpvzjxSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/3972-78-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3972-80-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2088-186-0x0000000000400000-0x000000000041B000-memory.dmp